If someone is alleged to be in breach of the POPI Act, a complaint may be submitted to the Information Regulator.
This complaint will be dealt with by an adjudicator. If a person is not happy with the determination of the adjudicator, they can still approach the Information Regulator for another ruling.
Disputes and breaches are covered in great detail in the Act and the Act should be consulted before drawing up Policies and Procedures to handle such matters.
This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013
The Act controls the transfer of personal information from South Africa to foreign countries and prohibits this unless: (section 71)
Section 69 of the Act outlaws direct marketing by means of any form of electronic communication unless the data subject has given their consent. Such an electronic communication obviously includes emails, SMSs and automatic calling machines. A subject can only be approached once to obtain such a consent. Once such consent is refused, it is refused forever.
Slightly different rules apply if the subject is a customer. Here the customer’s contact details must have been obtained in the context of the sale of a product or a service; the direct marketing by electronic communication can only relate to the supplier’s own similar products or services; and the customer must have been given the right to opt out at the time that the information was collected and each time such a communication is sent.
The Act covers Direct Marketing restrictions in great detail and should be consulted before any direct marketing campaign is considered.
Information Regulator
An Information Regulator has been appointed by the President on the recommendation of the National Assembly and is answerable to the National Assembly. There will be a large body of staff working under the Information Regulator.
The Information Regulator’s duties are varied and he/she has the power and authority to handle all matters relating to the POPIA Act.
The Information Regulator must immediately be advised in the event of a breach which resulted in Personal Information falling into the wrong hands.
Any organisation or person who keeps personal information must take steps to prevent the loss, damage, and unauthorized destruction of the personal information. In terms of Section 19, they are also required to prevent unlawful access to, or unlawful processing of this personal information.
All risks have to be identified and then safeguards must be established and maintained against these risks. Regular verification that the safeguards are being effectively implemented is required. Safeguards are to be updated in response to any new risks or identified deficiencies in existing safeguards.
Any person processing personal information on behalf of an employer must have the necessary authorization from the employer to do so. They must also treat the personal information as confidential and not share this information without following the required processes (section 20). The person must have a written contract with their employer in which they are specifically obliged to maintain the integrity and confidentiality of the personal information and to implement the established safeguards against identified risks.
Data Subject Rights
Everyone has the right to be informed if someone is collecting their personal information, or if their personal information has been accessed by an unauthorized person. In addition, they have the right of access to their personal information and to require that personal information be corrected or destroyed, or they may object to their personal information being processed.
The Act does not apply to personal information processed
Personal information can only be processed: (Section 11)
Everyone has the right to object to having their personal information processed. They have the right to withdraw their consent, or object if they can show legitimate grounds for their objection.
The POPIA Act Applies to Everyone
The Act applies to any person or organisation who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.
It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organizing, retrieving, or using such information; or disseminating, distributing or making such personal information available.
The Act will also relate to records which are already in the possession of the entity or person doing the processing.