THE RIGHT TO PRIVACY
POPIA or the POPI Act is a South African law that is intended to give effect to the Constitutional right to privacy. The protection is specific to ‘personal information’ when it is ‘processed’. However, POPI also brings South Africa closer to international requirements for the protection of data and privacy. The most common benchmark is the General Data Protection Regulation or ‘GDPR’ which applies within the European Economic Area, and to data of its citizens that is processed outside of this area.
Personal information is a wide category including names; addresses; identity and passport numbers; dates of birth; physical characteristics; marital status; sex; gender preference; mental health; biometric information; email addresses; personal views; education; criminal, financial and employment information.
Personal information includes a subset called ‘special personal information’ for which specific consent to use is required. In other words, for this information the responsible party (see below) must say exactly what the information will be used for and obtain specific consent for that use. This subset includes religious or political beliefs, race or ethnic origin, and trade union membership.
In short, personal information is any type of information that could identify a person. A person includes a legal or juristic person as well as a natural person. The person whose personal information is being processed is called the ‘data subject’.
This important term, ‘processing’, covers most activities in relation to personal information. It includes collection, storage, modification, deletion, distribution, publication, and even organisation, retrieval and destruction. In short, any type of use of personal information is likely to constitute ‘processing’. A responsible party may only process personal information with the consent of a data subject.
It is often the case that a third party will need personal information to carry out certain services for data subjects; patients will need to give their healthcare workers their personal information, students will need to give educators their personal information, online buyers will need to provide personal information to purchase goods and services online, and banks will need personal information to open bank accounts and even provide credit facilities. These third parties are called ‘responsible parties’.
There are other third parties that will need to process personal information; however, they are not responsible parties because they are carrying out the processing on behalf of the responsible party. These entities are called ‘operators’. They are not directly affected by the POPI Act unless the responsible party specifically incorporates the requirements of the Act in its contract for services from operators.
THE KEY RULES
The POPI Act must be read with a number of guidelines and regulations that are published on the Information Regulator’s website. This regulator is part of the Department of Justice. However, there are several important and primary rules in relation to the lawful processing of personal information set out in the Act, referred to as the 8 principles. These are:
Consent to processing is not needed for processing personal information if another law requires it, if the Information Regulator has given permission for that processing, or if the processing relates to personal information about race or ethnic origin in order to comply with anti-discrimination or positive discrimination laws. The POPI Act does not apply to data processed for personal reasons; data that has been de-identified (allocated a code) and cannot be re-identified; data processed by or for a public body relating to national security, law enforcement or the justice system; or data processed by Cabinet and its committees or an Executive Council. Consent is not necessary to process personal information for literary or artistic expression and journalism, as these activities are regarded as a matter of public interest.
THE INFORMATION OFFICER
All private and public bodies must appoint an Information Officer (IO). In the case of private companies, the head of the organisation (usually the CEO) is automatically the IO unless he or she delegates this role to someone else. There are forms available on the Information Regulator’s website that must be completed for both the appointment of the IO and the delegation of the IO’s duties.
The IO has specific duties including the creation and implementation of a compliance framework within the company, the publication of a Promotion of Access to Information Act Manual (also known as a PAIA manual), receiving and dealing with requests for access to personal information, and training. The PAIA manual is a document that takes a standard form, which can be downloaded at Understanding PAIA (sahrc.org.za). However, the information that is included in the manual is specific to each organisation. Every company must have a PAIA manual that is published on its website and available at its offices. This manual sets out the rules for accessing information that a person needs in order to protect or enforce a right.
The IO must, in order to properly deal with personal information and processing, ensure that every kind of risk to personal information is addressed by implementing various rules and safeguards within the company.
In addition to the manual, the IO must establish the processes for obtaining consent from existing data subjects, i.e. those people whose personal information the company already holds, and from future data subjects. The processes for collecting, storing, using, accessing and destroying that information must all be documented and enforced.
Not every company or person will be processing personal information. The Act requires a thorough assessment of what it is that you do, whether you use personal information and, if so, how you should collect, use and store it. It is likely that further guidance, including litigation, will clarify certain aspects of the Act and its application in practice. Make sure your IO is up to date.