The Protection of Personal Information Act, 2013 (the “POPIA”) became effective on 1 July except for certain provisions that only come into force on 30 June 2021 that allow for operational readiness of the Information Regulator who polices compliance.
There will be a one-year grace period within which to comply with POPIA and the Regulations enacted thereunder. Private and public bodies should ensure compliance by 1 July 2021.
POPIA reinforces a South African’s (called a ‘data subject’s’) constitutional right to privacy in both the public and private sectors by setting eight conditions for lawful processing of data. These conditions are: (1) accountability, (2) processing limitation, (3) purpose specification, (4) further processing limitation, (5) information quality, (6) openness, (7) security safeguards, and (8) data subject participation.
The act is not designed to prevent the processing of personal information but seeks to ensure that it is done fairly and without adversely affecting the rights of data subjects.
POPIA applies to the processing of personal information of a data subject entered in a record by a ‘responsible party’. He or she is the principal processor of personal data, who determines the purpose and means of processing. S/he processes the information in South Africa and is domiciled in South Africa or is domiciled elsewhere but uses automated or non-automated means in South Africa to process the personal information.
The POPIA defines “personal information,” as generally meaning information relating to an identifiable, living natural person and, where applicable, an identifiable company or other similar legal entity. The definition includes information relating to partnerships and unincorporated persons and provides a significantly detailed list of examples of personal information. These examples range from private correspondence and information about age, gender, sex and race to identifiers such as identity numbers, telephone numbers, location information, online identifiers, and personal opinions and preferences.
The responsible party processing personal information must comply with all eight conditions and the measures necessary to give effect to those conditions. Compliance must be achieved not only when the actual processing of information takes place, but also when determining the purpose and means of processing the personal information.
- Accountability: This condition requires that all processing of data occurs in compliance with POPIA. Practically, this requires that a data protection policy is established and that an internal information officer furthers the aims of and compliance with the legislation.
- Processing limitation: Personal data must be processed lawfully and in a reasonable manner that does not infringe on a data subject’s privacy. A responsible party must develop procedures and policies to ensure that personal information is processed in a “reasonable manner.”
- Purpose specification: Among other things, this entails that personal information may only be collected for a lawful, specific, and explicitly defined purpose related to the function or activity of the responsible party collecting the information. Data subjects must be informed of the purpose of the collection, except in exceptional circumstances, such as when the responsible party is required to comply with an obligation imposed by law.
- Further processing limitation: Once personal information has been collected and lawful processing has occurred, a responsible party may only further process that data in limited circumstances. These limited circumstances are determined based on whether the purpose of the further processing is “compatible” with the previously defined purpose.
- Information quality: A responsible party must ensure that any personal information in its possession is complete, accurate, not misleading and updated when necessary. In maintaining information quality, the responsible party must consider the purpose for which the personal information is collected or further processed.
- Openness: A responsible party must compile a manual that contains stipulated information as required by the South African Promotion of Access to Information Act, 2000, including details on the information that it holds. When personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of: (1) the information being collected and the source of the information; (2) the name and address of the responsible party; (3) the purpose for which the information is being collected; (4) whether the data subject is required to provide the requested information, or may do so voluntarily; (5) the consequences of failing to provide the information; (6) the legal basis for the collection of the information; (7) whether the responsible party intends to transfer the information to a third country and the level of protection afforded to the transferred information; and (8) any further information necessary for the processing to be reasonable under the circumstances.
- Security safeguards: A responsible party must secure the integrity and confidentiality of any personal information in its possession or under its control by taking appropriate and reasonable technical and organizational measures to prevent loss, damage, unauthorized destruction of, and unlawful access to the personal information in its possession.
- Data subject participation:
- The data subject has the right to request confirmation of whether a responsible party holds personal information about the data subject. The data subject also has the right to request a record or description of the personal information about the data subject being held by the responsible party, as well as information concerning the identity of all third parties who have had access to the data subject’s personal information.
data subject may request that a responsible party:
- correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained; and
- delete or destroy personal information that the responsible party is no longer authorized to retain.