POPI: Protection of Personal Information Act 4 of 2013
The 5 things you need to know
Everyone seems to know the word, but not many know what to do with it…
One of the buzz words in law in the last year or two has been “POPI”. For those who are not yet acquainted with this word, it is the Protection of Personal Information Act 4 of 2013.
This is not to be confused with the Protection of State Information Bill, commonly referred to as the Secrecy Bill. While the Secrecy Bill pertains to state information, POPI deals with a person’s personal information on all levels. POPI is intended to put South Africa on par with international standards as it complies with international data protection standards, and should therefore be an asset for the commercial world as it will serve to promote trust from consumers and foreign business partners.
So what do you need to know about POPI?
1. Does POPI apply to you?
The act has a very broad application, and applies to all processing of personal information.
‘Processing’ is defined in the act as ‘the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as restriction, degradation, erasure or destruction of information’.
Therefore, it comes down to the question of whether you come into any contact at all with personal information. If you receive an email from a person, you have received personal information, and POPI might apply to you.
The question that therefore begs to be asked, is what would be regarded as personal information? Would an email address and a name be enough?
The definition of personal information in the act is also very broad, and a safe approach to follow, would be to assume that any information that relates to a person, is personal.
A few examples of what is included in the act, would be information relating to race, gender, age, language, birth, religion, education, medical or employment history, identifying number, email address, telephone number, personal opinions, views or preferences, correspondence that is private, the views of another individual about that person, and the name, if it appears with other personal information or if the name itself would reveal information.
It is necessary to specifically note that even personal opinions, as well as information that might seem mundane, like education or language, are regarded as personal information, and should be handled in accordance with the requirements of the act.
Therefore, if you do any type of business, you can assume that POPI does apply to you.
2. To what and whom does POPI not apply?
There are a few exclusions in the act to which POPI does not apply.
There are about 8 different exclusions, and broadly one can say that POPI does not apply to the processing of personal information in the course of a purely personal and household activity; information that has been de-identified to the extent that it cannot be re-identified again; by or on behalf of a public body which involves security, or the prevention or prosecution of unlawful actions; processing by the Cabinet, or processing for the judicial functions.
POPI also does not apply to the processing of personal information solely for the
purpose of journalistic, literary or artistic expression to the extent that such an exclusion
is necessary to reconcile, as a matter of public interest, the right to privacy with the right
to freedom of expression.
Unfortunately the act does not provide definitions or examples of any of the exclusions, and it will be up to the courts or the regulator to clarify what would fall within the perimeters of the exclusions.
One might assume though that an example of an exclusion under the personal and household use exemption, would be an address book which is kept at home of all friends and relatives’ details, or a birthday calendar kept at home. If such an address book would be used to advertise a product or service, however, it would no longer be exempted.
3. What must you do to comply?
The act provides for 8 conditions for processing personal information. These 8 conditions are:
- Accountability – the responsible party must ensure compliance with the act;
- Processing limitation – information must be processed lawfully, only necessary minimal information may be processed, and there must be grounds, as specified in the act, for the processing, for example consent, performance in terms of a contact, or for pursuing a legitimate purpose.
- Purpose specification – there must be an explicit and defined purpose for the processing, and data may not be retained or processed if it cannot be justified by the purpose.
- Further processing limitation – further processing must be compatible with the original purpose. If there is a new purpose, you need new grounds, for example, fresh consent.
- Information quality – reasonable steps must be taken to ensure that information is complete, accurate and updated.
- Openness – the responsible party are required to provide the data subject with a complete list of details, for example the information of the responsible party, the purpose of the processing, whether information will be transferred to a third party and what their regulations are, etc. There are grounds for non-compliance, such as consent, or where it is not reasonably practical, or where non-compliance is necessary.
- Security Safeguards – measures must be taken to ensure the integrity and confidentiality of information, and data subjects must be notified of any compromises.
- Data subject participation – the data subject must have access to the information, and must have the ability to correct information.
Furthermore, the act requires specific consent or existence of specific grounds, such as an obligation in law, to process any special information, which includes information concerning the religious beliefs, race, trade union membership, political persuasion, health or sex life, or criminal behaviour.
4. What happens if you do not comply?
Penalties for non-compliance can be a fine of up to R10 million, or 10 years in jail, or both.
However, the most prevalent effect may be the damage to your reputation. Compliance with the act promotes security of information. Should data leak from your safekeeping, due to your non-compliance, the biggest effect would probably be reputational damage. Most of the time when there is a major confidentiality breach and personal information leaks, it is covered by the media.
5. When must you comply?
The act has been promulgated, and the sections that pertain to the regulatory bodies are already in force. However, the remainder of the act is not yet in force, and it is uncertain when the enforcement date will be.
It is advisable however, to start implementing processes and policies with regards to personal information in anticipation of the act. It will most probably be a process to get to a point of full compliance with the act on all levels in your business, and it is therefore best to start now. Most importantly, when processing information, you are often trusted with a person’s most personal details, which can have devastating consequences should it fall into the hands of the wrong people. It is therefore extremely important that all information be kept safe, and all processes be examined and the integrity and safety improved.
If you only take 3 things from this post, let it be the following:
- If you are processing information in a lawful manner and for a lawful reason, POPI would most probably not prevent you from doing what you are doing now, it will only regulate HOW you do it.
- POPI is not fully in force yet, but it is better to start complying now, in order to avoid any penalties, or to avoid reputational damage.
- You can start in a simple way by implementing one measure for each of the 8 conditions, and then gradually improving on each one. But most importantly, it is advisable that you focus on the security of data, by deleting data when no longer required, password protecting devices, encrypting electronic data, and locking all physical documents in a safe place.
If used as a guideline and implemented in a positive manner, POPI can be an asset to your business. Compliance with the act will provide piece of mind to you and your clients that your company should not be the source of any leaked data.