The Enforcement of the Protection of Personal Information Act, No. 4 of 2013 (“POPI”)
What is POPIA?
POPIA (“the Protection of Personal Information Act”) is South Africa’s data privacy law. Its long-awaited operation came into effect on 1 July 2020 with a grace period of 12 months to comply, although some of its sections had commenced in 2014.
POPIA is intended to ensure that entities that collect personal data (referred to in the Act as “Responsible Parties”) revamp their policies by putting in place measures that encourage responsibility and transparency in the handling of personal information. It is South Africa’s answer to the European Union’s General Data Protection Regulation (“GDPR”), and it gives effect to section 14 of the Constitution which provides that everyone has the right to privacy.
What is personal information?
Personal information is a broad term that relates to the information of an identifiable natural or legal entity and includes, but is not limited to:
- Contact information – telephone number, email address etc.
- Private correspondence.
- Biometric information – blood group etc.
- Demographic information – age, gender, race, date of birth, ethnicity etc.
- Opinions of and about a person or group.
- History – employment, financial information, medical history, criminal history as well as educational history.
What does POPIA do?
POPIA is intended to safeguard personal information while balancing the right to privacy against other rights such as access to and the free flow of information. It applies to every business in South Africa (even international companies that do business in South Africa) that processes, i.e., collects, uses, stores or destroys personal information that belongs to any natural person or legal entity, whether such processing is automatic or not.
How to comply with POPIA
Compliance with POPIA means that Responsible Parties must adhere to POPIA in the processing and gathering of personal information in general and, in particular, to the eight conditions provided in its regulations, namely:
- ‘Accountability’, which requires that data collection procedures and measures be aligned with, and aimed solely at, compliance with the Act.
- ‘Processing limitation’, which restricts the gathering of information to the purpose for which it is collected, coupled with consent for that particular purpose.
- ‘Purpose specification’, which requires that the data subject know the exact and explicit purpose for which personal information is required.
- ‘Further processing limitation’, which places an obligation on the Responsible Party to request further authorisation should the purpose for which the information was initially collected substantially alter. Further authorisation is, however, not necessary for ancillary purposes that fall within the ambit of the original authorised purpose.
- ‘Information quality’, which requires that the collected information be validated so that it is accurate, complete and not misleading.
- ‘Openness’, which requires that the data subject be aware that their information is being collected and be given clear reasons why.
- ‘Security safeguards’, which require the Responsible Party to put measures in place to prevent unauthorised access, disclosure, modification and destruction of the gathered information.
- ‘Data subject participation’, which demands that the data subject be involved in the collection, amendment or deletion of their data.
It is important that Responsible Parties put measures in place to fully comply with POPIA prior to the lapse of the 12-month grace period. POPIA aims to eradicate the unlawful processing of personal information and it remains to be seen how successful it will be once implemented.
In the meantime, it is advisable that companies ensure that their terms and conditions, particularly their privacy policies, comply with POPIA.