We provide an update on the POPI Act, the POPI Regulations, the coming into effect of the legislation, as well as give some essential information on the application of POPI.
The Protection of Personal Information Act, Act No 4 of 2013 (“POPIA” or “the Act”) was signed into law in 2013. It has not been made effective in its entirety as yet. Some parts, dealing with the appointment of the Information Regulator has been effective for some time. The Information Regulator and its members were appointed in 2016 and is responsible for education on POPIA; they will monitor and enforce compliance with the Act once it becomes effective, and will handle complaints received relating to abuse of personal information.
The Final Regulations to the POPIA were published on 14 December 2018 by the Information Regulator and contains additional administrative information as well as Forms to be utilised in the administrative processes of POPI legislation.
The Regulations published are the Final Regulations for POPI, but will only commence on a date yet to be determined by the Information Regulator which date will be published by proclamation in the Government Gazette. The commencement date of the POPI Regulation will coincide with the coming into effect of the entire Act. As from this date of the POPIA becoming effective, all businesses have a grace period of 12 months to become fully compliant with the Act.
Compliance to the POPIA will be mandatory for most organisations in South Africa. The Act applies to any person or organisation who keeps records relating to the personal information of anyone, unless those records are subject to other legislation, which protects such information more stringently.
‘Personal Information’ is defined in Section 1 of the POPIA and means information relating to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person and includes (but is not limited to) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person; and the name of a person if it appears with other personal information relating to the person or of the disclosure of the name itself would reveal information about the person.
The Act sets minimum standards for the protection of personal information and regulates the “processing” of personal information.
“Processing” includes collecting, receiving, recording, organising, retrieving, or using such information; or disseminating, distributing or making available such information.
POPIA does not apply to personal information processed in the course of personal or household activities, or where the processing authority is a public body involved in national security, defence, public safety, anti-money laundering, or by the Cabinet, or Executive Council of the Province or as part of a judicial function.
In terms of Section 11 of the POPIA, personal information may only be processed with the consent of the data subject, if it is necessary for the conclusion or performance of a contract to which the data subject is a party, if it is required by law or if it protects a legitimate interest of the data subject or if it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.
The Act offers many safeguards regarding using personal data and primarily protects individuals from unsolicited emails and SMS’s for services that they never applied for, as well as against any security breaches that could result in identity theft, when personal information is stolen or offered too freely by third parties.
The aim of the POPIA is to ensure that personal information is collected, managed, kept and disposed of in the correct (prescribed) manner. Personal information is kept in the form of data in databases or systems as well as in the form of documents or records.
POPIA provides for 8 conditions for the lawful processing of personal information in Section 4. These 8 conditions are as follows:
- Accountability: The responsible party must ensure that the conditions and all the measures set out in the Act that give effect to such conditions, are complied with at the time of the determining of the purpose and form of the processing of personal information.
- Processing limitation: personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
- Purpose specification: personal information may only be processed for specific, explicitly defined and legitimate reasons.
- Further processing limitation: personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
- Information quality: The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
- Openness: The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used.
- Security safeguards: personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure.
- Data subject participation: Data subjects may request whether their personal information is being held by a particular business. They may also request the correction or amendment of their personal information or the deletion thereof from the business’ records.
Compliance in terms of these conditions is required and translates to the proper management, retention and disposal of records. In order to achieve this compliance goal, a business should develop and adopt a plan or programme which is structured. This plan will have to be in the form of a manual which should be accessible to any person who wishes to see in what manner your business deal with personal information.
In terms of POPIA requirements, the manual will inter alia make provisions for the way in which records are captured, kept and maintained. Those records (personal information) which are relevant to a specific purpose, may only be kept for the length of time for which they are required and may only be used for the purposes for which they were collected in the first instance. Information/records are required to be kept up to date.
In terms of POPIA, records and information need to be destroyed when their purpose has been served. A disposal programme will have to be incorporated into the manual, to ensure that the required information and records (including records not necessarily typically regarded as personal information records and duplicate records/files) are disposed of timeously and in the correct manner.
POPIA requires that every business appoints an Information Officer. The duties and responsibilities of this Information Officer as well as the designation of responsibilities to deputy information officers are detailed in Sections 55 and 56 of the POPIA. The Information Officer will primarily be tasked with the responsibility to encourage compliance with the conditions for the lawful processing of personal information. He or she will deal with any requests made to or by the Information Regulator. He or she will be tasked with implementing the compliance framework, taking adequate measures and standards to ensure POPIA compliance. He or she will also be responsible for conducting preliminary assessments to determine the need and requirements, and develop the manual required (POPIA and PAIA), have it inspected and lodged with the Information Regulator. The information officer also has to implement measures and systems to process requests for or access to personal information and provide POPIA awareness training in his or her business.
The Information Officer has to be registered as such, by his or her business (or employer), with the Information Regulator, after which he or she will be allowed to act as and perform the duties of an Information Officer.
The Act provides for the rights of data subjects. All data subjects have the right to have his or her or its personal information processed in accordance with the conditions for the lawful processing of personal information and the Act elaborates quite succinctly on the various rights data subjects are entitled to in subsections 5(a) to (i). Everyone has, amongst other rights, the right to know if someone is collecting their personal information, or if their personal information has been accessed by an unauthorised person.
Compliance with the POPIA will be enforced by the Information Regulator and non-compliance will be penalised. In Chapter 10 (Sections 73 to 99) of the Act, the way in which compliance may be enforced, is clearly set out.
The Proclamation bringing this legislation into full effect is expected soon, and every business should equip themselves with the necessary knowledge to effectively comply within the time limits that will be set by the Information Regulator.
For any further information on POPI or the POPIA you can contact Lorraine Oosthuysen at email@example.com.
- Protection of Personal Information Act No. 4 of 2013, Government Gazette Vol 581, 26 November 2013
- www.justice.gov.za/inforeg/ (Information Regulator (South Africa))