To whom does POPI apply?
There are very few businesses in South Africa that will not be impacted by POPI. POPI applies to -
- any public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information ("responsible party"); and
- any person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party.
Does POPI also apply to personal information of companies?
Are there any exemptions or exclusions from compliance with POPI?
Yes, there are numerous exclusions and exemptions from compliance with the information processing principles prescribed by POPI. These exclusions and exemptions apply depending on the type of information being processed and how it is processed.
What is "personal information"?
"Personal information" is defined extremely widely and includes any information that can identify a person.
What is "processing"?
"Processing" is also defined very widely and includes a vast number of activities concerning personal information, whether or not undertaken by automatic means.
What is a "record"?
A "record" is any recorded information, regardless of form or medium, in the possession or under the control of a responsible party, whether or not it was created by the responsible party and regardless of when it came into existence.
What is "special personal information"?
A higher degree of protection is given to special personal information under POPI given the highly sensitive nature of such information. Special personal information includes information concerning a child and personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, DNA, sexual life or criminal behaviour of a data subject.
What are the information processing principles?
There are eight information processing principles which form the core of POPI. These are -
- accountability: the responsible party must ensure that the eight information processing principles are complied with;
- processing limitation: processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed;
- purpose specification: personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The responsible party must take steps to ensure that the data subject is aware of the purpose for which his/her personal information is being collected;
- further processing limitation: this is where personal information is received from a third party and passed on to the responsible party for further processing. In these circumstances, the further processing must be compatible with the purpose for which it was initially collected;
- information quality: the responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, taking into account the purposes for which it was collected;
- openness: personal information may only be processed by a responsible party that has notified the Information Protection Regulator. Further, certain prescribed information must be provided to the data subject by the responsible party, including what information is being collected, the name and address of the responsible party, the purpose for which the information is collected and whether or not the supply of the information by that data subject is voluntary or mandatory;
- security safeguards: the responsible party must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information;
- data subject participation: a data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject, and to request from a responsible party the record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information. A data subject may also request a responsible party to -
  - correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, misleading or obtained unlawfully; or
  - destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.
Can I send personal information overseas and can personal information be returned to South Africa?
Yes, but there are restrictions on the sending of personal information outside South Africa as well as on the transfer of personal information back to South Africa. The applicable restrictions will depend on the laws of the country to which the data is transferred or from which the data is returned, as the case may be.
Do I need to provide an opt-in or opt-out for direct marketing?
Yes. Responsible parties should make use of both opt-in and opt-out options to make sure that the data subject understands and knows what he or she is consenting and objecting to.
For how long do I need to retain personal information under POPI?
Subject to exemptions provided for in POPI, personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected. In addition, if a responsible party has used the personal information of a data subject to make a decision about the data subject, it must retain the record for such period as may be required or prescribed by law or a code of conduct. If there is no law or code of conduct prescribing a retention period, it must retain the record for a period which will afford the data subject a reasonable opportunity to request access to the record.
A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record.
Who is the Information Regulator and what are its powers?
The Information Regulator is a juristic body that will be appointed in terms of POPI and will have wide-ranging powers and duties, including -
- to educate the public about POPI;
- to monitor and enforce compliance with POPI;
- to handle complaints about alleged violations of the protection of personal information of data subjects;
- to attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and
- to issue, from time to time, codes of conduct and make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct.
What is the sanction for non-compliance with POPI?
Sanctions include fines and imprisonment as well as administrative fines of up to R1 million.
What are the transitional provisions provided for by POPI?
Processing of personal information which is taking place on the date when POPI comes into force and does not conform to POPI must comply within one year of such date.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.