The Protection of Personal Information Act (“POPIA”) regulates how personal information is collected, used, stored, retained, destroyed, and generally processed from the moment of collection until the moment of destruction, keeping data subjects’ right to privacy of their own personal information at the forefront of how organisations use, share and handle their information
POPIA was signed into law in November 2013 and the substantive provisions of the Act commenced on 01 July 2020. Businesses now have until 1 July 2021 to ensure full compliance with the Act before it becomes fully enforceable.
1. The data subject: a person that the personal information belongs to or is about. Under POPIA, a data subject can be a natural person (i.e. an individual) or a juristic person (i.e. legal entities such as companies), and therefore measures need to be put in place to protect the personal information of both individuals and legal entities.
2. The responsible party: a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
3. The operator: a party who processes personal information on behalf of the responsible party under a contract or mandate.
POPIA sets out eight conditions that businesses must comply with when processing the personal information of data subjects. These 8 conditions are the foundational principles of POPIA that, when complied with, ensure that a data subject’s personal information is being processed lawfully.
The responsible party is accountable for the personal information it processes and stays accountable responsible for that personal information even if it passes the information on to a third party (for example an operator, to process the information on its behalf).
The responsible party is the entity that needs the personal information for a particular purpose (the “why”) and determines how that personal information must be processed in order to achieve the purpose (the “how”). It is the responsible party’s duty to ensure that the 8 conditions for lawful processing of personal information are complied with at the time of determining this “why” and “how”.
Personal information must be processed lawfully and in a manner that does not infringe on the data subject’s privacy. When processing personal information, those processing activities must be adequate, relevant and not excessive, taking into account the purpose that the information is being collected and processed for.
Businesses should not collect or process more personal information than it needs in order to achieve the purpose that it is being collected for.
POPIA sets out a general obligation to obtain consent from data subjects in order to process their personal information and sets out certain justifications or instances where consent to process will not be required.
Personal information must be collected for a specific, explicitly defined and lawful purpose.
The responsible party needs to identify what the purpose for processing the personal information is, and then ensure that the data subject is made aware of that purpose.
The purpose specification condition also regulates document retention and document restriction, and generally requires that personal information must not be retained for any longer than is necessary to achieve the purpose that it was collected for (subject to any document retention periods prescribed by law).
POPIA requires that personal information only be processed for the purpose that it has been collected for, and for no other purpose.
Further processing of personal information (i.e. additional processing for reasons other than the original processing activity) must be compatible with the original purpose that the personal information was collected for, otherwise the responsible party will need to get a new consent from the data subject for the additional or new processing activity.
The responsible party must take reasonably practicable steps to ensure that personal information records are complete, accurate, not misleading, and updated where necessary.
This condition requires businesses to be open about why they need the data subject’s personal information and how they intend using and process it.
Data subjects must be made aware of who is collecting their Personal Information (i.e. the business collecting and processing the Personal Information needs to be specified with details including name, address and contact details) together with other prescribed information that data subjects must be advised of when collecting the information, as set out in section 18 of POPIA, such as the purpose for collecting the information, whether the information being requested is voluntary or mandatory and the consequences of failing to provide the information requested, whether there is any law requiring or authorising the collection of the information, making data subjects aware of any third parties that the responsible party will be sharing the personal information with and for what purpose, and whether the responsible party intends to transfer that personal information outside of South Africa to another country and the level of protection afforded to that information if transferred cross border.
POPIA provides that the responsible party must take appropriate, reasonable, technical and organisational measures to secure the integrity and confidentiality of the personal information it processes and to prevent:
Security safeguards are not limited to IT systems and IT infrastructure; they need to be focused on across the business. Physical and technical security safeguards must be considered and implemented together with organisational measures such as security processes and procedures. Both electronic and hard copy records of personal information must be secured. It is therefore important not to overlook the security of hard copy records of personal information processed, stored and retained by a business.
Security measures must be reasonable taking into account generally accepted information security practices and procedures that apply to businesses generally and that are required in terms of specific industry or professional rules.
Under POPIA a data subject has the right to ask whether the responsible party holds any personal information about him/her, and to request the details of what personal information is being held, a copy of his/her personal information record and details of all third parties who have or had access to that information.
A data subject also has the right to request that his/her personal information record be corrected or deleted, if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully or that the personal information or record be destroyed or deleted if the responsible party is no longer authorised to retain it.