What you need to know about the POPI Act

In the early part of 2020, President Cyril Ramaphosa proclaimed certain sections[1] of the Protection of Personal Information Act 4 of 2013[2] (PoPI Act) into law.  These sections became effective on 1 July 2020, with two further sections (110 and 114 (4)) scheduled to commence at the end of June this year.

The PoPI Act can be quite tedious to read and time-consuming to understand.  This article is meant to provide readers with some insights into the application of PoPI Act in both their personal and business lives. So, let’s begin at the beginning.

 

What is ‘personal information’?

The main objective of the PoPI Act is to protect (“safeguard”[3]) the personal information of a person or company when it is handled by a third party.

It provides rules around how personal information should be treated in South Africa.  But what defines personal information? The PoPI Act refers to it as “…information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person” (a juristic person generally refers to a company).  It includes details such as name, race, gender, age, disability, education and location.

 

Who does the PoPI Act apply to?

The PoPI Act mentions two major role players: the ‘data subject’ and the ‘responsible party’.

The ‘data subject’ is defined as “the person to whom personal information relates”[4].

The ‘responsible party’ is defined as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and the means for processing personal information”[5]. In other words, the responsible party is the person requesting or using someone’s personal information.

POPI at a glance

Whether you are the proverbial ‘man on the street’ or a major corporate, the PoPI Act will have a significant impact on your day-to-day life.  See our brief summary below to get a birds-eye view of the main concepts and definitions.

  • WHO does the PoPI Act apply to?
    • Data subject – the person / company to whom the personal information belongs.
    • Responsible party – the person collecting personal information for processing.
  • WHAT is personal information?
    • “…information relating to an identifiable, living, natural person…” and/or “…identifiable, existing juristic person (e.g. a company)”[6]
  • WHEN can personal information be processed?
    • Personal information can only be processed if the responsible party has received consent for the processing, and processing is required for the conclusion or performance of a contract (the purpose of the processing).
    • Personal information may only be kept for as long as it is required for processing.
    • Certain laws and/or contracts may, however, require that the personal information be kept for a certain period after processing (for example B-BBEE verification agencies are required to hold the records for between 3 – 5 years after the verification has been conducted)
  • WHERE can personal information be collected from?
    • Directly from the data subject; or
    • Another source (for example a payroll or HR system, provided that the data subject has consented to the collection from this source).
  • WHY is it important to know the PoPI Act?
    • It highlights the rights that a data subject has with regards to personal information.
    • For responsible parties, it highlights the conditions that need to be upheld when processing personal information. If the responsible party fails to uphold these conditions, he/she may become liable for
    • a fine[7];
    • or to imprisonment[8]; or
  • HOW is the data subject protected?
    • The PoPI Act lists many conditions that the responsible party must comply with to avoid conviction. These conditions include:
    • Accountability (section 8);
    • processing limitations (section 9 – 12);
    • purpose specifications (section 13 – 14);
    • Further processing limitation (section 15)
    • information quality (section 16);
    • openness (section 17 – 18);
    • security safeguards (section 19 – 22); and
    • data subject participation (section 23 – 25).

 

Why is the PoPI Act important?

The PoPI Act provides and protects many rights of the person to whom the information pertains. It stipulates that people (and companies) have the right to:

  1. Privacy;
  2. Consent to collection of the personal information from other sources or directly from the data subject;
  3. Consent to the use (processing) of the personal information in line with a contract;
  4. Object to certain types of processing on reasonable grounds, unless legislation allows for the processing;
  5. Withdraw permission at any time;
  6. Know the purpose for which the personal information is or will be used;
  7. Correct any errors on the personal information at any time.

 

How does the PoPI Act protect the rights of people and companies?

The PoPI Act identifies certain conditions that the responsible party needs to follow before, during and after the processing of personal information.  Below is a summary of each of the relevant conditions based on some of the more important sections of the PoPI Act.

 

Conditions:

Accountability (section 8)

  • The responsible party must ensure that all conditions are complied with when determining “the purpose and means” of the processing, as well as during the processing itself.[9]

Processing limitation (sections 9 – 12)

  • There are limitations around how the information is processed.
  • Firstly, the processing[10] needs to be lawful and conducted in such a manner that it does not infringe on the privacy of the data subject.
  • Secondly, the purpose for the processing must be “adequate, relevant and not excessive.”[11]
  • Thirdly, the data subject must consent to the processing in situations where the processing is necessary for the conclusion or performance of a contract.  The responsible party will bear the burden of proof for such consent, and the data subject may withdraw their consent at any time.  The data subject may also object, at any time, to the processing of personal information, on reasonable grounds. If this is done, no processing is allowed, unless legislation provides for it.
  • Lastly, the personal information must be collected directly from the data subject, unless they consent to collection from another source.

Purpose Specification (sections 13 – 14)

  • Personal information must be collected for a specific, explicitly defined and lawful purpose,[12] and the data subject must be made aware of the purpose of the collection.
  • The records may not be retained “any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed.”[13]  There are, however, certain instances where these records can be kept longer. These include but are not limited to circumstances wherein retention of the records is required by law.  In the event of the information being kept, the responsible party must ensure that it has established “appropriate safeguards” against the records being used for any other purpose.[14]

Further Processing limitation (section 15)

The “further processing” or use of personal information must be conducted in accordance with the purpose for which it was originally collected.

Types of processing that are deemed to be compatible with the purpose, include but are not limited to:

  • processing information that is “derived from a public record”[15],
  • processing information to “avoid prejudice to the maintenance of the law”[16], and

where processing is necessary to prevent or mitigate a serious and imminent threat to public health, public safety or the life or health of the data subject or another individual.[17]

Information Quality (section 16)

The responsible party must take steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.[18]

Openness (sections 17 – 18)

The responsible party must maintain the documentation of all processing operations under its responsibility and needs to take reasonably practical steps to ensure that the data subject is aware of, amongst others:

  1. the information being collected and the purpose for the collection;
  2. the identity of the responsible party; and
  3. any consequences of not supplying the information.

The responsible party must communicate the above to the data subject before the information is collected or as soon as reasonably possible after the collection.

Security safeguards (sections 19 – 22)

“A responsible party must secure the integrity and confidentiality of personal information … to prevent a) loss of, damage to or unauthorised destruction of personal information; and b) unlawful access to or processing of personal information.”[19]

These sections continue to highlight certain measures and procedures a responsible party must undertake to ensure the above, including steps to be taken in the case of security compromises.

Data subject participation (sections 23 – 25)

Section 23 provides a detailed account of the different rights the data subjects have with regards to accessing their personal information.  These include the right to know which personal information is being held by the responsible party, the right to request access to the personal information (with some requirements) and the right to correct the personal information (further detailed in section 24).  It also provides situations in which the responsible party may refuse access to personal information, based on the Promotion of Access to Information Act 2 of 2000[20].

Knowing your rights around privacy and the way your personal information is accessed and used can help you maintain the integrity of personal data that is shared with others. The PoPI Act’s aim is to reduce the misuse of personal information. Familiarising yourself with the precepts from the Act can help create a safer, better online environment for all of us.

 

 

[1] Section 13 (1).

[2] Section 14 (1).

[3] Section 14 (2).

[4] PoPI Act, Section 1.

[5] PoPI Act, Section 1.

[6] Section 1.

[7] Section 109: In the case of an administrative fine, the amount may not exceed R10 million.  This amount is, however, at the discretion of the Cabinet member responsible for the administration of justice and he/she can adjust this amount.

[8] Section 107: Imprisonment can be any length of time, ranging from a few months to 10 years (depending on the transgression).

[9] Section 8.

[10] Processing, in the context of the PoPI Act, “means the operation or activity or any set of operations, whether or not by automatic means, concerning personal information” and includes:

  1. “the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  2. dissemination by means of transmission, distribution or making available in any other form; or
  3. merging, linking, as well as restriction, degradation, erasure or destruction of information.”

[11] Section 10.

[12] Section 13 (1).

[13] Section 14 (1).

[14] Section 14 (2).

[15] Section 15 (3)(b).

[16] Section 15 (3)(c)(i).

[17] Section 15 (3)(d)(i) and (ii).

[18] Section 16 (1).

[19] Section 19 (1)(a) and (b).

[20] Government Gazette No 20852 (3 February 2000).

 

 

 

Written by: Michael Craies, 02 February 2021