May 2021
FACT SHEET: THE PROTECTION OF PERSONAL INFORMATION ACT, 2013
THE RIGHT TO PRIVACY
POPIA or the POPI Act is a South African law that is intended to give effect to the Constitutional right to privacy. The protection is specific to ‘personal information’ when it is ‘processed’. However, POPI also brings South Africa closer to international requirements for the protection of data and privacy. The most common benchmark is the General Data Protection Regulation or ‘GDPR’ which applies within the European Economic Area, and to data of its citizens that is processed outside of this area.
PERSONAL INFORMATION
Personal information is a wide category including names; addresses; identity and passport numbers; dates of birth; physical characteristics; marital status; sex; gender preference; mental health; biometric information; email addresses; personal views; education; and criminal, financial and employment information. Personal information includes a subset called ‘special personal information’ for which specific consent is required: for this information, the responsible party (see below) must say exactly what the information will be used for and obtain specific consent for that use. This subset includes religious or political beliefs, race or ethnic origin, and trade union membership.
In short, personal information is any type of information that could identify a person. A person includes a legal or juristic person as well as a natural person. The person whose personal information is being processed is called the ‘data subject’.
PROCESSING
This important term covers most activities in relation to personal information. It includes collection, storage, modification, deletion, distribution, publication, and even organisation, retrieval and destruction. In short, any type of use of personal information is likely to constitute ‘processing’. A responsible party may only process personal information with the consent of a data subject.
It is often the case that a third party will need personal information to carry out certain services for data subjects; patients will need to give their healthcare workers their personal information, students will need to give educators their personal information, online buyers will need to provide personal information to purchase goods and services online, and banks will need personal information to open bank accounts and even provide credit facilities. These third parties are called ‘responsible parties’.
There are other third parties that will need to process personal information; however, they are not responsible parties because they are carrying out the processing on behalf of the responsible party. These entities are called ‘operators’. They are not directly affected by the POPI Act unless the responsible party specifically incorporates the requirements of the Act in its contract for services from operators.
THE KEY RULES
The POPI Act must be read with a number of guidelines and regulations that are published on the Information Regulator’s website. This regulator is part of the Department of Justice. However, there are several important and primary rules in relation to the lawful processing of personal information set out in the Act, referred to as the 8 principles. These are:
- Accountability – the responsible party remains accountable even if an operator carries out processing
- Limitations on processing – personal information cannot simply be collected and used; only the personal information that is necessary to achieve a particular purpose can be collected and then, only with the consent of the data subject. In addition, processing must be adequate, relevant and not excessive, considering the purpose of processing
- Purpose specification – the purpose of the processing must be fully disclosed to the data subject, and once it has been achieved, personal information should not be retained or used (unless another legal obligation requires document retention)
- Further limitation – this is closely related to the previous 2 principles. Once collected for processing for a particular purpose, the personal information must not then be used for anything else, unless new consent is given by the data subject
- Information quality – as far as possible, the responsible party must ensure that the information it collects is complete, accurate, not misleading and updated where necessary
- Openness – this principle is about disclosure. Data subjects must be given all the details of the responsible party, as well as the purpose, prior to handing over their personal information. In some cases, personal information will be mandatory for the service to be provided and this must be disclosed along with the consequences of failing to do so. If the responsible party will share the personal information with anyone else then that fact must also be disclosed, along with the purpose of sharing the information. Finally, if the personal information is going to be transferred outside of South Africa, this must be disclosed and the way in which the information will be protected thereafter should also be disclosed
- Security safeguards – the Act requires a certain standard of protection to be adopted by responsible parties. They must take appropriate and reasonable technical and organisational measures to secure the integrity and confidentiality of the personal information that they process, and prevent loss, damage or unauthorised destruction of personal information; and unlawful access to or processing of personal information. This principle requires a responsible party to look closely at the systems used to process personal information – both technical (IT) and human
- Data subject participation – data subjects may ask whether a responsible party has any personal information about them and what it consists of, and may ask for and receive a copy of the information as well as details of anyone who has had access to it. A data subject may also ask for personal information to be corrected or deleted particularly if it is not accurate, not relevant, out of date, incomplete, misleading or was unlawfully obtained; and if the authority given to the responsible party is no longer applicable. This principle also applies to direct marketing by electronic means (spam or initial contacts).
Consent to processing is not needed for processing personal information if another law requires it, if the Information Regulator has given permission for that processing, or if the processing relates to personal information about race or ethnic origin in order to comply with anti-discrimination or positive discrimination laws. The POPI Act does not apply to data processed for personal reasons, data that has been de-identified (allocated a code) in a way that cannot be reversed, data processed by or for a public body relating to national security, law enforcement or the justice system, or data processed by Cabinet and its committees or an Executive Council. Consent is not necessary to process personal information for literary or artistic expression and journalism, as these activities are regarded as a matter of public interest.
THE INFORMATION OFFICER
All private and public bodies must appoint an Information Officer (IO). In the case of private companies, the head of the organisation (usually the CEO) is automatically the IO unless he or she delegates this role to someone else. There are forms available on the Information Regulator’s website that must be completed for both the appointment of the IO and the delegation of the IO’s duties.
The IO has specific duties, including the creation and implementation of a compliance framework within the company, the publication of a Promotion of Access to Information Act manual (also known as a PAIA manual), receiving and dealing with requests for access to personal information, and training. The PAIA manual is a document that takes a standard form, which can be downloaded at Understanding PAIA (sahrc.org.za). However, the information that is included in the manual is specific to each organisation. Every company must have a PAIA manual that is published on its website and available at its offices. This manual sets out the rules for accessing information that a person needs in order to protect or enforce a right.
The IO must, in order to properly deal with personal information and processing, ensure that every kind of risk to personal information is addressed by implementing various rules and safeguards within the company.
In addition to the manual, the IO must establish the processes for obtaining consent from existing data subjects, i.e. those people whose personal information the company already holds, and from future data subjects. The processes for collecting, storing, using, accessing and destroying that information must all be documented and enforced.
NOTES
Not every company or person will be processing personal information. This Act requires a thorough assessment of what it is that you do, whether you use personal information and, if so, how you should collect, use and store it. It is likely that further guidance, including litigation, will clarify certain aspects of the Act and its application in practice. Make sure your IO is up to date.