Page 11 - EngineerIt June 2021
ICT LEGAL OPINION
It is also important to determine the type of information that is processed by the
chatbot, as organisations have a duty to protect personal information under POPIA.
This includes biometric information (information that identifies a person based on
physical, physiological or behavioural characteristics), basic identifying information (name
and surname; any identifying number; e-mail address and location etc.) and information
relating to a person’s racial and ethnic origin, religious beliefs and health.
The chat session and sharing of personal information will typically unfold in a
three-step process. Firstly, prior to a chat session, the chatbot is able to obtain and
identify the end user’s information such as name, location, phone numbers and email
addresses. Notably, this may differ from platform to platform. Secondly, when the chat
session has commenced and the end user and the chatbot are conversing, further
personal information or files may be introduced to the chat. Lastly, when the chat session
is concluded, the chatbot may integrate the data received from the end user with the
customer relationship management (CRM) software (which administers interactions with
end users) used by the chatbot customer, and other related technologies, to improve
business relationships with end users.
Considerations for chatbot operators in ensuring POPIA compliance
There are various measures that a chatbot operator and its customers should take in
order to ensure POPIA compliance. The considerations discussed below should not be
considered as exhaustive.
• Purpose – Records of personal information must not be kept any longer than
is necessary for achieving the purpose for which the information was collected.
If a chatbot informs an end user that it will be using their email address to
provide further information about the chatbot customer’s services, it should be
used for that purpose only.
• Consent – Importantly, because the chatbot will request personal information from
the end user, he/she should consent to the personal information being used, unless
there is another justification for the chatbot to process the end user’s personal
information. Before the conversation commences, the chatbot should provide the
end user with a link to the Terms of Service, which should include appropriate
consent provisions to the processing of the end user’s personal information.
• Access to and deletion of information – POPIA provides data subjects with the
right to request access to their personal information once collected. It is common
practice to enable the end user to download his/her data in digital form by making
use of a query and response format in the chatbot. Further, POPIA provides data
subjects with the right to request the deletion of their personal information. The
end user may be provided with an option to request that his, her or its personal
information be deleted. A download feature and the ability to request the deletion
of personal information are recommended features to enable POPIA compliance.
• Automated decision making – A data subject may not be subject to a decision that
may adversely affect him/her, which is based solely on the automated processing of
personal information. Therefore, it is prudent that chatbot operators ensure that
there is human oversight or involvement over the chatbot.
• Transborder information flows – The chatbot customer should determine whether any
personal information is being transferred to a third party outside South Africa
when using the chatbot service. A responsible party may not transfer personal
information of a data subject to a third party who is in a foreign country unless
certain conditions are met.
Although chatbots are innovative and transform aspects of the online business
landscape, it is crucial to consider the rights of the end user, and the obligations
of the chatbot customer and provider under POPIA. The purpose of POPIA is to
protect the constitutional right to privacy. However, this should not stifle innovation,
and organisations using chatbots and those that provide this service should
receive appropriate legal advice to ensure POPIA compliance.
About the author
Maison Samuels is a candidate attorney currently completing practical vocational
training at Webber Wentzel.
maison.samuels@webberwentzel.com