The Protection of Personal Information Act 4 of 2013, or “POPI”, promotes the protection of personal information which is processed by both public and private bodies. POPI was signed into law by the President of South Africa on 19 November 2013. However, a majority of its provisions have not yet come into force, and although there is a hope that they will do so before the end of this year, there is no certainty as to when this will actually occur. When POPI does fully come into effect, those persons and entities it affects will have a one-year period in which to become compliant with its provisions.
Any person or entity, with a few exceptions, who collects, stores, modifies, uses, disseminates or destroys information will fall under the ambit of POPI. Thus, POPI applies to those who process private information, whether this is done in an automated manner or not. Such persons and entities must abide by the requirements of POPI. Should this not be done, the processing of the information held will not be lawful. Through this Act, South Africa will bring itself in line with international standards and trends, with the privacy of private individuals being enhanced and improved.
The aim of POPI is to regulate private information and to promote transparency as to the type of information entities collect, and how such information is processed. This is important in light of the fact that such information becomes accessible to third parties and therefore individuals must be protected from important information being misplaced or put in the wrong hands, as well as ensuring that entities’ databases are reliable to third parties, containing information that is accurate and not misleading.
There are eight information-protection principles established by POPI, called ‘Conditions’. These are:
- Processing limitation;
- Purpose specification;
- Further processing limitation;
- Information quality;
- Security safeguards; and
- Data subject participation.
Individuals and entities will therefore have to look into considerations such as the following:
- How is information collected?
- Who is to be held accountable for such collection processes?
- How is it ensured that the information held is accurate and up to date?
- How (in what form) is information held?
- Has permission been received from the private person?
- Are staff members aware of the implications of POPI?
- With whom is information held shared?
- Are private persons informed when information held is disseminated to other persons or entities?
- When is personal information destroyed and how is this effected?
An Information Protection Regulator is to be appointed by the President, and will be involved in educating, monitoring and enforcing compliance with POPI, facilitating the operation of POPI across South African borders, and handling complaints. In terms of dealing with complaints, the Information Protection Regulator will be entitled to weigh up an individual’s right to privacy against the public interest, should such a consideration be necessary.
POPI does provide for certain exceptions to the Act’s application. These are specifically:
- Information processed in terms of purely household or personal activities;
- Sufficiently de-identified information;
- Information processed by/on behalf of a public body which involves national security, the prevention of money laundering activities, and criminal prosecutions;
- Information processed by the Cabinet or the Executive Council of a province; and
- Information processed by the judiciary.
POPI will mean personal information may only be processed by an entity or person if the consent obtained from the relevant private person is voluntary, specific and informed. Failure to abide by POPI and its requirements could result in fines or legal proceedings being brought against the offender.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE).