The POPI Act, which was officially
signed into law at the end of last
year but isn’t effective yet, could
see travel agents who accidentally or
purposely leak information about their
clients facing fines of up to R10m and
jail sentences of up to 10 years.
What is it?
POPI regulates the manner in
which personal information may
be processed and provides rights
and remedies to protect personal
information.
The Act applies to every
business that processes (collects,
disseminates or merges) personal
information (passport numbers,
names, phone numbers, race, gender,
etc.) and special personal information
of the ‘data subject’ (client) ‘entered
into a record’ (such as e-mails and
hard copies) by or for a responsible
person (the travel agent) who
determines the purpose and means
of such processing (to book flights,
hotels, car rental).
There will be a ‘mean’ regulator
The Act will have its very own
regulator in the near future. The
regulator will deal with consumer
complaints and with appeals
concerning breaches of the law.
Gareth Cremen, partner at Ramsay
Webber attorneys, says the regulator
will be a “mean machine”, as the
fines imposed for non-compliance
can be anything up to R10m. In the
worst-case scenario, travel agents,
tour operators, hotels and/or
airlines could even find themselves
behind bars for up to 10 years
for disseminating their clients’
information.
The powers of regulators will be
far-reaching. They can demand
access to a travel agent’s premises
for the purpose of conducting
an investigation. They may also
approach a court of competent
jurisdiction and obtain a warrant to
conduct an investigation. This may
include searching the premises,
inspecting, examining, operating
and testing equipment used to
process information, and inspecting
and seizing any record, material or
equipment found there that may
serve as evidence. They can also
stop a travel agent from processing
information, which will effectively
mean that the travel agent will have
to close its doors. The powers of the
regulator are very broad.
The basic rule
You need the consent of the
consumer in order to process their
personal information!
The following tips will help travel
agents be compliant...
1. Adjust your terms and conditions
Insert clauses into your current
terms and conditions that
stipulate that your agency will be
collecting personal information
as well as special personal
information as defined by the
POPI Act. Don’t forget to mention
the reason why you need to
collect information: to secure
bookings with third-party
service providers.
Agreements must be concluded
with all suppliers regarding the
information being provided to
them; ask them to
indemnify you in the event
that there is a breach.
2. Install cookie pop-ups
If you are dealing with online
bookings from customers be sure to
have a cookie policy and also ensure
that your online terms and conditions
have been updated. Install pop-ups
that warn your customers that
you are collecting their personal
information. Include a disclaimer that
outlines that, by logging on to the
site, the client consents to sharing
his information but, remember,
consent is needed where information
is to be collected and sent outside the
Republic of South Africa.
3. Invest in security software
Travel consultants tend to move
around a lot in the industry, from
one job to the next. This trend
carries an inherent risk that the
consultant takes along client
information to the competitor and
it is up to the owner or manager
to limit the risk of clients’
information being leaked.
That is why travel agencies
should have the necessary
software in place that will alert
them when someone tries to pull
information from the server. It is
imperative that travel agencies
stop all client information at the
doorstep.
Once a breach has occurred,
the travel agent has an obligation
to report the breach to the
regulator as well as to the client.
4. Adjust corporate agreements
Travel agents are not allowed,
under the POPI Act, to reveal any
personal and/or special personal
information to third parties. What
happens if a jealous wife wants
to know where the husband is
vacationing with his mistress?
What do you do when the CEO
of a big corporate client phones
asking where his employee is and
what he is using the company’s
credit card for? Every company
and person in the agency – anyone
handling client information –
should study the definition of
‘personal information’ and ‘special
personal information’ as defined
in the POPI Act. Therefore, for
example, agents cannot divulge
information to their client’s wife
unless the husband has signed an
agreement that all information can
be passed on.
It is advisable to have
agreements in place with
corporate clients whereby the
company gives you the permission
to do all future bookings for the
company and their employees.
Companies must ensure that they
have the requisite permission
and/or consent from their
employees in order to hand over
information on all bookings made
by the company, irrespective
of who the employee is. What
happens if the company makes a
booking for a third party outside
their employ? These are all issues
that need to be dealt with in
the agreements and terms and
conditions.
5. Get it in writing
Travel agents need to officially notify
clients about the type of information
they collect about them and why. If
problems arise, the onus will be on
the travel agent to prove that the
client gave his consent to store the
information.
This notification can be a simple
booking form. Outline on your
booking form the information you
need and include a notice reading:
“Please refer to our privacy policy
and terms and conditions, which
deal with the manner in which your
personal information is stored. The
purpose of collecting, disseminating
and merging is contained therein.”
Gareth says the fact that the agency
has a privacy policy in place will not
be enough to protect you.
Problems arise when clients phone
the travel agent requesting an
urgent flight ticket, as a telephonic
conversation won’t be sufficient
proof of consent. Gareth advises
agents to do the booking and send
the client an email, preferably
with a delivery receipt recording
the transaction and stating in the
email: “As per our conversation,
you confirm (i) having understood
and agreed to our privacy policy
and standard terms and conditions;
and (ii) that we may proceed with
your booking/reservations on your
behalf in accordance with our privacy
policy and standard terms and
conditions. We informed you during
the telephone call that we do collect
information in line with the POPI Act
and by doing so you hereby consent
to us utilising same for the purpose
as set out in our privacy policy and
standard terms and conditions etc.”
6. Appoint an information officer
It is imperative that travel agencies
appoint a dedicated person within
their company as the information
officer, Gareth says. This person will
be responsible for enforcing the POPI
Act and implementing the privacy
policy within the company.
The information officer will keep
all the client information on file and
record it in a safe vault to ensure
it can’t be leaked. The information
should be encrypted to prevent usage
by other individuals.
Internal policies and procedures will
need to be implemented, especially
with regard to safeguarding any
credit card information. Ideally the
information officer should be the
only person to access and process
payments on behalf of clients.
Always ask the appointed
information officer and employees
processing information to indemnify
you in case there is a breach of
the information that only they have
access to.
7. Destroy information
The Companies Act states that
travel agents need to keep
documents on file for five years.
However, there is a conflict as,
according to the POPI Act, travel
agents can’t keep documents for
longer than is necessary to render
services. The solution to this is to
notify the consumer in writing that
his/her information will be filed
away for five years, after which it will
be destroyed. During that period,
nobody else will have access to that
information.
If the client requests to be
removed from the database, comply
with this request. Remove his/her
file from the computer database
and get his/her file offsite with
companies such as Metrofile or,
if you prefer electronic vaults, one
such as Safe4. All electronic data
should be encrypted to prevent
unauthorised usage by third parties.
8. Foresee risks
According to the POPI Act, companies
need to be able to foresee both
internal and external risks to the
clients’ information. What are the
risks involved in your business? How
do you stop employees selling off
credit card information and personal
information to third parties? What
firewalls have been established by
your IT department? What happens if
your laptop/employee’s laptop
has been stolen? These are real
issues that need to be carefully
considered and catered for.
If there is a breach of info and the
regulator asks you to prove the steps
you’ve taken to prevent the offence,
you will need to show all possible
measures taken by you to identify and
prevent the offence from occurring.
The mere fact that you did not know
or that it was the employee’s fault is
not sufficient to protect the company
and its directors from criminal
prosecution and/or a fine in terms
of POPI.
9. In case of a breach
If a breach of information took place and
a client’s information was compromised,
both the client and the regulator need to
be alerted immediately.
10. Seek legal advice
Travel agencies will be held liable for
non-compliance with the POPI Act,
regardless of whether or not there
was an intention to leak information
or whether it was negligence. To
ensure that you are 100% compliant
with the POPI Act and that the
weaknesses within your company are
addressed, it is advisable to seek
legal advice.
It is also suggested that companies
train all relevant employees on
the POPI Act and the procedures
implemented by the company.
11. The golden rule
Put the necessary policies and procedures in place and don’t deviate
from the rules.
When will the law come into effect?
South African president, Jacob
Zuma, signed into law the POPI
Act at the end of last year but the
commencement date still needs to
be set. Once this is set everyone
will have a year within which to
comply.
It is good practice and far better
to start the process now rather
than waiting until the 11th hour.