POPI in Practice
Statutory Framework
The Protection of Personal Information Act 4 of 2013 (“POPI”) regulates the collection and processing of “Personal Information” in South Africa. The Act has been signed by the President and the commencement date has not yet been announced. There has been some discussion of POPI, especially about what its impact on certain businesses will be. The following should shed some light on the topic.
“Personal Information” is defined in the Act as1:
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
The Act defines “Processing” as2:
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;
1 Sec 1
2 Sec 1 (both definitions appear in the definitions section of the Act)
Possession:
POPI goes further in Section 4 and sets out the eight conditions for the lawful processing (and therefore possession) of Personal Information. The conditions are:
- Accountability – The responsible party must ensure that the conditions for lawful processing are complied with
- Processing Limitation – The reason for possession and the manner of collection must be lawful
- Purpose Specification – Information must be collected for a specific, explicitly defined and lawful purpose
- Further Processing Limitation – Any further processing must be compatible with the purpose of collection and comply with the provisions of POPI
- Information Quality – All reasonable steps must be taken to ensure that the information is complete, accurate and not misleading
- Openness – Be open and transparent when collecting information
- Security Safeguards – Secure the information received against loss, damage and unauthorised access
- Data Subject Participation – The data subject must be allowed to access the information held and to have it corrected
Processing:
POPI excludes certain processing from its scope entirely (Section 6). Possession and processing falling outside these exclusions must be justified in terms of the Act. The excluded instances include:
- In the course of purely personal and household activity
- The information has been de-identified to the extent that it cannot be re-identified
- Processing by or on behalf of a public body involving national security, the combating of terrorist financing, defence, public safety, or the prevention and detection of unlawful activities such as money laundering
Many companies and businesses rely on the possession and use of such information. The Act allows for this in certain instances; however, the holder must be able to justify the possession as stipulated above and, for good corporate governance, should draft and adopt a policy and procedure for the protection of personal information.
Compliance:
In order to comply, a person (legal or natural) needs to evaluate the Personal Information in his/her/its possession, as well as the manner in which that information is processed, against the sections stated above.
The following steps are a good starting point:
- Audit of Personal Information Held
- Audit of Processing
- Evaluate the Audits
- Set Rules and Processes
- Communications to Subjects
- Protect Information
- Communicate Processes and Measures to the Regulator
- Record Keeping
All of the above steps require extensive assessment and evaluation, after which a policy must be implemented to ensure compliance, and continued compliance, with POPI.
Non-Compliance
Chapter 11 of POPI provides for the offences, penalties and administrative fines that will apply.
Enforcement typically begins once a complaint is submitted to the Regulator. The Regulator may then summon the party to appear and respond to the complaint, and may apply to a judge or magistrate for a warrant to be issued to search the premises of that party.
In terms of Section 107, a person convicted of an offence under the Act may be sentenced to a fine or to imprisonment of up to 10 years, or both. In addition, Section 109 allows the Regulator to impose an administrative fine of up to R10 million.