The Protection of Personal Information Act 4 of 2013 (“POPI”) aims to regulate the collection and processing of “Personal Information” in South Africa. The Act was signed by the President and we now await the announcement of the commencement date. There has been some talks on POPI especially what the impact on certain businesses will be. The following should shed some light on the topic.
“Personal Information” is defined in the Act as1:
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
The Act Defines “Processing” as2:
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
POPI goes further in Section 4 and provides the conditions for lawful possession of Personal Information. The conditions are:
POPI does allow the possession and processing of Personal Information in certain cases. It must be justified in terms of the act. These instances will include:
Many companies and businesses rely on the possession and use of such information. The Act allows for this in certain instances, however, it must be justified by the holder thereof. The holder must be able to justify possession as stipulated above and for good corporate governance draft and adopt a policy and procedure for the protection of personal information.
In order to comply, a person (legal or natural) needs to evaluate the Personal Information that is in his/her/its possession as well as the manner in which this information is processed in terms of the sections stated above.
This will mean that the following steps will be a good starting point:
All of the above steps will require extensive assessment and evaluation after which a policy must be implemented to ensure compliance and continuity on compliance in regard to POPI.
In Chapter 11, POPI provides the penalties and fines that will be applicable.
Fines and penalties will be enforced once a complaint is submitted to the Regulator. The regulator may then summon the party to appear and explain the complaint. The Regulator may approach a court and ask for a Warrant to be issued to search the premises of such a party.
In terms of Section 107, an offence may be punished by a fine to a maximum of R10 million or imprisonment of up to 10 years.
This article was drafted by Izak Viljoen on 12 March 2015 an attorney at Barnard Incorporated, Centurion, Pretoria.
Barnard Incorporated is a firm of attorneys situated in Centurion, Pretoria.
We are always on standby to receive your query - 24 Hour Emergency Line - 072 727 2231