
CGF ARTICLES, OPINIONS & EDITORIALS

The Protection of Personal Information Act is law: Where to from here? (2014-05-16)

Article by Dr Peter Tobin, John Cato and Professor David Taylor

Do you remember the old story about how to get things moving?
That’s right, the one about the stick and the carrot! Well, now we have something new to focus our attention on, namely the Protection of Personal Information Act No. 4 of 2013 (‘POPI’). POPI was gazetted in late 2013, and some of its sections commenced in April 2014; now is the time to get things moving in terms of compliance with this important Act.

So where is the “stick and carrot” for POPI?

Think about how broad the definition of “personal information” can be: customers, employees, suppliers, in fact anyone we interact with as a business. The POPI Act was signed into law in November 2013, and the remaining sections are expected to come into effect in the next few months. Organisations will then have twelve months to become fully compliant or face the prospect of some potentially stiff penalties (including fines of up to R10 million) or, worse, reputational damage and loss of customers. That’s the “stick” part of the deal.

The “carrot” aspect is the opportunity to boost confidence in your business by demonstrating the way you manage sensitive personal data. Personal information includes data about customers, suppliers and employees, whether it sits in emails, invoices, databases or printouts. This means showing that you have processes and procedures in place to handle, effectively and securely, every aspect of what the POPI Act covers.

Where does POPI come from?

Privacy and data protection laws have existed in other countries for many years. Examples are the European Union (EU) Data Protection Directive (95/46/EC), adopted in 1995, and the UK Data Protection Act 1998. The POPI Act is modelled on the EU legislation to a large extent, and POPI has been written to ensure that South Africa is in line with international best practice.

Conditions for lawful processing of personal information in the POPI Act

Accountability = assigning ownership in your business;
Processing limitation = processing information for lawful reasons and in a manner that does not infringe privacy;
Purpose specification = only obtaining and holding personal information for a specific purpose;
Further processing limitation = further processing of personal information must be compatible with the purpose for which it was collected;
Information quality = ensuring that information is complete and accurate;
Openness = informing individuals that their information has been obtained and the purpose thereof;
Security safeguards = the integrity of personal information must be secured using reasonable technical and organisational measures;
Data subject participation = an individual has the right to ask whether an organisation holds their personal information. An individual may also request that the information be corrected or deleted if it is inaccurate or incorrectly held.