POPI is the Protection of Personal Information Act that was signed into law by President Jacob Zuma in November 2013. The act sets the conditions for how personal information is processed in South Africa. We look at the ins and outs of this legislation and how it affects local businesses.
What is POPI?
POPI is a piece of legislation that is intended to promote the right to privacy, while also protecting the right of access to information. It provides sets of rules that must be followed when personal information is processed by private and public bodies. It was designed to prevent negligent disclosure of personal information, and to ensure that organisations act responsibly when processing this data.
What is personal information?
This has been given a very wide definition, and it broadly applies to anything that can be used to identify an individual or juristic person (such as a company or CC).
This extensive list includes:
- Contact details: name, physical address, ID number, company registration number, email
- Demographic information: sex, race, age, ethnicity
- History: education, financial, medical, employment, criminal
- Biometric information: blood type
- Online identifiers: Twitter handle
- Correspondence: private and confidential
- Opinions: personal preferences, and other people’s views
What are the principles of POPI?
There are eight main conditions set out in the act that organisations need to comply with:
1. Processing Limitations – process only what you need and only for as long as necessary.
2. Purpose Specification – only collect information for a specific, explicitly defined and lawful purpose.
3. Further Processing Limitations – the original purpose must be considered before passing on information, and additional consent is then needed.
4. Information Quality – collected information must be complete, relevant and up-to-date.
5. Openness – data can only be collected by a responsible party, and it must be clearly communicated why this information is being processed and who will see it.
6. Security Safeguards – reasonable measures must be used to protect the integrity of all personal information.
7. Participation – the data subject is allowed access – free of charge – to details of information kept relating to them.
8. Accountability – the responsible party is ultimately accountable for the personal information, even if it is transferred to another party for processing.
Who does POPI apply to?
Any business that processes personal data – automatically or recorded on paper – must comply with POPI’s data protection principles. Processing includes the collection, use, storage, distribution, modification or destruction of any information about a consumer, employee or business customer.
From the very first moment that a business obtains personal information, until it has been returned or destroyed, that organisation must comply with POPI. If you are the responsible party, you are accountable for the compliance of the suppliers who use your customer data to execute their services and contractual obligations.
The scope of POPI is extensive, but there are some exceptions, including purely household or personal activities, and activities relating to the judiciary, criminal investigation and national security.
What if you don’t comply with POPI?
An organisation that does not comply could face heavy fines and/or imprisonment of up to 10 years for certain offences.
Why is POPI good for business?
This legislation brings the South African data protection laws in line with other countries, and it has three main benefits:
- Increased customer confidence – it promotes transparency about how personal information is collected and processed, and this openness is likely to improve customer confidence.
- Database reliability – by capturing data accurately and securely, and removing obsolete information, it gives organisations the opportunity to simplify and streamline their operations and policies, ultimately increasing the reliability of databases.
- Reduced risk – by taking reasonable measures to ensure personal information is protected, it decreases the chance of data breaches.
How to comply?
A business will need to understand the principles of POPI and assess how it collects, stores, uses, disseminates and destroys personal information. It will have to implement adequate security systems and procedures in order to comply with POPI requirements, and maintain the confidentiality and integrity of personal information.
We live in a digital age where personal information is vital for successful communication in a business. While it is also the responsibility of each individual to protect their own information, the ultimate goal of POPI is to bring about positive and beneficial changes that will protect everyone’s personal information.
LEAP is an authority on providing business advice where you need it. For help and information contact us on 011 449 7074 or visit www.leapco.co.za.