BKM
ATTORNEYS & NOTARIES
ARE YOU PREPARED FOR WHAT “POPI” HAS IN STORE?
- INTRODUCTION
The Protection of Personal Information Act, Number 4 of 2013 (“POPI”) was promulgated in 2013 but has yet to come into force. In anticipation thereof it is imperative that those who collect data and information from and about their customers be POPI compliant as they will only have one year after the implementation of POPI to comply with the set conditions. This adjustment period will allow ‘affected parties’ to make necessary adjustments and communicate with the Information Regulator on issues specific to their industry.
- PURPOSE AND APPLICATION OF POPI
POPI was introduced as a means of regulating the processing of personal information. Section 1 defines processing as “any operation or activity or any set of operations whether or not by automatic means, concerning personal information.” This definition is very broad and includes collection, receipt, storage, modification, dissemination by means of transmission and destruction of information, to name but a few. Businesses that fail to comply with POPI after the first year of POPI coming into force open themselves to penalties including a R10 million fine or 10 years in jail.
- WHO DOES POPI APPLY TO?
POPI has a very wide scope and applies to a responsible party which is defined in POPI as a “public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.” POPI also applies to any person who processes personal information for a responsible party, as defined above, “in terms of a contract or mandate, without coming under the direct authority of the responsible party.”
- RIGHTS CONFERRED ON DATA SUBJECTS:
‘Data subjects’ are defined in POPI as “persons to whom personal information relates.” This does not only relate to individuals but to personal information of companies as well. Section 5 of POPI affords these data subjects various rights relating to the manner in which personal information is received and used. Some of these rights include but are not limited to:
- The right to be notified when personal information is processed;
- The right to be notified when personal information has been compromised or hacked by unauthorised individuals;
- The right to know if a responsible party holds the personal information of a data subject; and
- The right to a record or copy of this personal information. A responsible party may charge a fee for providing access to the record.
- CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
Chapter 3 of POPI sets out eight conditions that allow for lawful processing of personal information which include:
- ACCOUNTABILITY:
The responsible party must ensure that all conditions hereunder are complied with and be accountable for the information that is processed;
- PROCESSING LIMITATION:
Personal information must be adequate, relevant and proportionate to the purpose for which it is processed. Information that serves no specific purpose need not be collected;
- PURPOSE SPECIFICATION:
The information must be collected for a specific, explicitly defined and lawful purpose related to a function of the responsible party. The data subject must be aware of this purpose for the processing of the information. These records must not be retained any longer than necessary to achieve the initial purpose. The data subject may at any time object to the processing of their personal information;
- FURTHER PROCESSING LIMITATION:
This occurs in circumstances where a third party receives information and passes it on to the responsible party for further processing. Once again the further processing must be in compliance with the purpose for which it was initially collected.
- INFORMATION QUALITY:
A responsible party has a duty to ensure that the personal information is complete, accurate, not misleading and updated where necessary considering once again the reason for which the information was collected;
- OPENNESS:
A responsible party must first notify the Information Protection Regulator before processing personal information. The responsible person must inform the data subject of what information is being collected, the name and address of the responsible party collecting the data, the purpose for which the information is collected and whether or not the supply of this information is mandatory or voluntary;
- SECURITY SAFEGUARDS:
The responsible party must take prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information; and
- DATA SUBJECT PARTICIPATION:
The data subject has various rights as set out above.
- CONCLUSION
As illustrated above, POPI imposes various conditions and duties on responsible parties when processing personal information, namely to capture the minimum data required, ensure the accuracy of this data and remove data that is no longer necessary. In turn, data subjects whose personal information is being processed have rights that can be enforced against these responsible parties. POPI ultimately promotes transparency with regard to what information is collected and how it is to be processed.
We hope the above is of interest to you.
Written and prepared by Caitlin Askew
BOUWER KOBELI MORABE
Please do not hesitate to contact us on 011 788-0083 or email enquiries@bkm.co.za should you require legal advice on POPI and the protection of personal information.
“BKM Attorneys – Passionate about Law”