Privacy check-in – POPIA pitfalls in the hospitality industry


Prineil Padayachy | Senior Associate | Webber Wentzel


South Africa’s hospitality industry is seeing a shift from traditional leisure-based tourism to experience-based tourism, focused on providing tourists with unique, authentic life-enriching experiences.

This shift has necessitated the rapid adoption of technological advancements such as digital contactless booking and reservations, digital tourism platforms, smart room technology that allows the automation of various Internet of Things devices (thermostats, lighting, entertainment systems, and cooling systems), AI-powered customer support, chatbots and service robots, virtual and augmented reality tours and experiences as well as enhanced biometric security and surveillance systems.

While these technological advancements may enable South Africa’s hospitality industry to meet evolving customer expectations, one should not lose sight of the increasing invasiveness of these technologies and the impact that this will have on customers’ privacy and personal information.

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa’s primary data protection regulation that governs the processing of personal information. Businesses, particularly in the hospitality industry, may face various POPIA challenges as digitisation and innovation increase.

Inadequate data security measures

In terms of POPIA, responsible parties, or those who determine the means and purposes of the processing, are required to protect any personal information in their possession or control.

Responsible parties must implement appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information. While POPIA does not prescribe specific security safeguards, it states that responsible parties must adhere to generally accepted information security practices and procedures that may apply to them or be required by specific industry or professional rules and regulations.

While introducing advanced digital technologies and their interoperability has accelerated technological development in the industry, the technologies also increase a business’ attack surface and bring additional vulnerabilities.

Hospitality businesses should ensure that they implement robust security measures to protect all personal information in their possession or control, and that these measures are regularly tested and updated to address any reasonably foreseeable risk to the personal information. Practically, these measures should be at least as secure as the security measures used by the average business in the hospitality industry and related sectors.

Processing of biometric information

Regardless of functionality, industry stakeholders who have implemented biometric systems must demonstrate a legal basis for processing such biometric information (which may include information based on a guest’s physical, physiological or behavioural characteristics, such as fingerprinting, retinal scanning, and voice or gait recognition).

Consent is one such legal basis, but it is not the only one available. Furthermore, industry players should be cautious when transferring biometric information to third parties, particularly if the information is shared with entities outside of South Africa, as this may require prior notification to the Information Regulator if the third party or foreign country does not provide for an adequate level of protection as required by POPIA.

Third-party data sharing

Given the shift to experience-based tourism, hospitality businesses have been collaborating to develop holistic tourism portals, allowing guests to not only book accommodation but also other interconnected services such as car rental or transportation, guided tours or other leisure experiences. These platforms have become common within the industry and involve the sharing and transferring of guests’ personal information across various businesses and service providers.

When personal information is shared within South Africa, the entities that share the personal information (and special personal information as the case may be) must demonstrate an appropriate legal basis to process and share such information.

Examples of legal bases for sharing personal information include consent; processing that is necessary for the conclusion or performance of a contract to which the data subject is a party; and processing that protects a legitimate interest of the data subject or of the responsible party itself.

POPIA, however, places additional requirements on responsible parties when transferring personal information outside of South Africa. POPIA prohibits the transfer of personal information outside of South Africa, subject to limited exceptions.

These exceptions include circumstances in which:

  • a data subject has consented to the transfer; or
  • the recipient of the personal information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection and terms materially similar to those contained in POPIA for the lawful processing of personal information.

If a responsible party is unable to establish an exception under Section 72 of POPIA, that party must obtain prior authorisation from the Information Regulator before transferring any special personal information (including biometric information).

There is no one-stop shop for POPIA compliance, particularly in a constantly evolving sector such as the hospitality industry. However, the pitfalls above illustrate some of the common issues that should be considered when implementing new and advanced digital technology.

Industry players must adopt a privacy-by-design approach to POPIA compliance in their various businesses, especially given the current digital and technological rat race in which the hospitality industry finds itself.



Related FAQs: Privacy and POPIA compliance in South Africa

Q: What is POPIA Compliance and why is it important for South African businesses?

A: POPIA Compliance refers to adhering to the Protection of Personal Information Act in South Africa. It is crucial for South African businesses to comply with POPIA to protect personal data and ensure data privacy for individuals.

Q: Who is the Information Officer in an organisation?

A: The Information Officer is a designated person within an organisation who is responsible for overseeing the protection of personal information and ensuring compliance with data protection laws like POPIA.

Q: What are the key responsibilities of the Information Officer in South Africa?

A: The Information Officer is responsible for implementing and monitoring the organisation’s compliance with data protection laws, maintaining records of processing activities, and handling data subject access requests.

Q: How can a business register their Information Officer with the Information Regulator?

A: A business can register its Information Officer by submitting the required details and documentation to the Information Regulator in accordance with the guidelines provided under POPIA.

Q: What is the deadline for South African businesses to comply with POPIA?

A: The deadline for compliance with POPIA for South African businesses was 1 July 2021. It is important for businesses to ensure they are fully compliant to avoid potential penalties.

Q: What is the relationship between POPIA and the Promotion of Access to Information Act (PAIA)?

A: POPIA and PAIA are both legislative acts in South Africa that govern information access and protect personal data. POPIA focuses on data privacy, while PAIA ensures transparency and access to information.

Q: How can South African businesses protect personal information under POPIA?

A: Businesses can protect personal information under POPIA by implementing secure data processing practices, obtaining consent for data collection, maintaining accurate records, and ensuring compliance with data protection regulations.
