What is South Africa’s POPI Act?
As the name would suggest, personal information is not something we generally want strangers to have access to. Just imagine the kind of stress it would cause to have shadowy figures learning about your address or details about your family. Perhaps even more terrifying is the fact that some social media companies are in the habit of cataloguing everything from your likes and dislikes to your political opinions and religious views. Maybe you’ve given them this information voluntarily, but what happens if they get hacked and your personal information becomes public knowledge? This is where the Protection of Personal Information Act comes in. But what is it and what does it mean for you?
The Protection of Personal Information Act (commonly abbreviated to POPIA) is mainly designed to ensure that personal information is properly processed and protected by public and private parties. It’s also a big fan of alliteration.
Simply put, this act identifies when personal information can be legally processed and ensures that the groups which process it are properly collecting and safeguarding that data so that it isn’t misused and doesn’t fall into the wrong hands.
To use an example, when dealing with the personal information of their patrons, a bank would have to follow certain guidelines and regulations identified in the act to guarantee that –
- They are collecting the minimum amount of information necessary for their specific purposes.
- Processing is done legally and in a reasonable manner that does not infringe upon the privacy of the data subject.
- They have taken all necessary steps to prevent a data breach and/or the misuse of information.
Additionally, the act helps us to understand what we mean by personal information and how consent works in these situations.
What is Personal Information?
Personal Information is an umbrella term that covers a wide range of categories. Most notably, the term includes, but is not limited to –
- Information relating to race, gender, social origin, age, religion, culture, etc.
- Personal opinions, views, etc.
- Biometric information
- Address, telephone number, e-mail, etc.
How does Consent work?
Personal information can only be legally processed in certain scenarios and when certain prerequisites have been met. Some of these instances include, but are not limited to –
- When consent is given by the data subject
- In cases involving children, when a competent person gives consent
- When the processing is necessary to complete certain functions relating to a contract that includes the data subject as one of its established parties.
- When the processing is necessary for the proper performance of a public law duty of a public body
How does this affect me?
When dealing with personal information processing, the act identifies 3 main role players. Depending on which group you belong to, the act could affect you in different ways. We’ll use the example of a bank/customer relationship again to understand these roles.
- The Data Subject – This is the person to whom the information relates. If, for example, you give your telephone number to the bank, you are the data subject related to that personal information. The act affords many protections and rights to data subjects to ensure that their information is properly safeguarded.
- The Responsible Party – This group determines the purpose of, and the means for, personal information processing. The bank, for instance, would be the responsible party in this scenario and would have to follow a long list of POPIA rules. Just keep in mind that a single individual processing personal information can still be considered the responsible party.
- The Operator – This is the group or individual that processes personal information for the responsible party, usually as part of a contract, without coming under the direct authority of the responsible party. In this case, we can imagine an IT company which specialises in information processing and which is contracted by the bank. Once again, there are various rules in the POPIA for the operator to follow. For example, the operator is required to notify the responsible party of a potential data breach when they believe one has occurred.
Do I need to Register my Business for POPIA?
Any organisation or individual that can be considered a Responsible Party will need to appoint and register an Information Officer with the Information Regulator. It is the responsibility of this information officer to ensure that the organisation is POPIA-compliant. This process can be done either online or physically via the Information Regulator offices.
Making sure that your business is POPIA-compliant is going to be quite difficult as there are many nuanced standards that have to be met. Besides appointing and registering an information officer, you should also do things like –
- Draft/update your company’s POPIA policy and practice manual
- Set up training courses for the relevant staff members who deal with personal information
- Ensure that you have the relevant authorisation for the processing of different types of personal data
- Receive written assurance from your IT department/contractors that all safety systems/protocols are up to date and in working order
Certain cybersecurity groups offer POPIA-compliance assessments and can help you make sure that you have checked all the necessary boxes.
What are the Penalties for Non-compliance with POPIA?
Failures to comply with POPIA standards normally come to light after a data breach has occurred. In most of these scenarios, the responsible party is ordered to pay compensation to the data subjects whose personal information was misused. That said, more serious cases may see fines of between R1 million and R10 million for the responsible party and even prison sentences of between 1 and 10 years.
For many companies, however, the true damage is done to their reputation and they often end up losing business in the long run.
Who is POPIA Applicable to?
In our digitally connected world, POPIA applies to everyone. It provides rules and regulations for those who process personal information (whether they do it personally or hire others to do it for them), and it provides key protections for everyday individuals whose data could be at risk.
In Conclusion – What is POPIA and how does it Affect Me?
POPIA refers to the Protection of Personal Information Act and is essentially the South African version of the EU’s GDPR, although there are some important differences.
At its core, POPIA regulates the processing of personal information to ensure that everyone’s data is properly safeguarded and is at less risk of being stolen or misused. It does this by establishing various rules and guidelines that groups and individuals must abide by when processing personal information to ensure that the bare minimum level of protection has been put into place.
In the same way that cyclists are forced to wear helmets, data processors need to set up things like firewalls, anti-virus systems and back-ups to maintain a level of POPIA compliance.
The act also provides protection and rights to individuals whose personal information may be at risk – such individuals are known as Data Subjects.
The term ‘Personal Information’ covers a wide range of topics ranging from your race and gender to your religious and political views. Oftentimes, groups will need to receive your consent before they process this personal information, although this may be bypassed in certain scenarios, such as when it is required to complete a contractual function or when it is necessary for a public law duty of a public body.
The act differentiates between 3 main groups, namely –
- Data Subjects – Those to whom the data relates
- The Responsible Party – Those who determine the reasons for, and means of, personal information processing
- The Operator – Those who process personal information for the responsible party without coming under their direct authority
Groups or individuals who can be considered a ‘Responsible Party’ are required to appoint an information officer and register them with the Information Regulator. This individual is then required to ensure that the company is POPIA-compliant.
Becoming POPIA-compliant can be challenging and can include duties such as the establishment of training courses for information processors as well as receiving formal written assurance from IT divisions that certain protections are in place and working. Luckily, many cybersecurity groups exist which specialise in assessing the compliance of businesses and ensuring that they have the necessary protections in place.
Disclaimer LAW101: All of our posts are for research purposes only. Law 101 aims to assist its readers with useful information on the laws of our country that can guide you to make decisions in line with the South African Governmental Laws currently in place. Although our posts cite the constitution in many instances, they are intended to assist readers who are looking to expand their knowledge of the law. Should you require specific legal advice we advise you to get in touch with a qualified legal expert.