POPI: What you need to know right now
The Protection of Personal Information Act 4 of 2013 (“POPI”) was initially implemented in April 2014. Implementation was incremental, however, as only certain sections came into force.
The President has announced that the remaining sections will now be implemented as follows:
Sections 2 to 38; sections 55 to 109; section 111; and section 114(1), (2) and (3) shall commence on 1 July 2020; and
Sections 110 and 114(4) shall commence on 30 June 2021.
POPI protects the right of individuals to privacy. It regulates the collection, retention, dissemination and use of personal information, and restores the autonomy of the client by allowing them to decide whether they want to share or receive information.
The sections which will commence on 1 July 2020 are essential parts of the Act and are summarised as follows:
1. The following 8 conditions set out the requirements for the lawful processing of personal information:
Accountability - Responsible parties (a public or private body who determines the purpose of processing personal information) must ensure that the conditions set out in POPI are complied with.
Processing limitation - Personal information must be processed lawfully and in a reasonable manner, i.e. data collection must be proportionate to the purpose and the data subject must give consent to the information processing.
Openness - The data subject must be aware of the collection of the data and must be provided with the name and address of the responsible party.
Data subject participation - A data subject must be provided with access to the personal information and may request that personal information be corrected.
Purpose specifications - Personal information must be collected for a specifically defined and lawful purpose related to a function of the responsible party. The data subject must be aware of this purpose.
Security safeguards - The responsible party must ensure compliance with the regulations of the Information Regulator by ensuring integrity and confidentiality of personal information.
Further processing limitations - If the information is shared with third parties, it must be a continuation of the original purpose only.
Information quality - The responsible party must ensure the accuracy of the personal information by taking steps to ensure that personal information is complete, updated and not misleading.
2. The regulation of the processing of special personal information:
A higher degree of protection is given to special personal information under POPI, given the highly sensitive nature of such information. Special personal information includes the following:
religious or philosophical beliefs
race or ethnic origin
trade union membership
health or sex life
criminal behaviour or biometric information
3. Codes of Conduct issued by the Information Regulator:
If a code of conduct is issued by the Information Regulator it must be published in the Government Gazette, as soon as reasonably practicable after the code is issued. The code of conduct will come into force on the 28th day after the date of its notification in the Gazette or on such later date as may be specified in the code and is binding on every class or classes of body, industry, profession or vocation referred to therein.
4. Procedures for dealing with complaints:
A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code. The code of conduct will provide for the appointment of an independent adjudicator to whom complaints may be made.
5. Provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of POPI:
The processing of personal information for the purpose of direct marketing by any form of electronic communication, including automatic calling machines, SMS or e-mail, is prohibited unless the data subject has given consent to the processing or has not previously withheld such consent. The requirement of consent in cases where the data subject is not a customer of the responsible party would be better served by an opt-in or opt-out provision.
6. Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act. This means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 1 July 2021.
Non-compliance with POPI can potentially lead to claims for civil damages, administrative fines, or criminal prosecution where fines and imprisonment of between 1 and 10 years are prescribed.