Summary Of The Protection Of Information Act (POPI Act)
The Act's purpose is to protect personal information. It also aims to strike a balance between the right to privacy and the need to allow information to flow freely and be accessible to all, and it regulates how personal data is processed.
The POPI Act's foundation
The POPI Act requires companies to behave responsibly; responsible corporate citizenship is the foundation of the Act. This responsibility includes protecting the information held within the organisation and being accountable for how personal information is shared and stored. Personal information should be treated as a valuable commodity, and organisations must exercise proper control over it.
What is personal information in the POPI Act?
- Identity or passport number
- Date of birth and age
- Telephone numbers
- Email address
- Online messaging identities
- Physical address
- Gender, race, and ethnic origin
- Photos, voice recordings, video footage
- Family relations and marital status
- Criminal record
- Private correspondence
- A variety of religious or philosophical beliefs, including personal and political opinions
- Information about your employment history and your salary
- Financial information
- Information about education
- Information about your physical and mental health, including medical history
- Membership of an organisation
Technology's impact on personal data protection
Technology convergence has increased the likelihood of attacks. Anyone with a smartphone, a tablet or a laptop can be a source of assistance to cybercriminals, and personal information can be obtained from any such device. LinkedIn and Facebook, two of the most popular social media platforms, are also rich sources of personal information, which criminals could use to cause severe harm to individuals and organisations. Everyone has a responsibility to protect themselves; the POPI Act cannot protect someone who does not take care of their own information.
To whom does the act apply?
This Act applies to any person other than a natural individual, and it also covers companies and any other legal entity. All organisations are data subjects and enjoy the same protection rights. The Act covers anyone who maintains any records relating to personal information, except where such records are protected by other legislation. It sets minimum standards for protecting personal information and governs the "processing" of personal information, where "processing" means the collection, receipt, recording, organisation, retrieval or use of personal information, including disseminating or distributing it. You are also subject to the Act in respect of any records already in your possession.
Application of POPI
Many countries have an equivalent of the POPI Act, and South Africa's POPI Act was based on UK legislation. Companies cannot ignore the law and must update their IT systems. It is important to start training and educating employees as soon as possible.
When will it enter into force?
The Act became effective in July 2020 and gave companies 12 months to comply. The Act becomes fully effective on 1 July 2021.
What are your rights?
Every individual has the right to be informed when anyone is using their personal data. You have the right of access to your personal information, the right to request that it be rectified or destroyed, and the right to object to its processing.
Personal information that is processed as part of a purely personal or household activity, or by a public body involved in national security, defence, public safety, anti-money laundering, the Cabinet or the Executive Council of a Province, or in a judicial function, does not fall under the Act.
Personal information may only be processed in the following circumstances (section 11):
- with the consent of the "data subject";
- if it is necessary to conclude or perform a contract to which the "data subject" is a party;
- if it is required by law;
- if it protects a legitimate interest of the "data subject"; or
- if it is necessary to pursue your own legitimate interests, or those of a third party to whom the information is supplied.
Every individual has the right to object to the processing of their personal data on legitimate grounds, or to withdraw consent previously given.
The Responsible Party must collect personal information directly from the "data subject", except where:
- the information is in a public record or was deliberately made public by the data subject;
- the subject's interests are not prejudiced by obtaining the information from another source;
- it is required for a public purpose or to protect the subject's legitimate interests; or
- obtaining the information directly from the subject would prejudice a lawful purpose, or would not be reasonably practicable.
Personal information may only be collected for a specific, lawfully defined purpose, and the subject must be made aware of that purpose (section 13).
If the personal information is no longer needed for that specific purpose, it must not be kept (it must be destroyed or the subject must be "de-identified"), unless its retention is required or permitted by law (section 14).
If you have created safeguards to protect the information from being used for other purposes, you are allowed to keep personal data for historical, statistical and research purposes.
Records must be destroyed so that they cannot be reconstructed.
Personal information you have collected may only be used for the purpose for which it was collected (section 15).
In terms of sections 14 and 51 of the Promotion of Access to Information Act, documentation relating to personal data and how it was processed must be kept.
Subjects must be informed of the following when information is collected (section 18):
- The information being collected and, if it is not collected directly from the subject, the source of the information.
- The name and address of the person or organisation collecting the information.
- The purpose of collecting the information, and whether the subject is obliged to supply it.
- The consequences of failing to provide the information.
- What level of protection the information will receive once it leaves South Africa.
- Who will receive the information.
- The subject's right to access the information and to correct any errors.
- The subject's right to object to the processing of the information (where such a right exists).
- The subject's right to lodge a complaint with the Information Regulator, together with the Information Regulator's contact details.
These requirements must be met before any information is collected from the subject. If the information is not collected from the subject directly, the subject must still be made aware of these rights. You must go through the process again if you need additional information about a subject for a different purpose (section 18(3)).
Therefore, I envision all estate agents' clients signing a form acknowledging their rights before they fill out any personal information on a mandate, an offer to buy or a FICA form.
Compliance with these requirements is not required where the subject has consented to non-compliance, where non-compliance would not prejudice the subject's legitimate interests, where compliance would prejudice a public interest, where the information will only be used for statistical or research purposes, or where it is not possible to identify the subject from the information.
How do we deal with personal data that we have collected?
Anyone who holds personal information must take reasonable precautions to prevent its loss, damage or unauthorised destruction, and to prevent unlawful access to and unlawful processing of that information (section 19).
To do this, all reasonably foreseeable risks must first be identified, appropriate safeguards must be put in place, and those safeguards must be regularly verified and updated to address new risks or deficiencies.
Anyone who processes personal information on behalf of an employer must be authorised by that employer and must treat the personal information as confidential (section 20).
Such a person must sign a written contract with the employer obliging them to protect the privacy and confidentiality of personal information and to take appropriate safeguards against the identified risks.
The employee must also notify their employer if they suspect that personal information has been misused (section 21(2)).
To comply with the requirements, I can see new employment contracts for data capturers and administrative staff.
If personal information has been accessed by an unauthorised person, you must notify both the Information Regulator and the subject. The notification to the subject must contain sufficient information to allow the subject to take protective measures against the potential consequences of the personal information falling into the wrong hands.
Every individual has the right to ask whether anyone holds their personal data. Only proof of identity is required, and this information must be provided free of charge. You can also ask what the information is and whether it has been disclosed to third parties, although a fee may be charged for this. Access to this information is also subject to the Promotion of Access to Information Act.
You have the right to request that your personal data be corrected or erased if it is inaccurate, irrelevant, excessive or out of date.
The Act creates a category of "special personal information". This includes religious or philosophical beliefs, race, ethnic origin, trade union membership, political persuasion, health, sex life and biometric information, as well as information relating to any alleged offence, any proceedings in respect of an alleged offence, and the outcome of such proceedings (section 26).
Special personal information may not be processed unless the subject has consented or processing is required by law.
I don't think this will stop the processing of information regarding the conviction of a subject of a criminal offense, since such an offence won't be "alleged".
There are limited exceptions to this prohibition, namely where the information is relevant to and serves the purpose for which it is collected, such as for BEE or insurance purposes.
Children's personal data is subject to special rules. (section 35)
The Information Regulator can grant exemptions allowing personal data to be processed without complying with the Act where the public interest outweighs the privacy rights of the subject, or where the processing clearly benefits the subject. Such exemptions may be granted subject to conditions.
Exemptions can also be granted where personal information is processed to fulfil a "relevant function", that is, a function whose purpose is to protect members of the public from:
- financial loss as a result of dishonesty in the banking and financial services industries; or
- dishonesty or malpractice by anyone authorised to practise a profession or engage in any other activity.
Direct Marketing
Section 69 of the Act prohibits direct marketing by electronic communication unless the subject has consented. Electronic communication includes SMSs, emails and automated calling machines. A subject may be approached only once to obtain consent; if consent is refused, the subject may not be approached again.
Slightly different rules apply where the subject is an existing customer. The customer's contact details must have been obtained in connection with the sale of a product or service, the direct marketing may only relate to the supplier's own similar products or services, and the customer must have been given the opportunity to opt out both when the information was collected and every time such a communication is sent.
Direct marketing electronic communications must disclose the identity and address of the advertiser to enable the customer to opt out.
Subjects whose details are to be included in any directory must be informed of the purpose of the directory and of any further uses to which it may be put, including search functions embedded in electronic versions. Subjects who are unable to consent must still be informed. This does not apply to directories that were printed or produced in off-line electronic form before this section came into force.
Your personal information may still be included in public subscriber directories that were prepared in accordance with the Act's safeguards, but the subject must be notified of the purposes and any further uses of the directory and must again be given an opportunity to opt out (section 70).
The Act regulates the transfer of personal data from South Africa to other countries and prohibits it unless (section 71):
- the recipient of the information is subject to similar laws;
- the subject has consented to the transfer;
- the transfer is necessary for the performance of a contract to which the subject is a party; or
- the transfer is for the benefit of the subject, it is not reasonably practicable to obtain the subject's consent, and the subject would be likely to give that consent if asked (section 72).
Penalties, offences and administrative fines
Sections 100 to 106 set out the circumstances in which a party may be guilty of an offence. The most pertinent are:
- hindering, obstructing or unlawfully influencing the Regulator;
- failure by a responsible party to comply with an enforcement notice;
- lying under oath as a witness, or failing to appear at a hearing;
- unlawful acts by the responsible party in connection with account numbers; and
- unlawful acts by third parties in connection with account numbers.
Section 107 of the Act sets out the penalties for each offence. The maximum penalty for the offences listed above is a fine, imprisonment not exceeding 10 years, or both. The maximum penalty for lesser offences, such as hindering an official executing a search warrant, is a fine, imprisonment not exceeding 12 months, or both.