The Protection of Personal Information Act, more commonly referred to as the POPI Act, seeks to regulate the processing of personal information.
The objective of the POPI Act is to ensure that the personal information of an individual or a business entity is protected in terms of their right to privacy. Therefore, all South African institutions should conduct themselves in a responsible manner when they collect, process, store and share another entity’s personal information. Should any institution abuse or compromise your personal information in any way, they will be held accountable, and non-compliance could have major financial consequences for their business.
The POPI Bill was signed into law by the President on 19 November 2013; however, only some parts of the act were declared effective on 11 April 2014. The sections that became effective mainly deal with the appointment of the Information Regulator. The Regulator, who has already been appointed, is responsible for research, monitoring, education, compliance and enforcement of the POPI Act.
Furthermore, the Regulations to the POPI Act were published on 8 September 2017 for public comment, with a deadline set for 7 November 2017. A grace period of one year runs from the commencement date of the act, after which the Information Regulator will start enforcing the act.
The POPI Act will soon be law, and it is therefore important that consumers and business owners are aware of their rights and understand their responsibilities in terms of this act.
Examples of “personal information” of an individual include: identity or passport number, phone numbers, email addresses, physical address, gender, race and ethnic origin, photos, video footage, relationship status, criminal record, private correspondence, religious beliefs, employment history, education information, physical or mental health, etc.
According to the act, processing of information is, broadly, anything done with personal information, including collection, usage, storage, dissemination, modification or destruction, whether such processing is automated or not.
It is important to note that this right to protection of “personal information” applies not just to a natural person (individual), but also to any legal entity, including companies, communities and other legally recognised organisations. All of these entities are considered to be “data subjects” and are afforded the same right to protection of their information, whilst you and your company or organisation are also considered “responsible parties” and have the same obligation to protect other parties’ personal information.
The POPI Act sets the following conditions for how personal information can be processed lawfully:
- the capturing of minimum required data, ensuring accuracy, and removing data that is no longer required;
- identifying personal information and taking reasonable measures to protect the data, like tracking the workflow of client documents and ensuring that vital information is not misplaced and does not fall into the wrong hands;
- the party gathering the information has the responsibility to ensure that the information that is gathered is accurate, current and not misleading;
- personal information may only be processed if voluntary, specific and informed consent is obtained;
- a person should have access to his or her own personal information and will have the right to have their data removed and/or destroyed.
The intention of the act is to promote transparency with regard to what information is collected and how it is to be processed. Even though the full act is not yet effective, it is important that business owners start implementing changes to comply with the act as soon as possible. For clients and consumers this might just be the end of all those unsolicited sales calls and spam we receive on a daily basis; however, each person should still take care of and protect their own information.
By: Andri de Jager LL.B