Article by Dr. Danie Strachan – Partner (Adams & Adams)
The Protection of Personal Information Act, 2013 (POPI) has recently been in the news on a frequent basis. This is due to the Information Regulator’s publication of draft regulations for public comment. In view of these developments, many people and businesses are becoming nervous, because they are not yet familiar with POPI’s requirements and have not yet taken steps to prepare for POPI’s implementation. The purpose of this article is to explain POPI in a nutshell, focusing on the essential information.
Also, read Steps to POPI readiness on the Adams & Adams website.
The first issue to address relates to POPI’s status. There is a lot of uncertainty in this regard, and many people are under the impression that POPI is already in force. Actually, only certain sections have legal effect at this stage. Those sections relate to the establishment of the Information Regulator and the drafting of the regulations. A general effective date must still be published in the Government Gazette. Currently, it is not yet known when this will happen, although many experts expect that this might happen during the course of 2018. Once POPI is in force, it will regulate the processing of personal information on a comprehensive basis. It will also bring South Africa’s legislation in this regard in line with the position in many other countries.
POPI identifies key role players that will be involved in the protection of personal information. The Information Regulator will be the watchdog tasked with enforcing POPI and ensuring compliance. It will also be involved in education relating to the protection of personal information. On an operational level, POPI defines a business or person who determines the purpose or means for the processing of personal information as a “responsible party”. The person to whom the personal information relates is known as the “data subject”. If a third party processes personal information for a responsible party, that third party will be a “processor”.
It is important to understand POPI’s definitions of “personal information” and “process” in order to determine whether or not POPI will apply in a specific situation. “Personal information” includes information of a living, identifiable natural person or an existing juristic person. The position in South Africa will therefore differ from the situation in many other countries that have similar legislation, because most countries regulate the processing of humans’ personal information only. However, in South Africa, the law will also regulate personal information of existing companies, close corporations and the like.
The definition of “personal information” covers a very broad spectrum of information, such as a person’s race, gender, age, medical history, employment history, address and various other classes of information. The definition also includes a person’s biometric information (for example, their fingerprints) as well as private correspondence and views or opinions of an individual.
The term “processing” has an equally wide definition. Basically, it covers anything that one can do with personal information, from collecting information to destroying it. For this reason, one must carefully consider what one does with personal information and whether it is even necessary to collect that information in the first place. For example, many businesses should review the forms they use to gather information (for example, customer application forms) to determine whether it is really necessary to request all the information dealt with in those forms.
It is important to bear in mind that POPI will not apply in all situations. For example, one will only need to comply with POPI if one processes personal information by automated means or by non-automated means (but then a filing system must be used). POPI will also only apply if the information has been entered into a record. It also lists specific exceptions. For example, POPI will not apply to the processing of personal information in the course of personal or household activities. Also, de-identified information will not fall within POPI’s scope. Information is de-identified if the information which links it to a specific data subject has been deleted, or the link between a data subject and their personal information has been broken to such an extent that someone cannot link the information back to the relevant data subject again.
POPI is based on eight conditions for the lawful processing of personal information. Under each condition, POPI contains key requirements relating to the processing of personal information. These conditions are as follows:
- Lawfulness. Personal information must be processed lawfully and in a reasonable manner that does not infringe on a data subject’s privacy.
- Minimality. The purpose for processing personal information must be adequate, relevant and not excessive.
- Consent, Justification and Objection. Personal information may only be processed in certain circumstances. The easiest way to ensure that one complies with this specific condition is by obtaining the data subject’s consent to the processing of their personal information. However, one can also process personal information without the data subject’s consent. For example, if one needs to process someone’s personal information in order to fulfil one’s contractual obligation towards them, it is not necessary to obtain consent. POPI even allows a responsible party to process a data subject’s personal information if the processing is in the legitimate interest of the data subject or necessary for pursuing the responsible party’s legitimate interests.
- Purpose Specification. Information may only be collected for a specific, explicitly defined and lawful purpose relating to the responsible party’s function or activity. Information may be retained only for as long as may be necessary for achieving the purpose for which it was collected or subsequently processed, although there are exceptions to this rule.
- Further Processing Limitation. The further processing of personal information must be in accordance or compatible with the purpose for which it was originally collected.
- Information Quality. A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated.
- Openness. A responsible party must document its information processing operations, as required by POPI’s provisions. It must also ensure that data subjects are notified when their personal information is processed. In view of this condition, many organisations are compiling privacy policies, which explain their information processing operations.
- Security Safeguards. Responsible parties must ensure that personal information is kept confidential and that the information’s integrity is maintained. Responsible parties must also take appropriate measures to prevent loss of, damage to or destruction of personal information and to guard against unlawful acts. If there has been a data breach, the responsible party will also have to comply with POPI’s requirements in this regard.
- Data Subject Participation. A responsible party must ensure that a data subject is able to confirm, at no cost, whether or not the responsible party holds any personal information about the data subject. A data subject must also be allowed to correct their personal information and to require a responsible party to destroy or delete it.
POPI creates certain categories of “special personal information”. This includes children’s information, as well as information relating to a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, as well as criminal behaviour and biometric information. POPI’s requirements relating to the processing of special personal information are more stringent than those relating to other personal information. Although POPI does not prohibit the processing of special personal information, such information can only be processed in very specific circumstances.
In future, POPI will also regulate direct marketing. Currently, South Africa follows an “opt-out” system. This means that one may send direct marketing communications to someone, as long as they have the opportunity to opt-out (unsubscribe) from receiving further communications. This system will change to an “opt-in” system. In future, one will only be allowed to send direct marketing communications to someone if they have agreed to receive such communications (but some other exceptions apply as well).
Furthermore, POPI will regulate the transfer of personal information across South Africa’s borders. In order to send personal information to someone in another country, a responsible party will have to comply with POPI’s requirements in this regard.
As one can see, POPI’s scope is very wide. Compliance will require significant effort and dedication, and will have a substantial impact on the way in which business is done. Accordingly, all businesses should familiarise themselves with POPI’s requirements and ensure that they are taking the necessary steps to prepare for POPI.