The POPI Act requires an entity to take reasonable technical and organisational measures to ensure that personal information is adequately safeguarded. Personal information, according to the Protection of Personal Information Act, 2013, includes the following:

  1. Information relating to the following of a person:
  • Race/nationality/ethnic/social origin/colour
  • Gender/sex
  • Pregnancy
  • Marital status
  • Sexual orientation
  • Age
  • Physical or mental health/well-being/disability
  • Religion/conscience/belief
  • Culture/language
  • Birth
  2. Education, medical, criminal, employment or financial history of a person
  3. Identifying number, email address, telephone and physical address, location information, online identifier
  4. Biometric information
  5. Personal opinions, views or preferences
  6. Explicitly or implicitly private or confidential correspondence
  7. Views of others about that person
  8. Name, if it appears together with other personal information about that person or if the name would reveal information about that person

Personal information may only be processed (collected, stored, received, organised etc.) if the following conditions are complied with:

  1. Accountability

All the conditions below must be complied with.

  2. Processing

Personal information may only be processed if the processing is lawful and carried out in a reasonable manner that does not infringe the privacy of the data subject, and only where one of the following applies:

  • The data subject consents
  • Necessary to carry out a contract to which the data subject is a party
  • Obligation imposed by law
  • Protects legitimate interest of data subject
  • Necessary for a proper performance by a public body
  • Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied

Information must be collected directly from the data subject unless the information is obtained from a public record, the data subject has consented to collection from another source, collection from another source would not prejudice a legitimate interest of the data subject, or the collection is necessary in terms of a law.

Employers must obtain the employee’s consent for their personal information to be collected and used. Employees must also be made aware of the third parties (or other individuals) who might have access to it.

  3. Purpose Specification

Personal information must be collected for a specific, defined and lawful purpose related to a function or activity of the responsible party.

Records of information must not be retained for longer than is necessary. If records are kept for research, statistical or historical purposes, they may be kept for longer, provided that adequate safeguards are in place to prevent the records from being used for other purposes.

The responsible party (the employer) must ensure that safeguards are in place to protect the data from being used for other purposes. Employees who handle this kind of personal information about other employees should have a clause in their employment contracts dealing with confidentiality.

  4. Further Processing Limitation

Further processing of personal information must be in accordance with, or compatible with, the purpose for which it was collected (see Section 15). Further processing will not be incompatible if the data subject consents, or if the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for that purpose and will not be published in an identifiable form.

The employer must obtain the employee’s consent if further processing takes place that is not compatible with the purpose for which the information was collected.

  5. Information Quality

A responsible party must take steps to ensure the information is accurate, complete and not misleading.

  6. Openness

The data subject (employee) must be made aware of the information being collected or, if the information is not collected from the data subject, of the source from which it is collected, the purpose of the collection, and so on, unless the data subject consents to non-compliance. The responsible party must take reasonable steps to ensure that the data subject is informed.

If personal information about the employee is collected by a third party via the employer, the employee needs to be made aware of it unless the employee consents to non-compliance.

  7. Security Safeguards

The responsible party must ensure the integrity and confidentiality of the information in its possession or under its control by taking reasonable and appropriate measures to prevent loss or damage to personal information and unlawful processing of information.

Anyone processing personal information on behalf of a responsible party may not disclose the information.

Data subjects must be notified if personal information has been accessed or acquired by an unauthorised person (or the responsible party has reasonable grounds to believe so).

The employer or third party should ensure that employee data is treated as confidential information. Our suggestion would be to include a confidentiality clause in the employment contracts. Passwords must also be set up on the systems.

  8. Access to personal information

A data subject (employee) has the right to request access to their personal information, and to request that it be corrected or deleted.

Although financial information is not specifically dealt with in the above-mentioned Protection of Personal Information Act, according to the Basic Conditions of Employment Act it is an offence for any person to disclose information which that person acquired while exercising or performing any power or duty in terms of that Act and which relates to the financial or business affairs of any other person, except where the information is disclosed in compliance with the provisions of any law.

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)


POPI refers to South Africa’s Protection of Personal Information Act, which seeks to regulate the processing of personal information.

What is Personal Information?

Personal information means any information relating to an identifiable, living natural person or juristic person (companies, CCs etc.) and includes, but is not limited to:

  • Contact details: email, telephone, address etc.
  • Demographic information: age, sex, race, birth date, ethnicity etc.
  • History: employment, financial, educational, criminal, medical history
  • Biometric information: blood type etc.
  • Opinions of and about the person
  • Private correspondence etc.

What is Processing?

Processing broadly means anything done with someone’s personal information, including collection, usage, storage, dissemination, modification or destruction (whether such processing is automated or not).

Some of the obligations under POPI:

  • Only collect information that you need for a specific purpose.
  • Apply reasonable security measures to protect it.
  • Ensure it is relevant and up to date.
  • Only hold as much as you need, and only for as long as you need it.
  • Allow the subject of the information to see it upon request.

Does POPI really apply to me or my business?

POPI applies to every South African based public or private body which, either alone or in conjunction with others, determines the purpose of or means for processing personal information in South Africa.

There are cases where POPI does not apply. Exclusions (Section 6) include:

  • purely household or personal activity.
  • sufficiently de-identified information.
  • some state functions including criminal prosecutions, national security etc.
  • journalism under a code of ethics.
  • judiciary functions etc.

Why should I comply with POPI?

POPI promotes transparency with regard to what information is collected and how it is to be processed. Openness increases customer trust in the organisation.

Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and/or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and/or imprisonment of up to 10 years.


© 2019
