WHAT IS POPI?
The Protection of Personal Information Act, 2013 (Act 4 of 2013) (“POPI”) has been partly in effect in the background for some time and has now become a practical reality. POPI was signed into law in November 2013 and its first sections commenced on 11 April 2014. Following this, the legislature adopted a system of incremental implementation, bringing further sections of the Act into operation over a period of time.
POPI is intended to give effect to Section 14 of the Constitution, which entrenches every person’s right to privacy. POPI promotes the protection of personal information processed by both public and private entities (referred to as ‘responsible parties’) and balances the privacy rights of the persons whose information is processed (referred to as ‘data subjects’) against the right of access to information.
WHAT IS COMING INTO EFFECT AND WHEN?
Sections 2 to 38; sections 55 to 109; section 111; and section 114(1), (2) and (3) commenced on 1 July 2020, while sections 110 and 114(4) commence on 30 June 2021. The sections which came into effect on 1 July 2020 are the essential parts of the Act and relate to the following:
- The conditions for the lawful processing of personal information;
- The regulation of the processing of special personal information;
- Codes of conduct issued by the Information Regulator;
- Procedures for dealing with complaints;
- Provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act.
Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, conform with the Act. This means that entities (both private and public) have a one-year grace period and must be fully compliant with the Act by 1 July 2021.
Sections 110 and 114(4), which deal with the amendment of laws and the transfer of functions regarding the Promotion of Access to Information Act from the South African Human Rights Commission to the Information Regulator, will only come into effect on 30 June 2021.
WHO MUST COMPLY?
POPI places various obligations on the ‘responsible party’, which is the person ultimately responsible for the lawful processing of personal information. Where responsible parties use third parties to process personal information, they must ensure that such third parties also meet the requirements of POPI for lawful processing of personal information. This may require you to look at your contracts with third parties carefully to ensure that they are accountable in terms of POPI.
Any natural or juristic person who processes personal information, including companies and government, is required to comply with the Act. Examples include doctors, lawyers, schools, homeowners’ associations, call centres and banks. As one can see, POPI has far-reaching consequences and its application is possibly wider than first assumed.
THE KEY AREAS THAT YOUR BUSINESS SHOULD FOCUS ON TO ENSURE COMPLIANCE
The Act sets out 8 conditions for the lawful processing of personal information (commonly referred to as the POPI principles) with which businesses must comply.
- Accountability; an information officer should be designated whose main role is to ensure that POPI is complied with and that the necessary controls are in place to protect personal information. This principle confirms that the obligation of compliance is placed on the “responsible party”.
- Processing Limitation; the collection and processing of information must be lawful and justified for the purpose for which it was collected. The Act recognises several justifications, of which the data subject’s consent is the most common, and the information should be collected directly from the data subject unless an exception in the Act applies. Businesses will have to consider why the information they are processing is required and how much, or what type of, information is really necessary; only the minimum information that is relevant and necessary for the purpose may be processed.
- Purpose Specification; the information collected should be for a specific, explicitly defined and lawful purpose and the data subject must be informed of this purpose.
- Further Processing Limitation; any further processing of information must be compatible with the purpose for which the information was originally collected. Where the further processing is not compatible with that purpose, it requires a fresh justification, for example the data subject’s consent, and the data subject should be informed of it.
- Information Quality; a business should ensure that the personal information collected is complete, accurate, up to date and not misleading. Businesses must verify information received, use only information from reliable sources and maintain information in a way that is not misleading.
- Openness; a business should be candid and open about its collection of information. Businesses must document all of their processing operations (in the manual required under the Promotion of Access to Information Act) and, where the Act requires prior authorisation for a particular kind of processing, must notify the Regulator before that processing begins. In addition, the responsible party must take reasonable steps to ensure that the data subject has been informed that their personal information is being collected, the purpose of the collection, where this information can be accessed and corrected, and the consequences of failing to provide the information.
- Security Safeguards; a business must ensure that any personal information which it collects is secured through appropriate, reasonable technical and organisational measures. This principle requires responsible parties to secure the integrity and confidentiality of personal information in their possession or under their control. Where a third party (an ‘operator’) processes information on the responsible party’s behalf, the Act requires a written contract obliging the operator to maintain these safeguards. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Regulator and the affected data subjects (section 22).
- Data Subject Participation; the person whose information is collected is entitled to request that the business confirm whether it holds their personal information, and he/she may request a description of such information. It also gives the data subject the right to access information held about them, and includes the right to request correction of inaccurate information as well as details of persons who may have had access to the personal record. As a result, businesses must keep up-to-date, accurate records of all information processed and collected.
CONSEQUENCES OF NON-COMPLIANCE
The responsible party may face two possible legal consequences for non-compliance with the Act. The first is a penalty: the Regulator may impose an administrative fine of up to R10 million and, on criminal conviction, a responsible party may be sentenced to a fine or imprisonment of up to ten years (or up to twelve months for lesser offences). The second legal consequence is the responsible party having to pay compensation to data subjects for the damage they have suffered due to the responsible party’s non-compliance with the Act. Other considerations when contemplating non-compliance with the Act include reputational damage, the loss of customers (and employees), as well as the failure to attract new customers.
It is important to ensure that you are POPI compliant in order to avoid the consequences mentioned above. Please feel free to contact us for advice regarding POPI, to draft information security policies, or review and advise you on any of your contracts.
Fiona Worwood [Candidate Attorney]
Jordan Smith [Director]