What POPIA means for business
The POPI Act ensures that the right to privacy is taken seriously and includes a data subject's right to be protected against any unlawful collection, retention, dissemination and use of their personal information.
Companies are required to obtain consent from individuals before they can collect, retain and process personal information for communication or any other purpose. Under the "Conditions for lawful processing", the definition of "Personal Information" includes contact details, demographic information, personal history, as well as communication records.
The POPI Act highlights the need for a greater understanding of the manner in which personal information is stored and processed. This means that the systems, the processes, and how logical and physical access is maintained and managed for the systems and areas housing personal information all need to be considered.
Protection of Personal Information requires extra vigilance in all aspects of physical and information security. The basis of the POPI Act is to protect personal information and prevent it from being exposed to unauthorised persons. This implies an obligation to protect information relating to individuals and juristic entities from any harm, including financial fraud, identity theft, misuse and abuse of personal information.
The POPI Act requires that a set of streamlined processes and systems must be established that can easily identify where personal information is stored, understand how this information is processed physically and electronically, who has access to this information, as well as for what purpose it is required.
This article must be read in conjunction with the POPI Act, which can be downloaded from Act No. 4 of 2013: Protection of Personal Information Act, 2013.
KEY DEFINITIONS
“data subject” – a person to whom personal information relates.
“direct marketing” – sending a data subject an electronic communication about goods and services that you are promoting or offering to supply in the ordinary course of business, or requesting a donation of any kind for any reason.
“processing” – any operation or activity concerning personal information.
“record” – any recorded information, regardless of when it came into existence.
“responsible party” – a public or private body or any other person which determines the purpose of and means for processing personal information.
For a full list of definitions, please refer to the POPI Act, which can be downloaded from Act No. 4 of 2013: Protection of Personal Information Act, 2013.
The POPI Act (POPIA) is just one of many Acts that govern South African law. When looking at the requirements of the POPI Act, the requirements of other Acts should also be taken into consideration.
The Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA) hold a special relationship. Both can be seen as "information" laws, and each sits at one end of a continuum. On the one end, PAIA is an "Access" law, all about Freedom of Information. POPIA, on the other end, is about Privacy: prevention of exposure of information. They shouldn't be seen as competing; rather, both are there to help ensure that information is managed correctly.
Below are some of the other Acts that may impact the POPI Act compliance process.
In addition to these Acts, other industry-specific Acts, Regulations and Codes of Practice should be considered. In particular, the King Report on Corporate Governance (King III and IV) should be considered.
Failure to comply with the requirements of the POPI Act could have dire consequences. Although one cannot and shouldn't shy away from the legal aspects of the Act, POPIA should be seen as an opportunity to identify, clean up and manage information better, and in doing so, improve business processes. Don't fall into the trap of implementing POPIA just to meet your compliance requirements.
Download the Act and draft regulations and become familiar with them.
Review all the pages on this website and keep in touch as this will be updated frequently.
Add yourself to our "keep-up-to-date with POPIA" mailing list. In keeping with the spirit of POPIA, we promise not to spam you or abuse your information.
Appoint an Information Officer and ensure that he is aware of his roles and responsibilities.
Make decision makers and key personnel in your organization aware that the law has changed in accordance with the POPI Act and the severe consequences of non-compliance.
Conduct a current status risk assessment / information audit to establish data protection compliance level.
Document what Personal Information you currently hold, where it comes from, how it is to be used and who you share it with.
Produce a POPI Act policies and procedures manual and ensure that everyone who deals with Personal Information is aware of the legal implications of this Act. This manual is to include your organization's privacy policy with regard to:
Put procedures in place to monitor and enforce compliance.
“POPIA” THE PROTECTION OF PERSONAL INFORMATION ACT
The POPI Act is a new all-inclusive piece of legislation, a privacy law, that safeguards the integrity and sensitivity of private information. Companies are required to carefully manage the data capture and storage process of Personal Information.
The definition of Personal Information as set out in the POPI Act is as follows:
"personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
The Act ensures that Personal Information of both individuals and juristic entities is sufficiently protected, used in a manner for which it was gathered and that facilitates transparency around the following: