AI and the Protection of Personal Information Act of 2013

Quarter 3 2021

By VENOLAN NAIDOO, Published in Technology/POPIA

Preface

This is a three-part article series discussing the impact of the Protection of Personal Information Act (4 of 2013) on artificial intelligence or machine learning systems used in the context of the workplace.

The degree to which the processing of personal information by artificial intelligence systems is relevant depends on the type of workplace or employer, and the topic may appear prescient. Nonetheless, it is reasonable to conclude that its relevance will grow in the not too distant future as more technologies make up the workplace.

From a general perspective, this article looks at what is viewed as the relevant provisions or themes of POPI and its possible relation to artificial intelligence or machine learning systems. However, the provisions of POPI discussed are not exhaustive and other areas (not covered) may also be relevant considering the specific context in each given case.

In Part 1 of the series, I discuss the background to the series; the Protection of Personal Information Act (4 of 2013), providing an overview of the Act for purposes of the series, and personal versus de-identified information: the likely relationship between POPI and AI systems.

Background

In the age of data harnessing and analytics, from Google searches, to the Internet of Things, the collection of data has become an innate part of our connected world given its considerable value. This has also transformed the workplace. With the advent of cloud-based computing, we have seen the scalability and flexibility of virtual workplaces.

The COVID-19 pandemic has undoubtedly further accelerated the cloud-based/'remote work from home' regime, with many businesses having immediately shifted to this new work order and other businesses being left with no option but to do so.

In 2021, this has now become the norm (and no longer the "new" normal). Businesses are now focusing on cloud-based technology solutions for better efficiency, productivity (and the list goes on) as we keep up with global trends in a changing digitised world.

Recently, what has been remarkable is the reliance by local businesses on particular technologies which, to varying degrees, rely on artificial intelligence (AI) or machine learning systems (these terms will be used interchangeably albeit AI has a much wider meaning and includes, amongst others, machine learning).

Take, for example: chatbots that attend to general queries; systems that train or coach individuals on best sales/marketing techniques; biometric technology; automation of administratively repetitive tasks; cyber security or fraud detection; robotic process automation in the healthcare, manufacturing, and logistics industries (to name but a few). These are already part of the changes as workplaces move further forward into the 4th industrial revolution.

AI or machine learning systems rely on mass data that include datasets which, given their purpose, would comprise personal information. In some instances, the technology is not privy to information that can identify a particular person, i.e. it is anonymised and merely aggregated data. Thus it functions according to what the AI has been designed or programmed to do, based on its underlying logic. On the other hand, some AI does rely on personal information (given its specific purpose), or it can rely on a combination of both anonymised and identifiable personal information.

As we become increasingly digitalised, employers will invariably need to use employees' personal information for a range of business-related reasons, whether for security, performance, or better workplace efficiency. This will include information relating to one's views or preferences and other personal information. Businesses in the global north are already far ahead in this trajectory and it is only a matter of time until this is fairly extensive in South Africa.

Whilst there has been a proliferated transformation of technologies in the workplace, particularly in regard to data or information processing, the conversation about data privacy has relatively recently taken centre stage across all facets of technological platforms, including WhatsApp, Google search profiles, Facebook and other social media platforms. Individuals consciously want to keep their data private and do not want to be 'the product themselves'.

Striking a balance between technologies requiring as much 'real world' data to work efficiently (and in view of technological development) and the rights to data privacy seems to be the new conundrum.

The Protection of Personal Information Act (4 of 2013) (POPI)

In November 2013, South Africa enacted the Protection of Personal Information Act (4 of 2013) (also known as POPI or POPIA). POPI is aimed at protecting individuals' personal information. This, of course, gives effect to the constitutional right to privacy, but has been enacted, inter alia, to:

  • protect important interests, including the free flow of information within South Africa and across international borders; and
  • regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information.

Although POPI was signed into law several years ago, only certain provisions incrementally came into effect over the past few years. Published in the Government Gazette on 22 June 2020, the remaining transitional provisions in relation to compliance took effect on 1 July 2021.

POPI impacts all responsible parties holding or processing a person's personal information. Employers, especially, but not always, those of a medium to large nature, hold a considerable amount of personal information on their employees.

It is worth emphasising that personal information is widely defined under s1 of POPI. It includes information relating to an identifiable natural person and where applicable an identifiable existing juristic person. It further defines personal information (which is not exhaustive) as information relating to the education, medical, financial, criminal, employment history of a person. It also includes information relating to their race, gender, sex, ethnic and social origin, location information, online identifier or other particular assignment to the person, etc. Rather importantly, it includes information relating to the 'personal views, opinions or preferences of the person and the views or opinions of another individual about the person'.

Processing is also widely defined (s1 of POPI) and means— 'any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.'

Now that we are required to process information, including personal information, to better workplace security, productivity, efficiency etc. through emerging technologies, the question is what will be the impact once POPI takes full effect.

In order to be compliant with the provisions of POPI, a statutory justification for the processing (which includes consent) is required vis-à-vis the various recognised grounds (for example, to conclude or perform in terms of a contract, as would be the case in an employment relationship).

In order to be compliant, POPI envisages consent (notwithstanding some of the other exceptions) from data subjects. It further gives data subjects, or employees in the context of the workplace (data subject employees), a right to be made aware that personal information is being collected. Importantly, this information should come directly from them. This must be explicitly defined and lawful. The processing must also be lawful, conducted in a reasonable manner, and pertain to a function or activity of the employer (responsible party employer).

POPI further imposes requirements on the processing of special personal information. As a default position, there is a prohibition on the processing of special personal information, unless the general authorisation provisions apply. Under s26 of POPI, special personal information includes information relating to 'religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, biometric information of a data subject', etc. POPI makes specific provision in regulating special personal information.

Personal versus de-identified information: the likely relationship between POPI and AI systems

Personal versus de-identified information

Given what POPI covers, and given that machine learning systems require a wealth of data that may include personal information, it is evident that the provisions of the Act will be applicable to these systems insofar as personal information is concerned. Indeed, if data or information is de-identified (or anonymised) per se then POPI would not apply.

The article series focuses on those AI or machine learning systems that require personal information, or information which, at face value, is anonymised but can be associated in some way, through a reasonably foreseeable method, with a particular individual, which would bring it within the scope of POPI.

Under its definition in POPI, to 'de-identify' personal information means, in essence, to delete information that can identify the data subject. Importantly, it also means deleting information that can be used or manipulated by a reasonably foreseeable method to identify the data subject, or that can be linked by a reasonably foreseeable method to other information that identifies the data subject.

In other words, if the face value "anonymised" personal information can still identify a person through a "reasonably foreseeable method", it will not constitute de-identified personal information.

In this regard, it will then fall under the definition of "re-identification", which means to resurrect any information that has been de-identified that: '(a) identifies the data subject; (b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or (c) can be linked by a reasonably foreseeable method to other information that identifies the data subject, and "re-identified" has a corresponding meaning.'

While these definitions may seem straightforward, it will be interesting to determine in due course to what degree the test of "reasonably foreseeable method" will apply in practice (even with an 'objective standard') in the context of AI systems. This is especially so when taking into account the varying intricacies of a machine learning system, which becomes more intuitive in its "training" as it progresses, and whether such a standard will be suitable in each given case.

Naidoo is a Senior Associate, Employment Law practice, Fasken (South Africa).