The Protection of Personal Information Bill, which will soon become law and is commonly referred to as POPI, seeks to regulate the processing of personal information.
It must be read with other relevant statutes such as:
- Electronic Communications and Transactions Act 25 of 2002 (‘ECT’)
- Promotion of Access to Information Act 2 of 2002 (‘PAIA’)
- Regulation of Interception of Communications Act 70 of 2002 (‘RICA’)
- Consumer Protection Act 68 of 2008 (‘CPA’)
Personal information of both employees and clients is – given e-commerce and technology used in connecting businesses – becoming instantly accessible to third parties.
POPI aims to introduce certain protection principles to establish minimum requirements for the processing of personal information. There are eight information protection principles contained in chapter 3 of the Bill, namely:
Accountability; Processing limitation; Purpose specification; Further processing limitation; Information quality; Openness; Security safeguards; Data subject participation.
The intention is to promote transparency with regard to what information is collected and how it is to be processed. This might be the end of all those unsolicited sales calls and spam we receive on a daily basis.
Processing means broadly anything done with personal information, including collection, usage, storage, dissemination, modification or destruction (whether such processing is automated or not).
POPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. These measures are likely to improve the overall reliability of the organisation’s databases.
Compliance further demands identifying personal information and taking reasonable measures to protect the data, like tracking the workflow of client documents and ensuring that vital information is not misplaced or falls into the wrong hands.
The POPI Act is very much in line with similar legislation that exists in about 70 to 80 other countries, and South Africa is finally set to fall in line with international standards for the collection and handling of personal information.
The Act does not only protect the way in which information is used and/or re-used by the recipients of the information, but the party gathering the information also has the responsibility to ensure it is accurate, current and not misleading. Personal Information may only be processed if voluntary, specific and informed consent is obtained.
An Information Protection Regulator will be appointed who will have broad powers and may consider the public interest as opposed to an individual’s rights to privacy.
There are, however, cases where POPI does not apply. Section 4 Exclusions include:
- purely household or personal activity;
- sufficiently de-identified information;
- some state functions including criminal prosecutions, national security etc.;
- journalism under a code of ethics;
- judiciary functions etc.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice.