The Protection of Personal Information Act (“POPIA”) – Fast Facts


(Approximate reading time: 5 minutes)

The protection of data, data privacy and the processing of personal information came under the spotlight in 2019 when the United States Judiciary Committee called witnesses to testify about data breaches and general data privacy issues at Facebook.  The issue related to Facebook’s sale of the private data of millions of users to certain companies, most notoriously Cambridge Analytica.  While the Facebook trial brought the issue of data privacy to the forefront, the issue and the fundamental right to privacy are not new and have become a global concern.

The Protection of Personal Information Act 4 of 2013, often referred to as the POPI Act or POPIA, was assented to by Parliament on 19 November 2013 to address the issue of data protection in South Africa and give effect to the constitutional right to privacy which includes the right to privacy in a borderless digital environment.

Until recently, only certain sections of POPIA were in effect.  On 22 June 2020, however, the President announced that, as from 1 July 2020, further sections would come into force.  Most importantly, any person defined as a “responsible party” or “operator” will have 12 months from 1 July 2020 to become compliant with POPIA.

This article provides brief facts regarding POPIA and its application as a starting point in the process of businesses becoming compliant.

What is POPIA?

POPIA is South African legislation which, when it becomes fully operative, will regulate the collection, storage and dissemination of personal information.  The purpose of POPIA is, inter alia, to promote the protection of personal information processed by public and private bodies and thus give effect to the constitutional right to privacy enshrined in Section 14 of the Constitution.

What is Personal Information?

Section 1 of POPIA defines personal information as information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person which includes –

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the educational, medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is of a private or confidential nature;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person.

To whom is the POPIA applicable? 

POPIA applies to all persons who process personal information in South Africa and applies to automated and non-automated information gathering which will form part of a filing system or is intended to do so.  An example of such information gathering would be the completion of an online form or the collection of personal information in order to open an account, where the account data will then become part of a data filing system.

The scope of application of POPIA is broad: it applies to every public and private body that processes personal information in South Africa and includes, for example, profit and non-profit companies, sole proprietors, partnerships, trusts, SMEs, large corporations, government entities, foreign companies and insurers (responsible parties), as well as any person, business or entity that processes personal information on behalf of such persons (operators).

How to comply with the POPIA?

While it is important to note that POPIA compliance is not a ‘tick-box’ exercise and non-compliance can have serious consequences, the following are examples of rudimentary measures to ensure that personal information is protected against loss or unauthorised access.  Responsible parties should:

  • appoint an information officer;
  • identify and assess the nature and extent to which personal information is processed;
  • identify current POPIA compliance gaps in processing procedures and processes;
  • prepare a POPIA compliance framework and POPIA compliance policies and procedures;
  • conclude written agreements with appointed operators of personal information to ensure that the operator establishes and maintains the necessary security measures; and
  • provide training to employees regarding applicable POPIA obligations and the implementation of the compliance policies and procedures.

(Note: The information officer for any private company will, by default, be the CEO of that company unless the CEO has authorised another person to fulfil the role of the information officer.)

What is the deadline for POPIA compliance?

POPIA provides for a grace period of 12 months from the date of commencement, being 1 July 2020, for responsible parties and/or operators to become fully compliant.  The deadline for compliance will therefore be 1 July 2021.

What are the consequences of non-compliance?

In terms of section 107, non-compliance with POPIA may result in administrative penalties or fines of up to R10 million and/or imprisonment of up to 10 years.

The process of planning, integrating and implementing the requirements of POPIA will be time consuming and often unique to each business, since different businesses use different systems and processes to process personal information.  Although POPIA provides for a grace period, it is prudent for persons and/or businesses who process personal information to start as soon as possible to ensure that compliance is achieved within the allocated period.  In addition, businesses which, as part of their daily operations, actively process personal information should consider engaging an expert to assist and guide them through the compliance process.

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)
