On August 22, 2013, the South African Parliament passed the first comprehensive data protection legislation in South Africa, the Protection of Personal Information (POPI) Bill. This Bill supports the existing right to privacy found in section 14 of the Constitution of the Republic of South Africa, 1996, and is designed to prevent the negligent disclosure of South African citizens’ Personally Identifiable Data (PID). Modeled on the current EU data protection regime, the Bill establishes the Office of the Information Regulator (OIR) as a data protection office, and outlines requirements for out-of-country transfers of PID, explicit consent for the collection and use of PID, time limits on PID retention, disclosure requirements, and minimum security and protection measures associated with the storage of PID. POPI provides exclusions for purely household or personal activity; “sufficiently de-identified information;” and state, national security, judiciary, and journalistic functions. In contrast, violations invoke civil and criminal penalties, for which the OIR may seek fines up to ZAR 10 Million (~$1 Million US), as well as compensatory and/or aggravated damages.
“Personal information” means information relating to a person and includes all information about that person, including his or her characteristics and identifying information and correspondence that are implicitly or explicitly of a private or confidential nature.
POPI provides that personal information:
i) Must be processed lawfully and in a reasonable manner that does not unnecessarily infringe upon the privacy of employees;
ii) May only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive;
iii) Must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the employer;
iv) Except in cases of emergency (such as when an employee may be out of office and an employer needs to collect data from his or her computer, urgently) the employer must inform the employee that it is collecting personal information, and inform him or her of the purpose of the collection of the information, save in limited circumstances.