THE BEECHAMBER
B-BBEE Verification evidence & POPIA
2021
Since the publishing and full enforcement of the Protection
of Personal Information Act (POPIA) on 1st July 2021,
organisations have been aware of their responsibilities in
collecting, processing and sharing third-party information. POPIA
has changed how South African organisations conduct business,
as it compels careful consideration and protection of the rights of
Data Subjects.
It has been a long time since parliament assented to the
POPIA on 19th November 2013. A portion commenced on 11th
April 2014, including section 1, Part A of Chapter 5, section
112 and section 113. The balance of POPIA came into effect on
1st July 2020, except sections 110 and 114(4), which became
effective on 1st July 2021.
POPIA, while promoting the right to privacy outlined in the
Constitution, also governs the flow, retention period and
destruction of information. POPIA defines the following terms:
> Responsible Party: A public or private body that determines the
purpose and means for processing Personal Information taken from
a Data Subject.
> Operator: The party that processes Personal Information on
behalf of a Responsible Party.
> Data Subject: Any party to whom the Personal Information relates.
It means an identifiable, living, natural person and an
identifiable, existing juristic person.
> Personal Information: Any information that can identify a Data
Subject in any way.
The purpose of POPIA is to regulate, along with international
standards, the processing of personal information by public and
private bodies. The objective is to store and process Personal
Information in a manner that respects the right to privacy. Subject
to justifiable limitations, POPIA aims to protect the rights and vital
interests of Data Subjects.
The safekeeping of the vast amount of personal information
necessary for a B-BBEE Verification is dictated by the 2008
Verification Manual and the SANAS R47-03 document. The
introduction of POPIA has not changed any BEE requirements.
If any Personal Information or other relevant document is not
available at the time of a B-BBEE Verification, it will not be
recorded as evidence.
In terms of evidence at a B-BBEE Verification,
what party is responsible for proving
adherence to POPIA?
The Responsible Party is the organisation rolling out its B-BBEE
Strategy. It must take responsibility for collecting, processing
and sharing information with the correct permissions. The
Responsible Party must ensure that it has the consent of the
Data Subject to share their information in line with its B-BBEE
Verification, irrespective of whether an Operator collected the
Personal Information on their behalf.
The role of a B-BBEE Rating Agency remains to verify the data
supplied by a Responsible Party for a B-BBEE Verification,
which must include a SANAS audit where necessary. Therefore, any
information not provided will not be counted in an organisation’s
B-BBEE Verification, impacting its overall B-BBEE Score.
Once a B-BBEE Rating Agency collects, processes and shares
information for a B-BBEE Verification, it, in turn, becomes the
Responsible Party for that Personal Information. To fulfil its
POPIA compliance requirements, a B-BBEE Rating Agency must
provide evidence that all Personal Information received from a
Responsible Party was in line with POPIA.
How is information lawfully processed from its
origin to a B-BBEE Rating Agency?
The Responsible Party collecting, processing and sharing
Personal Information must take into consideration section 2.4.1
of POPIA:
> Accountability;
> Processing limitation;
> Purpose specification;
> Further processing limitation;
> Information quality;
> Openness;
> Security safeguards; and
> Data Subject participation.
Are there any exclusions for POPIA
compliance?
POPIA addresses exclusions to compliance in Chapter 2, Sections
6 and 7. The following are exclusions from POPIA:
> Where Personal Information processed is not recorded in any
other form;
> Where Personal Information forms part of internal household
activities;
> Where information has been de-identified to the extent that it
cannot be re-identified;
> When an organisation is a public body that protects
national security;
> When an organisation is a public body that prosecutes
offenders;
> A Cabinet or Executive Council of a province;
> A court as defined in the Constitution; and
> When Personal Information is processed for journalistic,
artistic or literary purposes as per section 7.
The scope of POPIA is broad and applies to the processing
of personal information rather than a particular person or
organisation. Therefore, any organisation that processes data
must comply with POPIA and, in particular, a Responsible
Party must utilise all personal data according to the protection
principles held within POPIA.
The POPIA framework shapes the rules and practices a
Responsible Party must follow when processing information
about individuals or juristic persons. It bestows specific rights
regarding data, and generates an independent regulator to
enforce such rules, rights and practices.
POPIA applies to all information processed automatically or
recorded on paper, including health records and certain public
authority records.
Does a Data Subject have the right to refuse
information sharing?
A Data Subject is not obliged to share their personal information;
however, refusing could limit their access to employment,
participation in B-BBEE initiatives or any such benefits.
As POPIA safeguards a Data Subject’s Personal Information, the
Promotion of Access to Information Act (PAIA) provides the right
to access and controls the use of Personal Information. In effect,
these pieces of legislation balance out the right to privacy and the
legitimate needs of organisations to collect and use personal data
for business or any other legitimate purpose.
How does Personal Information flow through
parties to allow for a B-BBEE Verification?
The Personal Information of a Data Subject is captured and
processed long before it is presented as evidence at a B-BBEE
Verification. It is, therefore, fair to surmise that the flow of Personal
Information would end at a B-BBEE Verification after flowing
through various parties. However, the Personal Information, from
its origin, as it flows through multiple parties, must be traceable
with the relevant approvals, allowing it to flow.
All Parties must ensure that they process Personal Information
lawfully and in a reasonable manner that does not infringe
the privacy of the Data Subject. Responsible Parties may only
process the minimum amount of relevant information, and it must
be for a specific purpose.
From where does the evidence necessary for
a B-BBEE Verification stem?
During the B-BBEE Verification process, Personal Information
from a multitude of Data Subjects is collected. From the
time Data Subjects become Participants or Beneficiaries in a
Responsible Party’s B-BBEE Strategy, their Personal Information
will be collected and processed through various parties, ending
with a B-BBEE Verification. In theory, because of the flow of a
Data Subject’s Personal Information, the process becomes more
complex as the responsibility spreads to a broader network.
More often than not, an organisation will use the services
of B-BBEE Consultants or an Operator to drive its Skills
Development, Procurement, Enterprise Development, Supplier
Development or Socio-Economic Development Solutions. It
is, therefore, crucial that an organisation works with service
providers that implement POPIA requirements. At any given
time during the process of capturing and sharing Personal
Information, the relevant Responsible Party bears the burden of
proof that it obtained consent from the Data Subject from the
initial interaction.
Responsible Parties must consider what historical data would
be necessary for a B-BBEE Verification. Therefore, obtaining
consent from Data Subjects pertaining to the last financial
period must be factored into the preparation timeline of a
B-BBEE Verification.
What information must a Responsible Party
provide to a Data Subject when requesting
their Personal Information?
Data Subjects must provide consent for their Personal Information
or Special Personal Information to be processed. The request
must be clear and concise in its intention. The following must
be communicated to a Data Subject when requesting their
Personal Information:
> What Personal Information or Special Personal Information
will be collected;
> The purpose for which the information is being collected;
> What other parties will be privy to this information and the
purpose for sharing it; and
> Contact details of Information Officers or Deputy Information
Officers responsible for sharing a Data Subject’s
Personal Information.
What are the criteria for sharing Personal Information?
POPIA provides the criteria according to which Personal Information may be processed.
1 The Data Subject, or legal guardian if the Data Subject is a child, has provided explicit consent for processing Personal Information.
2 When a Data Subject is a party to a contract, their Personal Information needs to be processed to meet their obligations.
3 Where a Responsible Party processes Personal Information to meet legal obligations.
4 When the processing of Personal Information will protect the legitimate interest of the Data Subject.
5 The processing of Personal Information is necessary for the proper performance of a public law duty by a public body.
6 When processing is necessary to pursue a legitimate interest of the Responsible Party or a third party.
Data Subjects have the right to withdraw their consent at any time, provided there are no legal implications as mentioned in
points 2 to 6 above. However, as per points 4 to 6 above, withdrawal must be made in a prescribed format, outlining the reason why.
If a Data Subject withdraws their consent, a Responsible Party may no longer use that information. If the Personal Information flows through
various parties, the relevant Responsible Party must ensure the withdrawal of that Data Subject’s Personal Information.
What evidence is necessary to confirm that POPIA requirements were adhered to by the
Responsible Party at the time of a B-BBEE Verification?
Before embarking on a B-BBEE Verification, a B-BBEE Rating Agency may require evidence that a Data Subject gave consent to have their
Personal Information processed. Responsible Parties must consider what Personal Information is necessary per scorecard indicators.
How do the POPIA requirements flow through the B-BBEE Scorecard? What are the
considerations for each element?
The following outlines the necessary evidence for a B-BBEE Verification and how Personal Information flows through each element.
What are the responsibilities of a B-BBEE Rating Agency when processing Personal
Information?
The SANAS R47-03 accreditation regulations mean that B-BBEE Rating Agencies already had strict controls for the
identification, storage, protection, back-up, archiving, retrieval, retention time and disposal of Personal Information.
Section 21 of the SANAS document requires the following from B-BBEE Rating Agencies:
> Request for evidence, including the initial and ongoing B-BBEE Verifications;
> Justification of the timeframe determined for a B-BBEE Verification;
> Records of complaints and appeals, and any subsequent corrections or corrective actions;
> Adequate deliberations and decisions;
> Documentation of the findings; and
> Record of B-BBEE Verification Certificates issued.
Section 21 further stipulates that a B-BBEE Rating Agency must retain Personal Information from the current
accreditation cycle plus the previous one, or otherwise as the law prescribes. Currently, the accreditation cycle is four
years. Section 14 of POPIA accommodates this, as it allows records to be retained for a period, as and when
required, prescribed in law or a code of conduct.
Due to remote B-BBEE Verifications, B-BBEE Rating Agencies have adapted security for capturing, processing and
sharing data. In some cases, third parties oversee the process. The responsibility, however, lies with a B-BBEE
Rating Agency to communicate clearly to its client how Personal Information will be processed, protected and
ultimately destroyed.
Responsible Parties must ensure that their chosen B-BBEE Rating Agency has POPIA compliance protocols in
place. A B-BBEE Rating Agency’s B-BBEE Verification agreement should clearly outline what its POPIA processes are
and how it safeguards, retains and destroys Personal Information.