The Protection of Personal Information Act, 2013 (or “POPI” as it has colloquially become known) promotes the protection of personal information by requiring that public and private bodies comply with certain standards when collecting, processing, storing and sharing personal information. While POPI has yet to come into effect, there have been some developments moving it closer to implementation.
POPI has its roots in section 14 of the Constitution of the Republic of South Africa, 1996, which provides that everyone has the right to privacy. The State is also required to respect, protect, promote and fulfill this right. POPI, which was passed in 2013, is a key piece of legislation giving effect to this right and the State’s obligation and, in particular, regulates the right to protection against the unlawful collection, retention, dissemination and use of personal information.
“Personal information”, in the context of POPI, means information relating to an identifiable, living, natural person, and, in certain instances, to companies, close corporations, trusts and other juristic persons and, includes:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the name of the person, if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person.
Certain administrative provisions of POPI have been in force since 2014, but the heart and soul of POPI has yet to come into effect (and will only come into force on a date to be determined by the President). From that date, there will then be a 12-month grace period before full compliance with POPI will be required.
During the initial flurry of activity following the passing of POPI, business and legal communities have been waiting with nervous anticipation for the commencement of POPI to be announced. However, after the passing of nearly four years, and perhaps because the initial hype has died down, with no announcement being made, many have placed POPI compliance on the back-burner, or more dangerous still, forgotten about POPI entirely.
Be warned, however, the wheels have once again started turning.
Those who think that POPI does not apply to them or to their business or organisation and that there is no need to be concerned with POPI compliance, should take a moment to reconsider, as something as simple as requesting and obtaining a CV in order to consider an applicant for a job, may well fall within the ambit of POPI. Customer, and in some cases, even supplier databases, and the information contained in these databases, may also contain personal information which must be handled in a POPI-compliant manner.
In December 2016, Advocate Pansy Tlakula was appointed as South Africa’s Information Regulator and since then, she and her team have been hard at work to get the office of the Information Regulator up and running as soon as possible. The Information Regulator is responsible for protecting personal information and promoting access to information, and will educate the public, monitor and enforce compliance, handle complaints, perform research and facilitate cross-border cooperation.
In February 2017, the Information Regulator announced that a zero draft of the regulations to POPI had been produced and submitted to the law advisor’s office for refinement and finalisation before the public consultation process begins. It is the Information Regulator’s intention to table the regulations in Parliament before the end of 2017. The announcement of the POPI commencement date is likely to go hand in hand with the finalisation of the regulations. In fact, in the Information Regulator’s current strategic plan, it is envisaged that it will be ready to assess public and private bodies for lawful processing of personal information beginning in 2019.
The message is simple and clear – POPI will soon be in effect, and affected businesses and organisations should begin their preparations to ensure that they are compliant. The key principles of POPI have been known for some time, yet employers and their staff remain (largely) blissfully ignorant of the implications. POPI compliance will, at the very least, require virtually every business and organisation to audit their operations to identify areas in which personal information is handled, to devise compliance protocols, and to train staff accordingly.
In the alternative, failure to comply with POPI may result in a fine of up to R10-million and/or up to 10 years in prison, not to mention the reputational damage that could be suffered. Considering the serious consequences of non-compliance, is it not worth biting the bullet and tackling POPI head-on while there is still the luxury of time?