by Nicozaan Finestone-Jordaan
Companies worldwide, from small to international businesses, are realising that information is an important strategic asset. Businesses are devising new ways of collecting and leveraging information to their and their clients’ benefit. Client information gives businesses access to client behaviour, preferences and needs.However, holding personal information also has a flipside – in the wrong hands, sensitive, personal information can be traded and used by criminals to the detriment of the business and the individual.
Information breaches, such as that faced most recently by Liberty, are a cause for concern to both business owners and consumers. Consumers are becoming more aware of the importance of their information and who they choose to share it with. They want to know what information is collected, how it is stored and processed, and with whom it is shared.
In line with international best practices and regulations, such as the EU’s General Data Protection Regulation (GDPR), South Africa introduced legislation to regulate the collection, processing and storage of personal information. The Protection of Personal Information Act (POPIA) was introduced during 2014 to regulate the processing of personal information by private and public entities. Only certain provisions of POPIA came into operation, such as the establishment of the Information Regulator, who will oversee adherence to the Act. The provisions of POPIA dealing with the processing of personal information are expected to come into operation early next year. Entities will be granted a year’s grace to get their affairs in order, to comply with POPIA.
The purpose of POPIA
The purpose of the Act is to promote the protection of personal information processed by private and public bodies and to establish the minimum requirements for the processing of such information.
Information protected by POPIA
The personal information processed (for example, collected, stored, used, shared, archived) of any individual or a juristic person (for example, a company) will be protected under POPIA.
Personal information would include a person’s name, surname, identity number, age, address, and so forth. There is also a specific category of information, called special personal information, that includes information about children and other sensitive information (for example, religious or political beliefs and race) and provides for even stricter requirements for the processing of that information.
POPIA identifies certain conditions for the processing of personal information. These include:
- A person whose personal information is collected must give his, her or its consent (subject to certain conditions) and be made aware of what information is collected and what it will be used for (the purpose).
- Personal information may only be collected in a lawful manner, and the information collected is limited to only that which is really required for a specific purpose.
- The personal information collected may not be used for any other purpose, unless express consent is obtained from the person.
- The above personal information may only be kept for as long as reasonably necessary to achieve the purpose for which it was collected (subject to certain legislation).
- The party who decides what personal information to collect remains responsible for the processing thereof and must put security measures in place to protect the information.
- The party who collected the personal information must ensure that the information is at all times accurate, complete and updated where necessary.
- The person whose personal information has been collected has the right to request access to information held about him or her and also that such information is corrected, updated, or deleted.
Implications for businesses
POPIA places an obligation on anyone collecting personal information to deal with that information in line with the requirements as set out in the Act. Considering that you collect, process and store vast amounts of personal information on a daily basis, it is of vital importance that you get acquainted with the requirements of POPIA and start planning how you will adapt your processes to ensure compliance. Non-compliance with the provisions of the Act can lead to major fines and even imprisonment.
It is important to realise that the protection afforded by POPIA to personal information does not apply to only your customer information; it also applies to supplier and employee information.
Treating all personal information with the necessary confidentially and ensuring its security, will result in people being more willing to do business with you and help you grow your business.
For more information regarding POPIA and data privacy, please contact:
Henning Pieterse | Partner
Areas of Expertise: Corporate & Commercial Law
Nicozaan Finestone-Jordaan | Associate
Areas of Expertise: Litigation | Dispute Resolution | Contracts | Commercial advice and agreements | Consumer rights and privacy
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)