POPI – What you need to know

Protection of Personal Information Act (POPI)

So what exactly is POPI?

The Protection of Personal Information Act (“POPIA”) introduces new legislative requirements for organisations and will significantly change how organisations receive, use and review the personal information of natural and juristic persons. The purpose of POPIA is to give effect to the Constitutional right to privacy, with particular focus on the growing problem of identity theft and the misuse of personal information. POPIA has been in development for several years, but the process is now coming to an end. The bulk of the Act commenced on 1 July 2020, with a 12-month grace period to allow organisations to align their policies with the legislative framework of POPIA. In a recent notice published in the Government Gazette, the grace period for processing activities that must be notified to the Information Regulator for prior authorisation in terms of section 58(2) was extended to 1 February 2022. It is important to note that only the section 58(2) prior-authorisation requirement has been extended; the bulk of the Act remains enforceable from 1 July 2021.

What is the scope of POPIA’S application?

POPIA applies to all organisations that process personal information. “Processing” is widely defined in the Act and includes, but is not limited to, the collection, storage, receipt, updating, distribution and destruction of personal information. The term “personal information” also has a broad definition and covers the information of natural persons and, where applicable, juristic persons. Personal information includes:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education, medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

How do companies lawfully process Personal Information?

POPIA sets out 8 conditions (often called principles) with which organisations must comply in order to process personal information lawfully. They are:

  • Accountability as stipulated by section 8;
  • Processing Limitation as stipulated by sections 9 – 12;
  • Purpose Specification as stipulated by sections 13 – 14;
  • Further Processing Limitation as stipulated by section 15;
  • Information Quality as stipulated by section 16;
  • Openness as stipulated by sections 17 – 18;
  • Security Safeguards as stipulated by sections 19 – 22; and
  • Data Subject Participation as stipulated by sections 23 – 25.

Where personal information is processed for direct marketing, organisations must comply with the above conditions and, in addition, with Chapter 8 of the Act, which imposes further rules on direct marketing by means of unsolicited electronic communications (section 69), directories (section 70) and automated decision making (section 71). The impact of POPIA on direct marketing is therefore widespread. Organisations routinely contact potential customers directly via electronic media for marketing purposes, and those individuals are given the option to “opt out” if they are not interested in the product or service advertised to them. Section 69 reverses this: direct marketing by electronic communication (such as e-mail, SMS or automated calling) requires the data subject’s consent, so potential customers must “opt in” before marketing starts. Consent may be requested only once, and the only exception is for existing customers whose details were obtained in the context of a sale, who may be marketed similar products or services provided they were given the opportunity to object at collection and on each communication.

Needless to say, POPIA requires the revision of a number of the organisation’s policies and documents, including:

  • non-disclosure agreements;
  • confidentiality agreements;
  • terms of sale;
  • instruction forms;
  • client information forms;
  • credit applications;
  • the amendment of any other form and/or document that contains personal information of a client or deals with the collection, distribution or any other form of processing of personal information of a client.

Section 19 requires organisations to secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures, so that such information does not end up in unauthorised hands. These measures span both physical security (alarm systems, cameras, access-controlled premises) and technical security (firewalls, access control on systems and databases). Organisations must make sure that every database holding personal information is protected by authentication, and that only designated staff with a business need are granted access, with individual credentials rather than a shared password, so that access can be revoked and accounted for. Staff members who have access to personal information must sign non-disclosure and confidentiality agreements preventing the distribution of that information. Where personal information is processed by a third-party operator on the organisation’s behalf, sections 20 and 21 require a written contract obliging the operator to maintain the same safeguards. Section 22 further requires that, where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, the organisation must notify the Information Regulator and the affected data subjects as soon as reasonably possible. Finally, all staff must be made aware of, and fully understand, the risks involved under POPIA as well as how to process information lawfully.

What are the Penalties for non-compliance?

Once the grace period has passed, non-compliant organisations face penalties. Non-compliance with the conditions of the Act could result in serious reputational and financial harm, and in some cases imprisonment.

The Information Regulator may impose an administrative fine of up to R10 million, and offences under the Act carry a fine or imprisonment of up to 12 months, or up to 10 years for the more serious offences. In conclusion, the enforcement date of POPIA, 1 July 2021, is fast approaching and its effects will be extensive. Companies therefore need to align their policies with the conditions of the Act or risk reputational damage, a fine or even imprisonment.

This article was written by Candice Belang. Candice is a candidate attorney at Mayet & Associates