This is the final article in the three-part series discussing the impact of the Personal Information Act (4 of 2013) on artificial intelligence or machine learning systems in the context of the workplace.
Although the degree to which the processing of personal information by artificial intelligence systems is relevant depends on the type of workplace or employer, and may appear prescient, it is reasonable to conclude that this will grow in the not-too-distant future.
This article looks at the relevant provisions or themes of POPI and its possible relation to artificial intelligence or machine learning systems. However, the provisions of POPI discussed are not exhaustive and other areas may also be relevant in the specific context of any given case.
This article looks at:
Further processing of personal information, security safeguards, third party operators and those abroad receiving personal information
If a responsible employer wants to further process information by the machine learning system, in terms of s15(1) of POPI, the employer must determine whether further processing is compatible with the purpose for which it was collected – i.e. adhering to s13 of POPI. Section 15(2) of the Act sets out a list of considerations to be taken into account in this assessment. Importantly, s15(3) provides a list of grounds on which further processing will not be construed as incompatible with the purpose of collection. This includes, amongst others, consent from the data subject employee; the information being available in or derived from a public record, or having deliberately been made public by the data subject; or the information being used for historical, statistical or research purposes, where the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form.
Under s19 of POPI, a responsible party employer must hold security safeguards to protect the integrity and confidentiality of the information.
In the context of AI systems, it is possible that third party operators will play a role.
Section 20 of POPI regulates third party operators or persons who process the information. The processing must only be done with the knowledge or authorisation of the responsible party employer and the third party must treat personal information which comes to their knowledge as confidential and not for disclosure.
In terms of s21 of POPI, a responsible party employer must conclude a written contract with a third party operator to ensure that the operator establishes and maintains the security measures referred to in s19. A third party operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. Section 22 imposes further obligations on a responsible party employer where there are reasonable grounds to believe that the information has been accessed or acquired by an unauthorised person. A responsible party employer would need to notify the Information Regulator and the data subject employee unless the stipulated exceptions apply.
It is also possible that third party operators can be beyond the borders of South Africa. For those cross-border third parties, s72 of POPI imposes further obligations. Section 72 provides that the responsible party employer may not transfer information about a data subject employee to a third party who is in a foreign country. However, the exceptions to this include, amongst others, consent from the data subject; if the third party is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection taking into account the applicable considerations under s72; the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request; or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party.
Given the potential of AI systems being linked through cross-border cloud computing servers, it is possible that the AI systems could be administered or managed, on behalf of a responsible party employer, by a third party entity (including from another country). The applicable provisions will therefore need to be complied with.
Quality of personal information and the data subject employee's right to correct or delete personal information
Although serving the interests of all, including a responsible party employer, a data subject employee and an AI system to ensure accurate predictions or decisions, s16 of POPI requires that 'a responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary' and 'the responsible party must have regard to the purpose for which personal information is collected or further processed'.
Section 24 of POPI also makes provision for a data subject employee to request a responsible party employer to 'correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14 of POPI'.
Data subject participation: right to request information held about the data subject employee
In line with POPI and the Promotion of Access to Information Act (2 of 2000) (PAIA), data subject employees may exercise their right to access information held about them. A data subject employee may, therefore, request a record or description of the personal information about themselves as held by the responsible party employer, including information about the identities of all third parties, or, a category of third party, having or having had access to it (s23). The provisions also require, amongst others, that it should be in a form that is generally understandable.
Based on this, what if, in processing the information, the machine learning system has developed a myriad of profiles as part of its "learning", even with (as mentioned earlier) information that is anonymised at face value (by removing the identity), but in some way, through a 'reasonably foreseeable method', can at a later stage associate it with that person?
In light of the rights of data subject employees to request a record or description of what information has been 'held about the data subject', could this also extend to request a record and/or description in respect of the 'processing' of the personal information? If so, from a practical perspective, would the employer be in a position to provide this information, which has perhaps been processed by an intricate, complex and intuitive system?
Section 17 of POPI appears to provide some clarity in that a responsible party must maintain documentation of all processing operations under its responsibility as referred to in terms of sections 14 and 15 of PAIA. That said, it is silent as to what extent the "processing operations" ought to be documented. For example, should a responsible party employer make provision in their machine learning processes to systematically link, akin to a 'virtual paper trail', what that personal information (mixed with a horde of other data) has been or was processed with, or should it merely document an overall purpose of the processing (based on the underlying logic of the AI or machine learning system)?
Unique identifiers in the processing of personal information and prior authorisation required from the Information Regulator
Section 57 of POPI regulates, amongst other matters, the processing of unique identifiers of data subject employees, the processing of information on criminal behaviour or unlawful objectionable conduct on behalf of third parties, the processing of information relating to credit reporting, and the transfer of special personal information (referred to in s26 of POPI) to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
A unique identifier is defined as any identifier that is assigned to a data subject and uniquely identifies that data subject in relation to that responsible party. In this instance, s57 is triggered when, amongst others, unique identifiers are processed for a purpose other than the one for which the unique identifier was specifically intended at collection and with the aim of linking the information together with information processed by other responsible parties.
A responsible party employer would, amongst others, need to get prior authorisation from the Information Regulator (Regulator) before any processing, if it plans to do so, together with such other obligations under sections 57 & 58 of POPI.
In terms of unique identifiers in the context of machine learning systems, this would be personal information intertwined with other information and possibly linked to other responsible parties (perhaps through a third-party AI platform). Amongst the other instances envisaged under s57 of POPI, these would impose further obligations.
The Regulator was established in terms of POPI and has various statutory powers, some of which will be discussed in the section below.
Information Regulator: statutory powers, amongst others, to monitor and enforce compliance
The Regulator has the statutory powers to monitor and enforce compliance. This would include conducting investigations, seeking court-ordered warrants, and making assessments to ensure compliance.
Pertinent to the topic of this article, the Regulator also has the powers (under s40(1)(b)(ii) of POPI) to undertake research and monitor developments in information processing and computer technology to ensure that any adverse effects are minimised. The Regulator must report the results of this research and monitoring to the relevant Minister.
This provision of POPI acknowledges that emerging technologies play a role in the processing of personal information and could have adverse effects as technological development progresses.
Apart from the above, there are provisions on offences, penalties, and administrative fines if a breach or contravention takes place. Having an 'accountable' machine learning system in respect of the processing of personal information could be essential for purposes of POPI compliance if the need to audit ever arose.
This article raises a host of challenging questions about the relationship between POPI and the AI software systems that may require this personal information. It remains to be seen how this likely conundrum between AI or machine learning systems and data privacy under POPI will unfold, and whether they are mutually exclusive or adaptable to function symbiotically.
It also remains to be seen whether the Regulator will issue a code of conduct.
For now, it would seem that creating well defined and clear provisions, including contractually and in policy documents, between the processing of personal information by an AI or machine learning system and the regulation of data privacy under POPI will be a foundational start. Moreover, ensuring compliance from the outset when setting up the AI or machine learning systems would result in a system processing personal information (if any) in tandem with POPI.
Naidoo is a Senior Associate, Employment Law practice, Fasken (South Africa).