POPIA Act

INFORMATION RELATING TO THE PROTECTION OF PERSONAL INFORMATION ACT (POPIA)

 CONTENTS

  1. INTRODUCTION
  2. POPIA QUICK BREAKDOWN
  3. PURPOSE OF THE POPI ACT
  4. RULES FOR PROCESSING OR USE OF PERSONAL INFORMATION OF A DATA SUBJECT
  5. RECORD KEEPING
  6. PROCESSING LIMITATIONS
  7. QUALITY OF INFORMATION
  8. OPENNESS
  9. SECURITY SAFEGUARDS
  10. ACCESS TO INFORMATION AND THE CORRECTION THEREOF
  11. PROHIBITION ON PROCESSING OF PERSONAL INFORMATION
  12. GENERAL PRINCIPLES
  13. OFFENCES AND PENALTIES REGARDING DATA PRIVACY IN SOUTH AFRICA
  14. SUMMARY OF POPIA IN SOUTH AFRICA
  15. FAQ

 

  1. INTRODUCTION

1.1 POPIA was first drafted in 2003, closely modelled on the European data privacy legislation of the time, the ePrivacy Directive, but it was halted and revised on several occasions in the subsequent years, including after the General Data Protection Regulation (GDPR) came into force and significantly updated the EU’s data privacy regime.

1.2 South Africa’s Protection of Personal Information Act (POPIA) took effect on 1 July 2020 with a grace period of 12 months, meaning that enforcement will begin 1 July 2021.

1.3 South Africa’s POPIA is the latest major data privacy law in the world to be modelled closely after the EU’s GDPR (and the ePrivacy Directive), empowering its citizens with enforceable rights over their personal information, establishing eight minimum requirements for data processing (e.g. introducing consent as a required legal basis), creating a broad definition of personal information for comprehensive end-user protection, as well as forming the Information Regulator (SAIR) as lead enforcer and supervisor of the law.

1.4 The broader legal data privacy regime in South Africa also consists of the Constitution itself (which guarantees citizens the right to privacy) and the Electronic Communications and Transactions Act (ECTA) of 2002, which regulates the collection of personal information but makes compliance voluntary for companies and organizations.

1.5 On 24 March 2021, with 100 days to the enforcement of POPIA, South Africa’s Information Regulator released a statement detailing its prioritized focus areas, including:

1.5.1 Creating codes of conduct for POPIA compliance.

1.5.2 Reviewing draft guidelines for information officer registrations.

1.5.3 Finalizing guidance notes and templates for prior authorization, security compromise notifications and cross-border personal information notifications.

1.6 South Africa’s Information Regulator also states in the 24 March statement that the compulsory registration of information officers will be available on its website from 1 May 2021 under the title Guidance Note on Information Officers.

1.7 POPIA applies to any processing (collection, recording, organizing, sharing, using, storing etc.) of personal information by a responsible party (website, company or organization) located in South Africa or outside it, if it uses means of processing in South Africa.

1.8 If your website, company or organization is located in South Africa and you process personal information, you are automatically obliged to comply with POPIA.

  2. POPIA QUICK BREAKDOWN

2.1 POPIA applies to any company or organization processing personal information in South Africa that is domiciled in the country, or that is not domiciled there but makes use of automated or non-automated means of processing in the country.

2.2 Fines for non-compliance with POPIA can range up to ZAR 10m.

2.3 Transfers of personal information outside of South Africa are prohibited by POPIA (with exceptions).

2.4 POPIA creates nine actionable rights for South African citizens (data subjects), including but not limited to the right to access, the right to correction and the right to deletion.

2.5 POPIA also creates eight conditions for lawful data processing, in which the consent of the data subject is central. It is up to websites, companies and organizations (“responsible parties”) to prove that their processing is lawful, e.g. that correct consents have been obtained from users.

2.6 POPIA defines:

  • Consent as any voluntary, specific and informed expression of will.
  • Processing as collection, receipt, recording, organization, storage, merging and linking.
  • Personal information as any information relating to not only a natural person but also a company or legal entity, including but not limited to:
    • Names, addresses, telephone numbers, email addresses.
    • Information about age, race, gender, appearance, characteristics, sexual orientation, political convictions, religious beliefs, language.
    • Health data such as physical or mental health, well-being, disabilities.
    • Online identifiers such as email addresses, IP addresses, cookies, unique IDs, search and browser history.
    • Location data.

2.7 POPIA allows companies and organizations to process data if it is deemed in the user’s “legitimate interest”, creating a point of ambiguity for possible abuse and enforcement difficulties.

 

  3. PURPOSE OF THE POPI ACT

3.1 The purpose is to give effect to:

3.1.1 The right to privacy and the safeguarding of personal information once it is processed by a third party.

3.1.2 Regulating the manner in which information may be processed, providing persons with rights and remedies if personal information is not used within the framework of the Act, and providing for the establishment of an Information Protection Regulator.

3.1.3 Ensuring that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information.

3.1.4 Ensuring that institutions are held accountable should they abuse or compromise personal information in any way.

3.2 POPIA involves three parties (who can be natural or juristic persons):

3.2.1 The data subject: the person to whom the information relates.

3.2.2 The responsible party: the person who determines why and how to process, for example, profit companies, non-profit companies, governments, state agencies and people (or called controllers in other jurisdictions).

3.2.3 The operator: a person who processes personal information on behalf of the responsible party, for example, an IT vendor (called Processors in other jurisdictions). 

  4. RULES FOR PROCESSING OR USE OF PERSONAL INFORMATION OF A DATA SUBJECT

4.1 Personal information may only be processed if the person consents to the processing, or if the processing is necessary to carry out actions for the conclusion or performance of a contract. Consent is given by clients via the signing of a contract.

4.2 A person may object to the use of his personal information in the manner prescribed in the Privacy Policy, and the person receiving the information must then refrain from using it. The office will comply with any such request as and when it is received.

4.3 Information collected must be for a specific, explicitly defined and lawful purpose relating to the business. The person providing the information must be aware of the purpose for which it is collected. The information collected via a contract is for use by the Copwatch control room in case of an alarm activation or emergency only. The administration department of Copwatch may also use certain information from the contract for financial purposes in the collection of money.
  5. RECORD KEEPING

5.1 Records must not be retained for longer than necessary.

5.2 Records must be kept for the periods required by law.

5.3 Where records are deleted, it must be done in a manner that prevents reconstruction. Hard copy records are shredded and electronic copies are deleted as follows:

5.3.1 Inboxes are deleted daily, with only needed documents filed separately.

5.3.2 Sent items are held for 3 years, after which they are all deleted.

5.3.3 The other documents on the system are deleted after 5 years unless they are genuinely required going forward.

5.4 You are entitled to keep records of personal information for historical, statistical or research purposes if you have established safeguards to prevent the records being used for any other purposes. Records are used only for their intended purpose; they are locked in the office, and systems are accessible only with passwords.

  6. PROCESSING LIMITATIONS

6.1 The information collected must only be further (extra) processed if it is in line with the original purpose it was collected for or with the consent of the provider.

  7. QUALITY OF INFORMATION

7.1 Personal information provided must be accurate, complete and not misleading and updated where necessary.

  8. OPENNESS

8.1 You can only process information if you notify the Regulator. Refer to Chapter 6 of the Act.

8.2 You must ensure that the person providing the information is aware that the information is being collected, of the company that is collecting it, of the purpose for which it is collected, etc. See section 17 for the full list.

  9. SECURITY SAFEGUARDS

9.1 The company that collects the information must secure the integrity of the information and take appropriate steps to prevent loss, damage or unauthorised destruction of, or unlawful access to, the information. See the enclosed Annexure listing the personal information we maintain in the office. All systems are backed up via the cloud, and hard copy information will be reconstructed as and when necessary. All documents are kept in cupboards in the office.

Unauthorised destruction or unlawful access is addressed by way of very restricted access to the offices, with locked cupboards. System access is protected by passwords on all computers.

9.2 To give effect to 9.1, the collector must identify all internal and external risks to personal information in its possession, establish appropriate safeguards against these risks, regularly verify that the safeguards are effectively implemented, and continuously update the safeguards in response to new risks and to deficiencies in previous safeguards. We have anti-intrusion protection software on our computers. All computers have antivirus software installed. Systems and programs are updated regularly by our IT service provider. Offices and cupboards are locked.

9.3 The collector must have due regard to generally accepted information security practices. The office has practised, and will continue to practise, good information security principles.

9.4 The operator/s of the collector may only process the information with the knowledge and authority of the collector, must treat the information as confidential, and must not disclose it. This must be governed by a written contract.

9.5 If the collector believes that the information in its possession has been accessed or acquired by an unauthorised person, the provider of the personal information and the Regulator must be notified in writing. As much information as possible about the unlawful access must be provided so that the provider can take the necessary preventative steps.

  10. ACCESS TO INFORMATION AND THE CORRECTION THEREOF

10.1 The provider of information has the right to ask the collector what information is kept and who else, apart from the collector, has access to his information.

10.2 The provider of information may ask the collector to correct or delete personal information or delete records which the collector is no longer authorised to retain.

  11. PROHIBITION ON PROCESSING OF PERSONAL INFORMATION

11.1 Unless specifically permitted, you may not collect information concerning a child, or information concerning religious beliefs, race (unless required by law), trade union membership, political opinion, health, sexual orientation or criminal behaviour. There are various exemptions to these prohibitions.

  12. GENERAL PRINCIPLES

12.1 The processing of information is not in breach of the information protection principle if the processing authority authorised such processing.

12.2 The Regulator may authorise the processing of information even if the processing is in breach of the information protection principle. 

12.3 People often provide information for one reason and do not realise that it may be used for other purposes as well. Therefore POPIA prescribes eight specific principles for the lawful processing and use of personal information.

12.4 In a nutshell, the POPIA principles are:

12.4.1 The responsible party must ensure that all principles set out below are in fact complied with.

12.4.2 The processing of information is limited, which means that personal information must be obtained in a lawful and fair manner.

12.4.3 The information can only be used for the specified purpose it was originally obtained for.

12.4.4 The POPI Act limits the further processing of personal information. If the processing takes place for purposes beyond the original scope that was agreed to by the data subject, the processing is prohibited.

12.4.5 The person who processes the information must ensure the quality of the information by taking reasonable steps to ensure that the information is complete, not misleading, up to date and accurate.

12.4.6 The data subject and the Information Regulator must be notified that data is being processed and the data subject must know for what purpose the information is being used.

12.4.7 The person processing data must ensure that proper security safeguards and measures to protect against loss, damage, destruction and unauthorised or unlawful access to or processing of the information have been put in place.

12.4.8 The data subject must be able to access the personal information that a responsible party has on them and must be able to correct the information.

  13. OFFENCES AND PENALTIES REGARDING DATA PRIVACY IN SOUTH AFRICA

13.1 The offences as articulated in POPIA are:

13.1.1 Hindering and obstructing the Information Regulator in the execution of its obligations and duties.

13.1.2 Non-compliance with an Enforcement Order.

13.2 The penalties for breaches are:

13.2.1 A fine, or

13.2.2 Imprisonment for a period not exceeding 10 years, or

  14. SUMMARY OF POPIA IN SOUTH AFRICA

14.1 With the Protection of Personal Information Act (POPIA) in South Africa in effect, another strong, protective data privacy law has emerged to join the expanding network of end-user empowerment spreading across the globe and the Internet.

14.2 Closely aligned with the EU’s General Data Protection Regulation, POPIA ensures thorough data privacy protection for citizens of South Africa and makes an adequacy decision by the EU likely, paving the way for smooth and secure transfers of personal data between the two.

  15. FAQ

15.1 What is POPIA in South Africa?

15.1.1 The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law that empowers citizens with enforceable rights over their personal information, requires websites, companies and organizations to live up to minimum conditions for lawful processing, and establishes the Information Regulator to supervise and enforce compliance with POPIA.

15.2 Who does POPIA apply to?

15.2.1 The Protection of Personal Information Act (POPIA) applies to websites, companies, organizations and other legal entities who are located inside South Africa and who process personal information. However, POPIA also applies to responsible parties who are located outside South Africa, if they process personal information inside the country (not only transferring it through it).

15.3 How can I become compliant with POPIA in South Africa?

15.3.1 Compliance with POPIA means asking for and obtaining the prior consent of end-users before any processing of their personal information. Compliance also means meeting several minimum requirements for lawful processing, such as documentation, security and confidentiality, and ensuring that end-users can exercise their rights to access, correct and delete already collected data.
