On 1 July 2020 the main substance of the Protection of Personal Information Act 4 of 2013 (commonly known as “POPI”) came into operation. The Act outlines how parties who handle an individual’s personal information need to protect this information and provides for some severe-sounding sanctions if this is not done. This article will attempt to provide you with a brief overview of POPI: what it intends to achieve, what it requires, what sanctions there are for non-compliance and how this may impact you.
What is POPI?
POPI is an Act that has been passed to give effect to the constitutional right to privacy by protecting how an individual’s personal information is handled, used and recorded. The Act protects a wide scope of information including identifying numbers, contact details, personal opinions and views, race, gender, sexual orientation, culture and financial and criminal records.
The Act predominantly deals with regulating the interactions between a “data subject” and a “responsible party” during the “processing” of personal information
- A data subject is the person/entity to whom the personal information in question belongs and the responsible party is a body which processes the data
- Processing has a very wide definition and includes the collection, recording, storing, dissemination or destruction of personal information – essentially if an activity involves personal information in any way, that activity would fall under the definition of processing
The Act has also established the office of the Information Regulator which is a body that receives and investigates complaints made in relation to non-compliance with the Act.
Section 5 of the Act lists the “Rights of data subjects” which is essentially the rights of individuals in relation to their information. This would be a useful section to read if you would like to be more informed on what your information privacy rights are.
What requirements does POPI introduce for the processing of personal information?
The first thing to note here is that the Act has a 1 year ‘grace period’. So, a responsible party needs to ensure that they are processing personal information in line with the POPI requirements (including those discussed below) before 1 July 2021.
The Act outlines “conditions” for the processing of personal data. These conditions are essentially the requirements that need to be met by a responsible party when they handle personal information and can be summarised as follows:
- The responsible party is accountable for ensuring that personal information is processed in line with the Act and that the information is accurate and relevant
- The Act outlines certain situations in which personal information may be processed. The most relevant situation is that a person’s information may be processed if they consent
- The Act specifically provides that the consent obtained needs to be specific and informed
- Personal information must be collected for a specific, explicitly defined purpose that relates to a function of the responsible party and the data subject must be aware of this purpose when they consent
- The information that has been collected may only be used for the specific purpose for which it was collected, and it cannot be passed on / sold to third parties unless the data subject consents
- The responsible party needs to make sure that the data subject is informed about the collection, retention and use of their personal information
- Security: The Act requires that appropriate, reasonable safeguards are taken to ensure the security and integrity of the personal information
Practical consequences
For the individual, POPI signifies a concrete step forward in attempting to regulate how our personal information is used by private and public entities.
For businesses, the requirements outlined in the Act may mean that the business will need to restructure how they handle information in order to make sure they do not contravene the provisions of POPI. Some practical steps for a business could include:
- Understanding how POPI will impact the business’ email and direct marketing strategies
- Drawing up a POPI plan – creating a document which outlines the internal steps taken by the business to comply with POPI. The Plan should visualise and record the flow of how personal information is processed as it moves through the business.
Enforcement procedures and consequences of breaching POPI
There are a number of sanctions outlined by the Act. These are:
- Civil damages: A data subject or the Regulator may institute an action for civil damages (for a “just and equitable amount”) if one of the provisions outlined in section 99 is breached (includes the “conditions” described above and direct marketing provisions).
- Administrative fines: Administrative fines of up to R10 million are payable by a party who commits an offence in terms of the Act. The offences are listed in chapter 11 of the Act.
- Some offences may result in up to a 12-month imprisonment or fine. These include:
- Processing information that carries a particular risk to the data subject which requires prior approval AND you fail to get approval from the Regulator (section 59)
- Falsely declare compliance with an information orderissued on your organisation by the Regulator
- Some offences may result in up to a ten-year imprisonment or fine. These include:
- Responsible party who fails to meet all the conditions in relation to personal information classified as an “account number” (section 105)
- Failure to comply with enforcement notice issued to you by the Regulator
Written by:
Savanna Kanzler – Candidate Attorney
Should you require assistance kindly contact Stephen Koen at skoen@bissets.com or via:
- Switchboard: 021-441 9800
- Website: bissets.com
- Bissets WhatAapp: 072 370 0416 – our Client Liaison, Tracy, will put you in contact with the relevant professional.