South Africa: The revised CBA code of conduct and its impact on credit bureaus
The South Africa Credit Bureau Association ('CBA') has published a Code of Conduct1 ('the Code') governing the Conditions for Lawful Processing of Personal Information by credit bureaus who are members of the CBA under the Protection of Personal Information Act, No.4 of 2013 ('POPIA'). Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, explains the key provisions of the Code and what credit bureaus must now consider when processing personal information.
While the provisions governing the processing of information in the National Credit Act, 34 of 2005 ('NCA') are not in all aspects as detailed and as extensive as POPIA, they are not inconsistent with POPIA. Credit bureaus operating in accordance with the NCA already largely comply with the conditions for the lawful processing of personal information contained in POPIA.
When acting as a responsible party, the bureaus must ensure that all eight conditions for lawful processing and the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing, as well as during the processing itself.
Condition 1: Accountability
A governance framework should be established which includes:
appointment and registration of an Information Officer;
- assigning responsibility for the protection of personal information throughout the business;
- requireing effective communication between the Information Officer, data subjects, and the business;
- requiring that all POPIA compliance activities and controls are documented and demonstrable for verification or audit purposes;
- requiring the performance of a Personal Information Impact Assessments ('PIIA');
- requiring the bureau to maintain an inventory of processing activities; and
- requiring the implementation of training programmes.
Where functioning as an operator for a client, credit bureaus will:
- maintain strong security controls for any data processing activity;
- maintain an updated record of all processing activities carried out as an operator;
- notify the responsible party as soon as a breach of personal information is discovered; and
- ensure that a legally binding contract with responsible party is in place.
Condition 2: Processing limitation
Only categories and volumes of information that are adequate, relevant, and not excessive should be processed.
When collecting information directly from the individuals, there must be a legal basis:
- Where credit bureaus rely on consent for the lawful processing of personal information, the consent must be:
- for a specific purpose, freely given, and requires a clear expression of will by the data subject;
- notification given to the data subject at the time of consent collection about how consent can be withdrawn in a clear, concise, and understandable manner;
- requested in manner and form prescribed in POPIA where consent specifically relates to direct marketing by electronic communication; and
- adequately recorded.
- Necessary to comply with legal obligation: Limit the collection of Personal Information to include only what is permitted and which is necessary to maintain data quality and accuracy and to enable its clients to make meaningful and accurate decisions.
- Legitimate interest:
- Carefully assess whether a data subject can reasonably expect, at the time of collection of the personal information, that processing for that purpose may take place.
- Ensure that when it relies upon the legitimate interests for processing personal information that those interests are not overridden by the interests or fundamental rights and freedoms of the data subject(s).
- The right to object to such processing must be communicated to the data subject, when the bureau communicates the purpose for processing.
- Where a credit bureau collects information from a third party, e.g. credit provider, they must notify the source in the privacy disclosure. The legal basis for this is maintaining the legitimate interests of the responsible party or the third party to whom the information is supplied.
Condition 3: Purpose specification
When collecting directly from the individual, it should be ensured that the data subject is aware of the specific, explicitly defined, and lawful purpose related to the function and activity of the credit bureau in processing the data subject's personal information e.g. where personal information is collected for dispute resolution.
When collecting from another source, it should be verified the originating source of the information and ensure that personal information is lawfully collected in terms of the NCA, namely, require the supplier of the personal information to agree in writing that:
- where required, the prior consent of the data subject has been obtained; and
- the data subject has received proper notification relating to the processing of the data as required in terms of Section 18(1) of POPIA.
A policy should be developed and maintained for data retention and destruction that ensures that records of personal information are not retained any longer than is necessary for achieving the predetermined purpose for which the information was collected and subsequently processed, unless required by law, or reasonably necessary for lawful purposes related to credit bureau functions and activities.
The policy must include a schedule which specifies:
- the periods for retention of records of personal information;
- the security measures applied to records that are no longer displayed or used for purposes of credit scoring or credit assessment;
- triggers for such destruction or de-identification of such records when outside of the specified retention period;
- destruction or de-identification of records containing personal information; and
- justification for retention period that are longer than the period set forth in the NCA.
Personal information must also be destroyed or de-identified as soon as reasonably practicable after its retention is no longer necessary
Condition 4: Further processing limitation
It needs to be ensured that the processing of personal information falls within the purposes defined in the NCA. Personal information will not be further processed in a manner that is incompatible with the original purpose for processing, unless the bureau ascertains that the steps set out in Condition 4 of POPIA are met prior to the further processing by conducting a PIIA.
Where further processing occurs, the credit bureaus will assess:
- any link between the purpose of collection of personal information and reasons for intended further processing;
- the relationship between the data subject and the responsible party, and the context of the collection of personal information;
- the nature of the personal information, e.g. if special categories of data are being processed;
- the possible consequences of intended further processing to the data subject;
- appropriate safeguards relating to further processing will be implemented; and
- whether in the circumstances, a data subject may have reasonably expected such further processing.
If the purpose for processing the personal information changes and is no longer compatible with the original purpose, it will be considered as a new processing activity which will require a separate legal basis for processing.
Condition 5: Information quality
It needs to be ensured that the information which may affect these decisions is complete, accurate, not misleading, and updated where necessary, considering the purpose for the processing of this information.
The industry agreed data validation rules should be applied to ensure that personal information processed by the bureaus conforms with minimum data quality requirements and filters out inconsistent, incomplete, and inaccurate information.
Measures should be established to address and remedy instances where the quality of the personal information processed by a credit bureau is found to be deficient.
Reasonable measures should be taken, including, where appropriate, the conclusion of written agreements to obtain assurance from sources of information that the personal information provided to the credit bureau is accurate, up to date, relevant, complete, valid, and not duplicated.
A free consumer dispute processes should be established and maintained.
Condition 6: Openness
Detailed records of their processing activities, categories of personal information, and information flows should be kept, and the documentation of all processing operations under their responsibility should be maintained.
A Promotion of Access to Information Act, 2000 ('PAIA') Manual should be developed and displayed on their website that includes:
- direction to request access to information;
- details of sources from which information may be collected;
- the purpose of the collection of the information;
- whether the supply of the information by the data subject is voluntary or mandatory; and
- where applicable, details of cross border transfers of information.
An Information Officer and Deputy Information Officers should be appointed. Before providing a record to any person including the data subject, or the data subject's duly authorised representative, credit bureaus should authenticate the identity of the data subject and confirm the purpose for which the record is required. A privacy notice should be displayed on their website and communicate it to the individuals.
In addition to provisions required by POPIA, the following should also be included:
- to the extent that the information processed by the credit bureaus is consumer credit information as defined in the NCA, its processing is subject to the provisions of the NCA, the NCA Regulations, and rulings and guidelines of the National Credit Regulator;
- the data subject has a right to access personal information, rectify incorrect information, and object to the processing; and
- the data subject may lodge a complaint with the Information Regulator and/or the National Credit Regulator and provide their contact details.
Credit bureaus, when acting as the operator, are not obliged to confirm whether the data suppliers (who are the responsible party) have complied with their obligations to notify the data subject of the purpose and manner of the processing of the data subject's personal information for credit assessments.
Condition 7: Security safeguards
Credit bureaus are required to have robust information security controls, which are applied to all processing. An Information Security Management Systems ('ISMS') should be established and maintained including: appropriate infrastructure, policies, control measures, training, and IT security policies (the applies even if the credit bureau is an operator).
Appropriate technical and organisational measures should be implemented. Provisions in written contracts should be included requiring that the operator will notify the credit bureau on an immediate basis if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.
Where a credit bureau acts as an operator as defined in POPIA:
- it will establish and maintain the security measures necessary to safeguard the integrity and confidentiality of personal information;
- it may only process personal information with the knowledge and authorisation of the responsible party; and
- it is obliged to maintain the confidentiality of the personal information and not disclose it unless required by law or in the performance of its duties as a credit bureau.
It is recommended to follow the Compromise Response Guideline that is applicable to credit bureaus and describes the processes to be followed in the event of a security compromise as defined by POPIA.
In the event of a compromise, the affected credit bureau will conduct a risk assessment to determine the likelihood of harm to the data subject following the compromise and the bureau will ensure that it offers appropriate support and services free of charge to the affected data subjects.
Where credit bureaus are the operator and there is a personal information breach, credit bureaus will notify the responsible party without undue delay after becoming aware of the personal information breach (and in line with notification obligations as per the agreement with the responsible party). Credit bureaus will assist the responsible party in ensuring compliance with its obligation to notify the Information Regulator.
Condition 8: Data subject participation
Procedures should be established to provide consumers access to their consumer credit information displayed on their credit reports, free of charge once in any 12-month period (free credit report). For other data subjects, the credit bureaus provide this information at a charge.
Upon receipt of an access request, confirmation should be issued to the data subject should the credit bureau hold the information. The requested information should be presented to the data subject in a reasonable manner and in a format that is understandable.
Upon receipt of a request by a data subject for information about the identity of third parties, or categories of third parties who have or have had, access to the data subjects' personal information, the names of the third parties should be provided.
Credit bureaus should correct incorrect information that it holds on its database. Where the correction request is to correct or dispute consumer credit information, credit bureaus should investigate the request and update consumer credit information on behalf of and on the instruction of the credit provider (the responsible party).
If the request for correction is to correct consumer credit information, and the credit bureau does not receive an instruction to correct the information from the responsible party, the credit bureau should advise the data subject of its decision and inform the data subject that he/she/it may refer a complaint to the NCR.
Special personal information
Credit bureaus are expressly prohibited from processing the information contained in Regulation 18(3) of the NCA Regulations. These categories of information correlate closely to the categories of personal information defined as special personal information under the POPIA.
Credit bureaus may process biometric information to verify the identity of a data subject in order to provide services that enables its clients to prevent or detect fraud. The processing of criminal behaviour information may be conducted during background screening for employment or during employment.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia