Is your business POPI compliant?
On 26 November 2013, the Protection of Personal Information Act (“POPI”) was passed into law. The effective date of POPI has not yet been proclaimed. POPI will have a dramatic impact on most businesses, including yours if it involves or utilises personal information for either internal or commercial purposes.
The Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy. The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
Personal Information is very broadly defined and includes “information about an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including but not limited to information relating to the:
race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
education or the medical, financial, criminal or employment history of the person;
any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
the biometric information of the person;
the personal opinions, views or preferences of the person;
correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
the views or opinions of another individual about the person; and
the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
POPI seeks to regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.
We recommend that you conduct a POPI compliance assessment using the following diagram:
Is your business using Personal Information and for what purpose? Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of your business.
What types of Personal Information is your business currently using for internal and commercial purposes?
Is your business processing any Personal Information? Processing includes any operation or activity, whether or not by automatic means, concerning Personal Information, including the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination, and erasure or destruction of Personal Information.
Personal Information must be safely and securely stored and may only be accessed or acquired by authorised persons.
Interaction with the Data Subject:
Are you obtaining informed consent from all the persons (“Data Subjects”) whose Personal Information your business is using? The use of Personal Information must be consented to by the Data Subject, and the information must be used only for the specified purpose that has been agreed to.
As a responsible party collecting Personal Information, you must take reasonably practicable steps to ensure that the Data Subject is aware of all the information being collected.
Dissemination & Transfer:
Is your business sharing personal information with other entities? Personal Information must not be distributed in any way which is incompatible with the purpose for which it was collected.
Having regard to your business’ use of Personal Information, will you be required to notify either the Data Subject or the Information Protection Regulator?
As the penalties for non-compliance with the provisions of POPI are severe, we recommend that you assess the impact of POPI on your business and initiate practical measures to comply with POPI as soon as possible.
Should you need any further assistance in complying with the provisions of the Protection of Personal Information Act, please contact our Commercial Department at firstname.lastname@example.org or 011 324 3025.