PoPIA
FAQs
Do you have a question about the PoPI Act?
We’ve compiled a list of the most frequently asked questions we’ve encountered in our years of experience in PoPI Act implementations. If you can’t find the answer you are looking for, please contact our PoPIA team directly. One of our privacy experts will get in touch with you soon.
The Protection of Personal Information Act, Act No. 4 of 2013.
The purpose is to regulate the processing of Personal Information. It aims to encourage the flow of information in a secure and responsible manner. The spirit of the Act is to ensure that organisations that hold and process personal information do so carefully and with respect for the rights and interests of the people to whom it pertains.
- Public and Private Sector
- Natural and Juristic persons (meaning registered companies and organisations)
- Paper and electronic records
PI is information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing, juristic person. In other words, any information about an identifiable human being or an identifiable company.
Examples of PI include:
Race, Gender, Sex, Marital Status, Nationality, Sexual Orientation, Age, Physical or Mental Health, Disability, Religion, Language, Education, Medical, Financial, Employment, ID, Email, Address, Telephone Number, Location information, Blood Type, Biometric Information, Personal Opinions, Preferences, Private or Confidential Correspondence, Views or Opinions of another person
In the rapidly evolving technology and information age, it is becoming more difficult to protect the privacy of information, as it becomes increasingly vulnerable to new threats that keep emerging. Worldwide, data protection (e.g. the General Data Protection Regulation, or GDPR, of Europe) is becoming recognised as a fundamental business practice which cannot be ignored. Failure to protect personal information could have fatal consequences for your brand and reputation.
The bulk of the PoPI Act went into effect on 1 July 2020. The Information Regulator has granted a grace period of 12 months for organisations to become compliant. This means everybody must be compliant by 1 July 2021, or else face prosecution from the Information Regulator when the final clauses of the Act come into effect.
A person or company who collects, processes, stores and uses personal information.
A person or company who processes personal information on behalf of the responsible party.
There are various other laws that also protect personal information. The key ones are:
- Consumer Protection Act (CPA)
- National Credit Act (NCA)
- Regulation of Interception of Communications Act (RICA)
- Promotion of Access to Information Act (PAIA)
- Electronic Communication Act
- Cybercrime Bill
- Your constitutional right to privacy as defined in the Bill of Rights
A person who provides information about himself/herself. These can be individuals or businesses.
As stated in the condition of processing limitation, the PoPI Act requires you to apply the principle of minimality and only collect PI that you absolutely need to be able to service a customer, staff member or third party. Since the PoPI Act also requires that you specify the reasons for the collection of PI, if you don’t have a valid reason for why you need certain personal information, you shouldn’t be collecting it.
The Information Officer is responsible for ensuring that the organisation complies with PAIA and the PoPI Act. They must be registered with the Information Regulator.
Not all countries have adequate data protection or privacy legislation. Transferring personal information to such countries without taking appropriate measures will render the transfer illegal. It is important to have a contract in place with the other party where they agree to abide by the PoPI Act.
You may, when the recipient in the other country is subject to a law, binding corporate rules or agreements that provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject in South Africa. If the other country does not have such rules in place, you can copy the PoPI Act stipulations into the contract agreement and ensure the other third party complies with it.
Consent means any voluntary, specific and informed expression of will in terms of which a data subject agrees to the processing of personal information relating to him or her or it.
Processing means any operation or activity, whether or not by automatic means, concerning personal information including:
OBTAINING:
Collection, Receipt, Recording, Organisation, Collation, Storage, Updating, Modification, Retrieval, Alteration
DISSEMINATION:
Transmission, Distribution, Making available
DESTROYING:
Merging, Linking, Restriction, Erasure, Destruction
- Loss of personal information due to inadequate security safeguards
- Collecting personal information without having obtained the necessary consent
- Sending personal information to people who are not supposed to have it
- Breach of security safeguards (network with personal information is hacked)
- Not complying with an enforcement notice issued by the Information Regulator
- Processing special personal information without there being a necessity
Use it for any purpose other than the purpose for which it was authorised.
Only people and organisations authorised by the data subject or those people and organisations allowed under the PoPI Act. Once you have established justification for forwarding the PI you must ensure that those people or organisations also comply with the PoPI Act and have appropriate security safeguards.
There are eight (8) conditions and four (4) special conditions. The eight conditions are Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards and Data Subject Participation.
The four special conditions are Secure Cross Border Flow, Permission for Direct Marketing, Secure Special Personal Information and Automatic Decision Making.
Your Records Retention Policy will inform retention periods for all types of PI you collect from your data subjects. If there is a valid business reason as to why you should keep the information beyond the prescribed retention periods, you can do so, provided that you have informed the Regulator and the Data Subject of the intention and purpose.
Where certain permissions were obtained from the Information Regulator. Certain laws may trump certain PoPI Act rules, for example data subject requests in the insurance industry where the only information available on a person is that they are a beneficiary on a person’s policy. In this instance, the Insurance Act forbids that a company disclose to a person if they are a beneficiary on someone’s policy. There may be other scenarios that emerge that could justify certain exemptions to the PoPI Act (these may typically be fraud-related issues where disclosing to data subjects the use of their information for investigations could be detrimental to the case).
- A person must have a choice whether to consent or not (it must be voluntary)
- The consent must relate to a specific purpose and you must specify your purpose.
- You must notify the data subject of various things as set out in section 18 of the PoPI Act.
- You must inform the person sufficiently to enable them to make a decision.
- The person must express their will in some form.
Authorised people using the specific personal information for its intended purpose.
A juristic person (non-natural) is regarded as an entity covered by the PoPI Act. Therefore, organisations also have personal information and special personal information as defined by the Act.
There are significant consequences for non-compliance, including up to R10 million in fines per offence and/or up to 10 years in prison per offence.
How long you retain PI and other confidential information for all data subjects must be defined in the Records Retention Policy. Retain it only for as long as is needed to fulfil the intended purpose for which the information was collected or processed, and keep other legislative requirements in mind.
The challenge and success of becoming PoPI Act compliant will depend largely on people’s adoption of various data protection practices. If you don’t bring your people on board, you will fail to achieve the desired behaviours (i.e. people taking personal accountability for protecting personal information).
Absolutely. You have the responsibility to ensure that you have a contract in place with your storage vendor, so that they have the appropriate controls in place and all physical documents stored on their premises are safeguarded and protected.
You must be registered with the Information Regulator as a lawful processing entity.
No, although there are all sorts of exemptions in the Act for specific scenarios. Everyone must be aware of what they are, as certain criteria need to be met before an exemption can be invoked.
No, as they are designed for two very different reasons. The Secrecy Bill is not actually a well-favoured piece of legislation, as it is designed to classify certain pieces of data as “secret”, which raises the concern that bodies with a vested interest can declare the detail “secret” and then conduct their activities in “secret” without being obliged to inform Joe Public. The data is expressly protected by making it a crime to divulge it. The PoPI Act is the opposite: it protects our right to privacy and puts the accountability on the responsible parties to ensure they apply practical and reasonable measures to protect data subjects’ information from being compromised.
No. The PoPI Act is not going to put an end to direct marketing. Direct marketing happens all over the world in many countries that have had data protection laws for decades. Direct marketing is a legitimate interest that organisations can pursue to find new customers. The big change or implication of the PoPI Act is that in future direct electronic marketing to prospects will be on an opt-in basis.
Yes, you can. The PoPI Act will have a big impact on email and SMS marketing. You can currently email market on an opt-out basis. This means you can send anyone emails until the person asks you to stop. Under the PoPI Act, you will only be able to direct market on an opt-in basis – you can email someone only once to get their consent to send them more emails.
No, unless you have obtained their specific consent for this.
You are required by certain laws to keep records of staff (even when they leave) for certain periods of time. Beyond this retention period, you should dispose of the information. The retention period for employees that have left the organisation should be defined in the Records Retention Policy.
For the purposes of Business as Usual (BAU), and BAU only, with respect to the PoPI Act, employees may keep electronic records on their desktops and hard copies on their desks. The Record Retention Policy will shed more light on the retention of information held on desktops and local drives.
Yes and no. It depends on the context of the situation. If it is business-related, i.e. for the intention of servicing the customer (e.g. resolving a query or complaint), then yes, it is normal that a customer’s information would need to be shared across departments to get an issue resolved. If the employee is sharing customers’ information with a friend or relative to assist their business in finding customers, or for example is sending a customer list to a competitor, then no, that is strictly forbidden.
As the responsible party, you share certain personal information with suppliers that you interact with. It is important to have formal third-party agreements with all your suppliers, especially the ones that make use of your data subjects’ personal information to provide services on your behalf. This contract between you and your supplier prescribes the privacy requirements that you can hold your suppliers accountable to with regards to the processing of personal information.
Yes, if a third party or supplier breaches any of your customer, employee or other suppliers’ information, you will still remain accountable and liable to the data subject. You can be found to be in breach of the PoPI Act and will be liable for the penalties.
No. ISO 9000 – 2001 is an international standard and the PoPI Act is legislation. Being ISO 9000 – 2001 compliant will certainly assist you in meeting security compliance. You can have security without privacy, but you can’t have privacy without security. There are specific privacy requirements laid down in the principles of the PoPI Act that you as an organisation need to comply with in order to become PoPI Act compliant.
A third party is held to be an Operator in terms of the Act. That means they are still responsible for what happens, by way of the contract they would have concluded with you before they started to act on your behalf. Your Head of Privacy will then have to deal with the breach according to your Incident and Breach Management procedures.
Absolutely. There is a vast array of concerns. While in transit, the PI must be protected (encrypted, and de-identified if possible). The cloud environment, if in another country, must provide the same, if not more, protection than is required in South Africa.
Absolutely. If your cloud service is based in another country, it is your responsibility to ensure that the contracted provider meets certain privacy requirements. You should also ensure that, if you enter into a relationship with them, they will uphold the same principles as prescribed in the PoPI Act.