The Protection of Private Information Act (POPIA): A Brief Overview
- Signed in 2013. Only parts of the Act came into force.
- Based on section 14 of the Constitution (the right to privacy), POPIA was designed to prevent the misuse of the personal information of citizens by anyone who uses such details, including for direct marketing, unless the specific and explicit permission of the person concerned is obtained in advance.
- The effective enforcing agency of POPIA is the Information Regulator (IR). It is headed by Adv. Pansy Tlakula.
- In December 2018 the IR published the POPIA Regulations in the Government Gazette.
- When the Act is fully enforceable, a breach of the Act may carry a penalty of a ten-year prison sentence or a R10 million fine.
- President Ramaphosa's statement in June 2020 made further parts of the Act enforceable from 1 July this year, giving parties and companies twelve months to become fully compliant, in other words by 1 July
Personal Information Protected by the Act:
- “personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
  - information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  - information relating to the education or the medical, financial, criminal or employment history of the person;
  - any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  - the biometric information of the person;
  - the personal opinions, views or preferences of the person;
  - correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  - the views or opinions of another individual about the person; and
  - the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;”
- The Act provides 8 conditions under which Personal Information may legally be gathered and processed.
- A POPIA policies and procedures manual will be required in certain circumstances.
- It is the duty of the Responsible Person to ensure that these policies and procedures are followed.
1. Accountability: The responsible party must ensure that the conditions, and all the measures set out in the Act that give effect to those conditions, are complied with at the time of determining the purpose and means of the processing.
2. Processing Limitation: Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
3. Purpose Specification: Personal information may only be processed for specific, explicitly defined and legitimate reasons.
4. Further Processing Limitation: Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
5. Information Quality: The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
6. Openness: The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose it will be used.
7. Security Safeguards: Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure.
8. Data Subject Participation: Data subjects may request confirmation of whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.
- Extraterritoriality: There is a connection with the General Data Protection Regulation (GDPR) of the EU, which mandates that its provisions apply to all processing of the personal data of data subjects even if the entity processing the data is not located within the EU.