The Protection of Personal Information Bill 2009 (POPI or the
Bill*) aims to bring South Africa in line with international data
protection laws. The impact of this legislation will be
far-reaching and will significantly affect the way companies
collect, store and disseminate personal information. Members of our
Information Law and Data Protection Group provide some insight into
the implications of POPI in this series of Snapshots.
The Bill sets out eight conditions that responsible parties will
need to take into consideration for the processing of personal
information to be lawful. This Snapshot considers the first of
these eight conditions, namely accountability.
Condition 1 - Accountability
Under POPI, a responsible party processing personal information
must comply with eight conditions and the measures necessary to
give effect to these conditions. Compliance must be achieved not
only when the actual processing of information takes place, but
also when determining the purpose and means of processing the
Accountability refers to accountability supported by legal
sanctions, as well as to accountability established by codes of
An organisation will be responsible for personal information in
its possession or custody, including information that has been
transferred to service providers for processing. Thus a responsible
party should use contractual or other means to provide a comparable
level of protection while the information is being processed by a
third party processor.
In addition, when personal information is to be transferred to
another person or organisation, whether domestically or
internationally, an organisation should:
obtain the consent of the individual; or
exercise due diligence and take reasonable steps to ensure that
the recipient person or organisation will protect the information
consistently with these conditions.
The impact of this condition on organisations that process
personal information is that it will need to implement measures to
ensure that its employees are aware of the conditions, and monitor
compliance by its employees.
*The Bill has been adopted by the Portfolio Committee
on Justice and Constitutional Development and by the National
Assembly (NA). This Snapshot has been drafted using the latest
version of the Bill as passed by the NA.
The Bill will now be referred to the National Council
of Provinces for consideration and thereafter signed into law. It
is anticipated that this process could take anything from one to
six months. The Bill provides for a one year grace period before
POPI's provisions become effective.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Nigerian Communications Commission (NCC) has concluded plans to introduce Lawful Interception (LI); a legally sanctioned official access to private communications, such as telephone calls or email messages
After 10 years of debate, South Africa’s President Jacob Zuma has finally signed South Africa’s first framework privacy bill into law, the Protection of Personal Information Bill.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).