Help

The POPI Act aims to encourage the protection of personal information that is processed by both public and private bodies. To do this, the Act will introduce certain conditions that will establish the minimum requirements that businesses must comply with when processing personal information.

The Act also is aimed at providing rights to people when it comes to unsolicited electronic communications.

Basically, it’s a code of conduct that all businesses must comply with.

In a briefing on 13 February 2017, advocate Pansy Tlakula (the appointed chairperson of the Information Regulator) said that the majority of the provisions of the POPI Act would only come into operation once the Regulator was fully operational. It was expected that the Regulator would be up and running around December 2018.

While the Act hasn’t been implemented just yet, it’s fair to assume that it will be some time this year. Once the Act is in place, parties will be given a one-year transition period to comply — but the roll-out of a comprehensive POPI compliance plan can take between six months and two years to finalise. So if you haven’t already — you’d best start working on it!

In terms of the Act, personal information is data that can be used to identify a person. It is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”

This information about a person includes, but is not limited to:

• Race
• Gender
• Sex
• Pregnancy
• Marital status
• National / ethnic / social origin
• Colour
• Sexual orientation
• Age
• Physical or mental health
• Disability
• Religion / beliefs / culture
• Language
• Educational / medical / financial / criminal or employment history
• ID number
• Email address
• Physical address
• Telephone number
• Location
• Biometric information
• Personal opinions, views or preferences

Put simply — just about everyone.

All companies will be affected by the Act, but in particular, companies that deal with a large amount of personal information — think banks, insurance companies, medical aids, etc.

However, all companies need to have systems in place to deal with personal information. Plus, the POPI Act also has guidelines about direct marketing — so any brand sending messages or emails to consumers without them opting in, beware!

Firstly, it will affect the way you manage information. You’ll need to classify any consumer data that you hold and identify whether it constitutes as ‘personal information’. You’ll also be required to identify any ‘records’ and ‘sensitive’ information you might hold — remember that there is different criteria for handling personal information and non-personal information.

It will also affect the way you notify stakeholders. Third parties will have to be notified as soon as possible if there is a privacy breach and personal information is compromised.

It’s the law.

Also, there are other benefits to complying with the Act. According to POPI.biz, consumer studies have shown that in 90% of cases, consumers would rather do business with companies that are transparent and comply with legislation than any other business.

Sort of, but not really. It’s best to think of them as different flavours of the same thing. Pretty much, if you’re GDPR— (that’s General Data Protection Regulation, for those of you living under a rock) compliant — you’re pretty much POPI-compliant.

They are similar in some ways. Namely, they both lay down the law for processing and storing personal information and the rules for notifying third parties if there are security breaches.

However, they are different in the sense that the security regulations differ slightly, as follows:

GDPR: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security and appropriate to risks represented by the processing and the nature of the personal data to be protected.”

POPI: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”

Further, the penalties for a breach of each differs, with a breach under the GDPR can be a fine of up to four percent of annual global turnover or €20-million, whichever is greater. This kind of fine would cripple most South African companies.

The POPI Act’s aims is to:

• Promote the protection of personal information processed by public and private bodies.
• Introduce certain conditions to establish minimum requirements for the processing of personal information.
• Provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of both this Act as well as the Promotion of Access to Information Act, 2000.
• Provide for the issuing of codes of conduct.
• Provide for the rights of persons regarding unsolicited electronic communications and automated decision making.
• Regulate the flow of personal information across the borders of the Republic; and
• Provide for matters connected therewith.

If you hold any of the types of data mentioned below then you need the individual’s permission to have possession of it.

• Gender, race, marital status, nationality, sex, mental health, religion, belief, language, etc.
• Education or financial, criminal, medical and employment history.
• Biometrics, including physical, behaviour and/or physiological characterisations (DNA analysis, retinal scanning, blood type, etc.)
• Email address, telephone number, location information, online identifier, etc.
• Correspondence of a private nature.
• Opinions or views that another person has relating to the individual.
• The individual’s name, if disclosure of the name would lead to the revealing of information about the individual.

• Any public or private body, or any other person which, unaided or in combination with others, regulates the purpose of and means for processing personal information (Responsible Party).
• The ‘Responsible Party’ of every company is accountable for ensuring and enforcing its own compliance.
• Any person who processes personal information for a Responsible Party in terms of a mandate or agreement, without coming under the direct authority of the Responsible Party.

• If you act recklessly with this information, you not only face regulatory sanctions, but you also run an actual risk of damaging client relationships and overall business reputation.
• Non-compliance may have far-reaching consequences and could expose the Responsible Party to a penalty or fine of R10 million and/or imprisonment of 12 months up to 10 years.

• There are no legal requirements for a formal qualification to be obtained by the information Officer, but larger organisations tend to use someone with legal qualifications.
• The Information Officer can be a full-time or part-time role, depending on the company’s size and requirements.

• Notifications need to be done currently before the deadline on 01 July 2021 and afterwards.
• Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Regulator (section 22).
• Any number of breaches requires a notification to the Regulator, including just one minor breach.

If data on a device is encrypted then the theft of the device does not need to be notified to the Regulator, but without encryption a cell phone, tablet, laptop, or computer theft needs to be registered with the Regulator.

• The aim is to have it up and running by the 30 June 2021. This gives responsible companies and data owners plenty of time to train staff and be compliant before that date.

In a nutshell it is all about taking special care of the personal information that is entrusted to you by your customers and prospective customers.

As mentioned, on 1 July next year, the entire POPI Act will be fully enacted. Organisations have one year to become fully complaint or face possible sanctions.

All personal information processed is required to be processed lawfully. The definition of personal information is wide, but includes:

• Names, email addresses, identity number, physical and postal addresses.
• Opinions, political and trade union affiliation.
• Religion, race, gender, sexual orientation, age, mental health.
• Education, medical, financial, criminal or employment history.
• Biometric information.

In summary, any information that can be used to identify a data subject, is personal information. Importantly, in terms of POPI, both natural and juristic persons are considered data subjects.

Any touching of the data is considered processing, subject to the exclusions of pure household  or journalistic purposes.

Who the Responsible Party is, is one of the most important questions. The Responsible Party is the party who chooses how the data is collected, why it is collected, what the data is used for, and how it is destroyed. The Responsible Party bears the onus of ensuring that when they collect the data, and make any decisions regarding the data, that they do so in terms of POPI.

In terms of POPI, the Information Regulator can issue a fine of up to R10 million, or imprisonment of up to 10 years for the Information Officer in the event of a breach or a POPI infringement. If it can be shown that a company has taken pro-active steps towards compliance, the Information Regulator is more likely to look favourably on that company in the event of a breach.

Security safeguards are just one element of data protection. The best IT security in the world is not fool proof if measures are not put in place at a human level. POPI requires compliance at every step. POPI is a people problem. POPI requires planning and buy in from all stakeholders in an organisation. First, assess your POPI readiness and what you have in place now. 12 months may seem like a long time but for some organisations it will be difficult to turn around longstanding practices and procedures around data collection, storage, management, retention and destruction. Once companies have established their risk and requirements, they will have a better idea of how much time will be needed  and what measures will be appropriate to implement, by the 1 July 2021 deadline.

• The way you manage information: in terms of the Protection of Personal Information Bill (“POPI”), you will now have to classify what information you hold constitutes “personal information” (PI). King 3 also requires companies to identify what “records” and “sensitive” information they hold. You can therefore ‘kill three birds with one stone’  when doing a PI classification.  There will be different handling criteria for PI and non PI.
• You will have to notify third parties of breaches of their personal info due to a privacy breach.
• If you want more information on how POPI will affect you, read here and attend one of our webinars.

It is envisaged that POPI will be the primary legislation dealing with the protection of information. This does not mean that it will necessarily be the only one. However, any other Act will have to comply with the principles set out in POPI. Existing legislation will therefore have to be amended (a huge number of Acts will have to be dealt with in consequential amendments when POPI is enacted) to ensure compatibility and any new legislation will have to comply from the start. According to the SA Law Commission which drafted POPI, the following is envisaged in respect of the most important pieces of legislation that has been  identified: The privacy provisions in the Electronic Communications and Transactions Act will fall away in instances of duplication. Sections in the Promotion of Access to Information Act dealing with a person’s own personal information (as opposed to third party information and general information) will fall away and be dealt with in POPI. The National Credit Act (“NCA”) and the Consumer Protection Act (“CPA”) will have to be amended to comply with all the privacy principles or the sections dealing with privacy removed and dealt with in POPI. An arrangement to this effect is already in place with the DTI in so far as the NCA is concerned (the NCA was enacted before the PPI draft was available) and consultation regarding the CPB will still have to take place.

How is sensitive information like a persons “race” protected through the new privacy bill when it is required to submit this information for employment equity purposes?

“Protected” is misleading. If it constitutes “personal information” it has to be processed ito PPI.

Information security is distinct from the concept of privacy, although the two concepts often overlap. “Privacy” involves the protection of a person’s personal information by inter alia limiting the amount and kind of personal information gathered, notifying the person of the ways in which the person’s information is used or disclosed, obtaining the person’s consent to such use and disclosure and providing means for a person to review and update his own personal information. The concept of privacy also entails that a person’s private information will be kept secure against loss, theft, modification, unauthorised access, use or disclosure. Because the concept of privacy therefore encompasses security, but not vice versa, it is possible to have security without privacy. However, it is not possible to have privacy without security. Privacy is therefore broader than security. There is however a considerable overlap between privacy compliance and security obligations.

One has to factor in the cost of:

• a privacy impact assessment;
• the identification of PI;
• drafting and implementation of policies, training and technology.

All companies, but in particular companies that deal with a lot of sensitive PI such as banks, insurance companies and other companies in the financial services sector and companies that deal with medical information: medical aids etc…

The abbreviation is otherwise known as, the Protection of Personal Information Act. The POPI Act is South Africa’s equivalent of the European Union’s General Data Protection Regulation (GDPR). 

The main goal of the POPI Act is to protect data subjects from security breaches, theft, and discrimination. You can visit the South African Government website to find out what the rest of their aims are for this Act.  

It will include conditions for the lawful processing of personal data of South Africans (both South African citizens and those living in South Africa). The Act includes eight general conditions and three less descriptive conditions.

Out of all the questions, this one has been asked and asked again – and each time the answer seems to keep changing. POPIA was signed by then-president Jacob Zuma on the 19th November 2013 and was published in the Government Gazette on 26 November 2013. 

Parts of the law became effective on 11th April 2014, while the rest of the law was still inactive on the books in 2019. Once the Act becomes formal law, there will be a one year grace period to comply. 

That being said, the Information Regulator’s office stated that POPIA will commence in the second half of 2020, after speaking at the International Conference on Computers, Privacy and Data Protection that took place in Brussels earlier this year. 

The roll-out of a comprehensive POPI compliance plan can take between six months and two years to finalise. So if you haven’t already — you’d best start working on it as soon as possible!

Personal information is data that can be used to identify a person. This includes, but is not limited to the following:

• ID Number, 
• Email Address, 
• Telephone Number, 
• Physical Address, 
• Physical or Mental Health, 
• Disability, 
• Marital Status, 
• Pregnancy, 
• Religion/Beliefs/Culture, 
• Educational/Medical/Financial/Criminal or Employment History, 
• National/Ethnic/Social Origin, etc. 

To put it simply, just about all companies in South Africa will be affected, but in particular, those that deal with a large amount of personal information such as banks, insurance companies, medical aids, etc.

The biggest change is the introduction of restrictions for processing special types of personal information (including children’s data). All companies need to have systems in place to deal with personal information. 

The POPI Act will place an extra responsibility on healthcare professionals to monitor and self-report their own flow of personal information. This is especially important as the medical industry has a large amount of personal information in their possession. 

It’s natural for practitioners to collect personal information from their patients as they mainly use their data for diagnostic purposes and then for billing. The key will then be to keep the information safe from loss, damage, and unauthorised personnel as well as unlawful processing of this personal information. 

We have already covered the importance of backing up, using a cloud-based medical software, as well as the type of access each role should have in a practice. This will give you a better understanding and guideline in preparation for such measures. 

Don’t underestimate the POPIA and don’t just see it as a burden, instead, try to view it as an opportunity to create your own data strategy that will guard your company/practice and your clients/patients. 

However, failure to comply to this act can lead to a variety of implications – these include: 

• A complaint lodged with the Information Regulator, 
• Receiving a civil claim for payment of any damages, 
• Criminal prosecution – if convicted there could be a fine of up to R10 million or a prison sentence of up to ten years, or even both. 

As we have mentioned at the beginning of this blog, the POPI Act is South Africa’s equivalent of the European Union’s General Data Protection Regulation (GDPR). They are similar in some ways. 

They’re similar in the sense that both lay down the law for processing and storing personal information and the rules for notifying third parties if there are security breaches. And yet, they differ from each other in terms of their security regulations:  

• GDPR: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to risks represented by the processing and the nature of the personal data to be protected.”

• POPI: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”

For the purposes of section 3 of the Act any equipment capable of operating automatically in response to instructions given for the purpose of processing information

Personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country

A technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition

A natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him­ or herself

A code of conduct issued in terms of Chapter 7

Any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child

Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

The person to whom personal information relates

In relation to personal information of a data subject, means to delete any information that—

• identifies the data subject;
• can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

can be linked by a reasonably foreseeable method to other information that identifies the data subject,

To approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—

• promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
• requesting the data subject to make a donation of any kind for any reason

Any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;

A notice issued in terms of section 95

Any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria

A controlling undertaking and its controlled undertakings

The comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;

In relation to, a—

• public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
• private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;

A person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party

A natural person or a juristic person

Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

• information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well­being, disability, religion, conscience, belief, culture, language and birth of the person;
• information relating to the education or the medical, financial, criminal or employment history of the person;
• any identifying number, symbol, e­mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
• the biometric information of the person;
• the personal opinions, views or preferences of the person;
• correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
• the views or opinions of another individual about the person; and
• the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

Means—

• a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
• a partnership which carries or has carried on any trade, business or profession; or
• any former or existing juristic person, but excludes a public body;

any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

• the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
• dissemination by means of transmission, distribution or making available in any other form; or
• merging, linking, as well as restriction, degradation, erasure or destruction of information;

Any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice

Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government or any other functionary or institution when—

• exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
• exercising a public power or performing a public function in terms of any legislation

Means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body; “record” means any recorded information—

• regardless of form or medium, including any of the following—
  • Writing on any material;
  • information produced, recorded or stored by means of any tape­recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
  • label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
  • book, map, plan, graph or drawing;
  • photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
• in the possession or under the control of a responsible party;
• whether or not it was created by a responsible party; and

regardless of when it came into existence;

The Information Regulator established in terms of section 39

In relation to personal information of a data subject, means to resurrect any information that has been de­identified, that—

• identifies the data subject;
• can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
• can be linked by a reasonably foreseeable method to other information that identifies the data subject,

A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information

To withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information

Personal information as referred to in section 26 as:

• Religious or philosophical beliefs
• Race or ethnic origin
• Trade union membership
• Political persuasion
• Health or sex life
• Biometric information
• Criminal behaviour  

Any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.