by Aleshia van der Ploeg LLB. (RAU), Director of VDP Legal Consulting (PTY) Ltd
I have had numerous clients hearing the adverts on the radio, or being misinformed by their fellow entrepreneurs, and calling me in a panic about the POPI Act - Protection of Personal Information Act. So let me unpack it for you...
THE POPI ACT – WHAT IS IT?
It is the Protection of Personal Information Act 4 of 2013. No commencement date has been announced and there is a one-year grace period that runs from the commencement date, so you only have to comply with POPI at the end of the grace period.
WHAT DOES IT DO?
The Act promotes the protection of personal information processed by public and private bodies, and introduces certain conditions on such bodies so as to establish minimum requirements for the processing of personal information.
DOES IT APPLY TO ME OR MY BUSINESS?
If you process any personal information – the answer is yes!
Processing includes the collecting or storing of any information and personal information is defined as “information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person”.
This Act does not apply to the processing of personal information in the course of a purely personal or household activity. This Act does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression either.
WHAT DO I NEED TO DO?
Personal information needs to be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. You can only collect personal information for a specific, explicitly defined and lawful purpose and the subject must be aware of the purpose for which the information is being collected.
The conditions for the lawful processing of personal information by or for a responsible party are the following:
1. “Accountability”
The party or institution that holds personal information must give effect to the principles for the protection of personal information as set out in the Bill.
2. “Processing limitation”
Personal information must be collected directly from the data subject and may only be processed with the consent of the data subject, or where it is necessary to comply with a legal obligation, public law duty or contractual obligation.
3. “Purpose specification”
Personal information must be collected for a specific, explicitly defined and legitimate purpose. The data subject should be aware of the purpose for which the information is collected, and who the likely recipients of the information should be.
4. “Further processing limitation”
Personal information may not be processed further in a way that is incompatible with the purpose for which the information was collected initially. Thus, if information was processed for the purpose for which it was collected, it may only be processed further if it can be shown that the purpose for further processing is compatible with the original purpose.
5. “Information quality”
The person or institution that determines the purpose and means for processing personal information should ensure that the information is complete, not misleading, up to date and accurate.
6. “Openness”
Notify the Regulator and notify the data subject that you are processing personal information.
7. “Security safeguards”
The Bill requires the implementation of technical and organisational measures to secure the integrity of personal information, and to guard against the risk of loss, damage or destruction of personal information. Also, personal information should be protected against any unauthorised or unlawful access or processing.
8. “Data subject participation”
A data subject is entitled to the particulars of his or her personal information held by an institution or person, as well as to the identity of any person that had access to his or her personal information. The data subject is also entitled to require the correction of any information held by another party.
SO… IN A NUTSHELL?
Appoint an information officer. Audit your processes and put procedures in place regarding the collection and storing of personal information. Define your reasons for collecting personal information. Ensure against the loss, damage, and unauthorised destruction of the personal information, and prevent unlawful access to or unlawful processing of this personal information.
WHAT ABOUT DIRECT MARKETING?
In terms of the Act, the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject has given his, her or its consent to the processing; or is a customer of the responsible party.
BEWARE!
Non-compliance can result in up to R10 million in fines or 10 years in jail!
For further information or assistance email aleshia@vdplegal.co.za
Aleshia van der Ploeg LLB (RAU) was admitted as an Attorney of the High Court in South Africa in 2006. She is a member of the Law Society of the Northern Provinces. She has 10 years post-qualification experience in corporate, commercial, labour and general law. She practised as an attorney and served as a Director before forming her own consulting firm. www.vdplegal.co.za | Email aleshia@vdplegal.co.za