Every time you use a service, buy a product online, go to your doctor, pay your taxes, or enter into any contract or service request, you are required to hand over some of your Personal Information. Even without your knowledge, information about you is being generated and processed by companies that you may have never interacted with. To empower us to control our Personal Information and protect us from abuse, it is essential that data protection laws are put in place to govern how our Personal Information is used and handled, and it is for this reason that the Protection of Personal Information Act, 4 of 2013 (the “POPI Act” or “POPI”) is relevant and so important.
Information privacy laws have been implemented in most parts of the world and have become a core focus internationally, given the rate at which Personal Information is stored, processed and accessed through technological advances.
In South Africa, the right to Privacy is a constitutional right that is protected in our Bill of Rights. The POPI Act is one of the legislative measures that aims to protect our right to Privacy. The POPI Act brings South Africa in line with international data protection laws and is based on many of the core principles of data protection that are found in data protection laws around the world.
What is the POPI Act?
The POPI Act applies to all Processing of Personal Information, for whatever reason. It seeks to regulate every step of how Personal Information must be handled from the moment it is collected until the moment it is destroyed.
The POPI Act identifies three parties: the Data Subject, the Responsible Party and the Operator.
The Data Subject is the person that the Personal Information belongs to or is about (for example, a business’ clients, suppliers, employees, etc.). You are a Data Subject in relation to your own Personal Information. Under the POPI Act, a Data Subject can be a natural person (i.e. an individual) or a juristic person (i.e. a company).
The Responsible Party is the party who determines the purpose of collecting the Personal Information and the manner in which the Personal Information will be Processed (for example, the business that needs the Personal Information for a particular purpose).
The Operator is the party who Processes Personal Information on behalf of the Responsible Party under a contract or mandate (for example, a third party contracted to Process or store information on behalf of the business, such as an outsourced contractor).
The definitions of Personal Information and Processing are key to POPI.
The definition of Personal Information is very broad and includes all information that identifies or is about a person. This includes information about a person’s:
- the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person and the views or opinions of another individual about the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original private or confidential correspondence; and
- the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
The definition of Processing is equally broad and covers everything that is done with that Personal Information from the moment it is collected until the moment it is destroyed. Processing includes any operation or activity concerning Personal Information, whether or not by automatic means (so it applies to both hard copy and electronic information), including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.
The POPI Act also classifies certain Personal Information as Special Personal Information. Special Personal Information includes religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health and sex life, biometric information, and criminal behaviour (alleged prior to conviction). The POPI Act imposes greater restrictions on the Processing of Special Personal Information, as well as on the Personal Information of children (under the age of 18).
Does the POPI Act apply to your business?
Do you have employees in your business? Do you collect Personal Information (as defined above) from your clients or customers? Do you collect Personal Information from your suppliers or contractors? Do you receive, collect or Process (as defined above) Personal Information for or on behalf of your clients? If so, then it is more than likely that your business uses or “Processes” Personal Information, and that the POPI Act applies. You therefore need to start taking steps towards becoming POPI compliant and protecting the Personal Information that your business Processes.
What do you need to do to start your POPI Compliance journey?
If the POPI Act applies to your business, you will need to look at what steps need to be taken to start your POPI compliance journey. The extent of work needed to become compliant with the POPI Act, and the length of time needed to do so, will vary from business to business, and depends largely on the size of the business and the amount of Personal Information that the business Processes.
One of the first steps is training and awareness. Not only will training guide you through what the POPI Act is about and what it requires of you to protect the Personal Information that your business Processes, but it will also make you and your employees privacy-aware now, as you Process Personal Information in your day-to-day business operations.
Once you have covered the basics of the POPI Act and have an understanding of what the POPI Act and Information Privacy are all about, you will be in a position to conduct a POPI Gap Assessment of your business. A Gap Assessment will enable you to assess how the Act will truly affect your business and where your main POPI compliance gaps lie. Once you have identified the business's main POPI compliance gaps, you can then identify what needs to be done in your business to become POPI compliant and begin with POPI compliance implementation.
Practically, POPI compliance measures will include: drafting terms between your business and the Data Subjects whose Personal Information it Processes; making the Data Subjects aware that their Personal Information is being Processed, the purpose/s of such Processing, and the steps to be taken for the amendment, correction or destruction of their Personal Information; and obtaining consent from the Data Subject for Processing.
The POPI Act was signed into law in November 2013. Certain sections of the Act relating to the establishment of an Information Regulator and the development of Regulations to the Act have commenced. The Information Regulator has been appointed and draft Regulations have been published by the Information Regulator’s office. The commencement date of the Act is yet to be published and many in the industry are anticipating that the POPI Act will commence within the next 6 months to 1 year.
Businesses will have 1 year from the commencement date of the Act to become fully POPI compliant. Depending on the nature of your business and the volume of Personal Information your business Processes, it is recommended that you start your POPI compliance journey sooner rather than later. In some instances, a 1-year period to become fully POPI compliant will be insufficient. The fines that the Information Regulator may impose (once the POPI Act is fully operational) and the potential reputational damage to your business can be far-reaching in the event of a Data Breach. Your business can only benefit from starting to put measures in place to protect the privacy of the Personal Information it is entrusted with and responsible for protecting.
Natasha has a BCom LLB and was admitted as an attorney in 2008. She rose to the level of senior associate at Hogan Lovells before leaving to join Deloitte Legal as a senior manager and subsequently the Life Healthcare Group as Senior Legal Counsel and then Deputy-Head Legal. Natasha left to focus on her commercial practice and joined Caveat in 2017.
Natasha provides specialised legal services on Information Privacy and the POPI Act. With over 4.5 years of POPI experience, she is well placed to assist your business, whether small, medium or large, with all your POPI compliance needs, including awareness, training, legal advice around POPI compliance, implementation advice and assistance, and drafting of privacy-related documents, policies and agreements. Please contact us for more information about the POPI training and awareness programmes Natasha offers and about how we can walk you through your business's POPI compliance journey.