The South African Protection of Personal Information Act (POPI) will officially be enforced on 1 July 2020.
The purpose of this legislation is to protect the personal information of citizens, which is obtained and processed by both public and private institutions, and also attempts to balance the right to privacy with other rights such as access to information.
This Act has been implemented for a number of years and many parts of it has been in working since April 2014.
Sections 2 until 38; 55 until 109; section 111; and section 114 (1), (2), and (3) will be in effect from 1 July.
Other parts of the Act such as section 110 and 114 (4) will only be in effect from 30 June 2021.
What is personal information?
Personal information is a broad term and relates to an identifiable, natural or legal entity and includes, but is not limited to:
- Contact information – telephone number, email address etc.
- Private correspondence
- Biometric information – blood group etc.
- Demographic information – age, gender, race, date of birth, ethnicity etc.
- Opinions of and about a person or group
- History – employment, financial information, medical history, criminal history as well as educational history
The POPI Act applies to every business in South Africa (even international companies that does business in South Africa) that collects, uses, stores or destroy personal information from a data subject (the natural or legal entity to whom the information belongs), whether or not such processing is automatic.
What are the obligations of businesses under the POPI-Act?
Some of the obligations include:
- To only collect information for a specific purpose;
- to ensure that the information is relevant and up to date;
- to have reasonable security measures in placer to protect the information;
- to only keep the necessary information; and
- to allow the data subject to obtain or view his or her information on request.
Examples of activities by companies that violate the POPI Act include collecting email addresses via a webform, saving a list of clients’ addresses, sending marketing messages or communication to people.
Legal processing of personal information
What is processing?
Processing involves anything that is done with personal information and includes the collection, use, storage, dissemination, modification or destruction of personal information (regardless of whether the processing is automatic).
The POPI legislation consists of the following important information processing principles:
- Accountability: Businesses must ensure that the information processing principles are adhered to.
- Processing restriction: Processing must be done lawfully, and personal information may only be processed if it is sufficient, relevant and not excessive given the purpose for which it is processed.
- Specific purpose: Personal information must be collected for a specific, and defined and legal purpose in relation to a function or activity of the business concerned.
- Transparency: Certain prescribed information must be provided to the data subject by the business, including the information collected, the name and address of the responsible party, the purpose for which the information is collected and whether the information provided by the data subject is voluntarily or mandatory.
- Further processing restrictions: This is where personal information of a third party is received and transferred to another responsible party for processing.
- Security measures: The business must protect the integrity of the personal information in its possession and under its control by ensuring that measures are in place to prevent loss of, damage to or unauthorised destruction of personal information.
- Data subject participation: A data subject has the right to: request personal information that the business holds for free; 2. update or destroy personal information that is incorrect, irrelevant, superfluous, misleading or unlawful; and 3. destroy a record of personal information that is unnecessary for the business to keep.
May personal information be sent abroad, and can information be sent back to South Africa?
The answer is yes, but there are restrictions that will depend on the laws of countries to which the information is sent and where the information comes from. It is especially cloud-based systems that can cause problems with POPI.
Should businesses provide an opt-in or opt-out option for direct marketing?
Every business should use an opt-in and opt-out option when contacting a data subject for marketing purposes. Many companies already offer the option when sending messages via SMS and many emails sent to data subjects for marketing purposes offer the option to dele the data subject’s email address. This option must be offered so that the data subject understands what he or she consents or objects to.
How long may personal information be kept by a company?
Any person’s information may not be kept longer than necessary to achieve the purpose for which it was collected.
Can a business that violates the POPI Act get into trouble?
The POPI Act has strict regulations that every company must comply with and depending on the nature of the offense, businesses as well as individuals can be punished. Offenders can be fined up to R10 million and can even be jailed.
Each business has 12 months (from 1 July 2020) to fully comply with this Act.
According to the law firm, DLA Piper, companies will need to pay attention to the following aspects to ensure they are on the right side of the law:
- Reviewing and updating all customer, supplier and third-party agreements
- Implement technical and organisational measures to protect and prevent unauthorised access to and obtaining of personal information
- Preparation of consent documentation and private notices
- Reconsider and/or implement measures for identified boundary flow of personal information – seek prior information from the Information Regulator and implementation of data transfer agreements
- Developing a culture of privacy by training staff, updating and implementing of policies and procedures, and implementing awareness campaigns
- Implementing a data breach and incident response plan and policy
- Implementing a data access management system for the data subject in accordance with the POPI and PAIA legislation
According to Elizabeth de Stadler, an expert on consumer law and co-author of, among other things, A Guide to the Protection of Personal Information Act, the Act means that the public has somewhere to complain if they believe a company obtained their information with their knowledge or is doing something with it that they have no control over. According to de Stadler this Act protects the public from troublesome call centres and against data theft. She believes that this legislation will make it much harder for companies to access your data and even buy it.
The Information Regulator (IR) has been appointed by the President on the recommendation of the National Assembly and is responsible to the National Assembly. The duties of the Information Regulator are diverse and he or she has the power and authority to handle all matters relating to the POPI Act. For more information on the Information Regulator, please visit https://www.justice.gov.za/inforeg/index.html