Guidelines to the Protection of Personal Information (POPI) Act
The Protection of Personal Information Act (POPI Act) was signed into law on 26 November 2013.
This legislation prescribes strict requirements for the handling and processing of personal information by any entity in control of such information. However, this legislation has not yet come into effect, and in anticipation of its implementation it is prudent for parties to identify how the legislation will impact on their personal lives and businesses.
The starting point of the POPI Act is to give effect to Section 14 of the Constitution of the Republic of South Africa, which provides for the Right to Privacy. This legislation also brings South African legislation in line with international standards with regard to the handling of personal information.
Personal Information is defined in the Act as information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person. The aspects of personal information protected by the legislation include information relating to race, gender, marital status, ethnicity, sexual orientation, medical, financial, criminal and/or biometric information, among others.
Eight minimum requirements for processing of Personal Information are introduced in this new legislation, namely:
- Accountability: The entity responsible for the information must ensure that the conditions and measures set out in the legislation are complied with.
- Processing Limitations: Personal information must be processed lawfully either by obtaining consent from the subject of the personal information, or it may be processed as part of a legal obligation or as part of the public record.
- Specific Purpose: Personal information must be collected for a specific, explicitly defined purpose related to the function or activity of the collecting entity and the subject of the information must be made aware of the information collected.
- Further Processing Limitations: The further processing of personal information must be in accordance with the purpose for which it was collected, unless it is required or authorised by law.
- Information Quality: The entity in control of personal information must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
- Openness: The entity in control of personal information must maintain records of all information under its control. It must also make the subject of the personal information aware of the information being collected and the purpose for which it is being collected.
- Security Safeguards: The entity in control of personal information must secure the integrity and confidentiality of personal information in its possession or under its control by taking reasonable technical and organisational measures to prevent loss, damage, unauthorised access, processing or destruction.
- Data Subject Participation: A data subject, having provided adequate proof of identity, has a right to request a responsible party to confirm the personal information it holds about the subject.
In addition to the above, the legislation also prohibits the processing of personal information for the purpose of direct marketing by means of any form of electronic communication, including automated calling machines, fax, SMS or emails, without the individual’s explicit consent to receive direct marketing.
All of the above is meant to ensure that all entities conduct themselves in a responsible manner when collecting, processing, storing and sharing personal information of another individual, in that the legislation holds the entity in control of the information accountable should they abuse or compromise an individual’s personal information in any way.
It is clear that the proposed legislation, which is complex in nature, will present challenges to businesses to put in place effective and compliant systems and procedures.
Our team of specialists at Abrahams & Gross can assist with this task – large or small – by auditing what your business currently has in place and how to amend this to bring your operations in line with the POPI Act.
If you need more information or legal advice on the subject, please contact Abrahams & Gross Attorneys for assistance.
t. 021 422 1323 | e. email@example.com