The Protection of Personal Information Act, 2013 (Act No. 4 of 2013) or POPI has only been partially implemented, with the focus mainly on establishing a national Information Regulator. But many commentators believe that full implementation will probably not be delayed past 2018.
Are organisations ready?
Teryl Schroenn, CEO of Accsys believes that the majority of organisations are not adequately prepared for compliance. “At conferences, we see a small show of hands when asking how many have POPI-ready systems and processes in place.”
Schroenn asserts that a successful POPI rollout starts with total buy-in from senior executives and management. “Organisations need a strong committee with the authority to drive change,” she says.
“In addition, they’ll require thorough guidance from legal, subject matter, technical and change management experts.”
It’s also important to have at least a broad understanding of the Act.
Firstly, there are 8 conditions that a data collector must meet: making themselves accountable to the law; limiting personal information collection and use to a minimum; collecting data for a specified purpose only; allowing third party processing only in terms of the original purpose; preserving the quality of the data; documenting how the data is processed, and informing the subject of its use and effect; securing the integrity and confidentiality of the data; and ensuring the data subject has access to and control of their information.
Certain information is considered sensitive and subject to greater restrictions. This includes religious and philosophical beliefs; race and ethnic origin; trade union membership; political persuasion; health or sex life; criminal behaviour or biometrics; and personal information of children.
The Act establishes an Information Regulator, tasked with providing public services for and enforcing POPI. Data collectors must appoint an Information Officer as per the Promotion of Access to Information Act 2 of 2000.
To use personal information for certain purposes, data collectors must first obtain authorisation from the Regulator. Such purposes include processing data outside its original purpose, linking it to data from third parties, or transferring it to a foreign country lacking adequate protection.
Data subjects have specific rights regarding unsolicited electronic communications from direct marketers, being listed in public directories, and decisions made about them by automated decision making processes.
Restrictions on transmitting personal information to foreign countries apply, but they don’t prohibit the data collector from doing so when necessary to its function.
The Act dictates how complaints are processed, the conditions for warrants, search and seizure of data, how violations are assessed, and the right of a data collector to appeal. Certain acts are unlawful and may carry a prison sentence of up to 10 years or a fine of up to R10 million. However, the Regulator will consider the nature and extent of each transgression.
(The above summary is for information purposes only. The reader is encouraged to seek legal and technical counsel before addressing POPI.)
Why should organisations start implementing POPI now? “While POPI provides a mandate for the cause,” says Schroenn, “organisations should already be protecting their customers’ and employees’ information simply because it’s the right thing to do.”