Article provided Coface
The Protection of Information Act, better known as POPIA, came into full effect on July 1st, 2020, which meant that all companies were required to be fully POPIA compliant by July 1st, 2021.
The POPIA act is not the first of its kind but relatively similar to the GDPR (General Data Protection Regulation), which is a European privacy law, that came into effect on May 25th, 2018.
What is the purpose of POPIA?
The intended purpose of POPIA is to promote the right to privacy in the Constitution, while dealing with the right of access to information, as well as the protection of information and the flow of same.
Who does POPIA cover?
Under the POPIA act, all personal information of data subjects are covered.
Data subjects are defined in the act as: “person to whom personal information relates”
Personal information means: “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to —
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
It is important to note that POPIA includes juristic information, and therefore company information over and above confidential information is covered.
Who needs to comply with POPIA?
Any company or organization processing personal information in South Africa, who is domiciled in the country, or not domiciled but making use of automated or nonautomated means of processing in the country.
How can you become compliant with POPIA?
In terms of the POPI act, there are eight specific information protection principles that organisations must comply with:
- Processing limitation
- Purpose specification
- Further processing
- Information quality
- Security safeguards
- Data subject participation
This in practical terms means the company should do the following:
- First and foremost appoint an Information Officer and register them with the Information Regulator.
- Train all members of staff on POPIA and its importance, as some of the staff may be handling some of the information.
- Only collect information that is relevant to the transaction, this means only gather the information that you have:
- Consent of data subjects
- Processing of data necessary to perform a contractual obligation
- Processing helps comply with a legal obligation set by applicable law
- Processing protects the legitimate interests of the data subject
- Performance of public law duty
- Legitimate interests of either the responsibly party or a third party
- Apply adequate security measures to protect both your staff and customers, for example, try and have security software loaded on your computers, so that third parties cannot hack and obtain the information, further to this, ensure staff members only have access to information that is relevant to their job.
- Only store the information of both clients and customers for as long as it is needed or as legislation requires this includes employees’ information, once an employee has resigned the information you have on them is no longer required.
- If any person (juristic or individual) asks what information the company has on record on them, the company is obliged to disclose it and not withhold it.
What happens if there is a breach of information?
Under the POPIA act, there is a duty on all responsible parties to notify the Information Regulator of confidentiality and integrity breach of personal information. If such breach takes place, the responsible party must notify the Regulator within a reasonable time and must include the following:
- A description of the possible consequences of a security compromise;
- A description of the measures that the responsible party intends to take or has taken to address the security compromise;
- A recommendation regarding the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information. Keep in mind there is an obligation to protect the personal information of this person and share it with the smallest number of people possible.
What penalties and offences can you face if you do not comply with POPIA?
Failing to comply with POPIA can result in the company facing the following:
- Imprisonment of up to 10 years and/or
- A fine not exceeding R10 Million Rand.
Therefore, POPIA is not an act to be taken lightly, and while it is still a new piece of legislation, the Information Regulator is taking each offense committed very seriously. Companies are therefore encouraged to take the time to understand the Act and to understand what is required as provided above.