The Protection of Personal Information (PoPI) Bill was enacted by Parliament early in 2014. The new Act allows organisations only one year from inception to comply, and some pretty strict penalties will be levied against organisations and individuals that intentionally continue to ignore the correct governance when interacting with individuals and their information. Over the course of the next few months, each of the eight core information protection principles will be discussed in turn to give an indication of how the Act is likely to impact every organisation that processes personal information.
Overview of principles
The Act is founded on a set of eight core information protection principles that have evolved over time in various jurisdictions around the world. These jurisdictions include the European Union, the member regions of the Organisation for Economic Cooperation and Development (OECD), the Commonwealth and the Asia-Pacific Economic Cooperation (APEC). Over the years, the principles contained in the Act have become recognised as the leading-practice baseline for effective data privacy regulation around the world. They are generally believed to reflect an acceptable compromise between, on the one hand, the right to privacy and the legitimate need to use personal information for private sector business purposes and, on the other hand, the duty of both the public and private sectors to give effect to the equally fundamental right of access to information.
The eight information protection principles contained in the Bill are the following:
- Principle 1: Accountability
- Principle 2: Processing Limitation
- Principle 3: Purpose Specification
- Principle 4: Further Processing Limitation
- Principle 5: Information Quality
- Principle 6: Openness
- Principle 7: Security Safeguards
- Principle 8: Data Subject Participation
A discussion of the principles contained in the Bill:
- Principle 1: Accountability
  - This principle contemplates the assigning of responsibility by organisations for overseeing compliance with the Bill.
- Principle 2: Processing Limitation
  - This principle requires that personal information may only be processed in a fair and lawful manner.
- Principle 3: Purpose Specification
  - The principle of Purpose Specification helps to determine the scope within which personal information may be processed by an organisation.
- Principle 4: Further Processing Limitation
  - Once an organisation has identified and obtained consent for specific, legitimate and explicitly defined purposes, the processing of such personal information may only occur insofar as it is necessary for the fulfilment of those purposes.
- Principle 5: Information Quality
  - Clause 16 of the Bill sets out, in general terms, the responsibility of organisations to ensure and maintain the quality of the personal information that they process.
- Principle 6: Openness
  - The sixth principle of “Openness” is linked directly to an organisation’s duty to process information in a fair and transparent manner.
- Principle 7: Security Safeguards
  - The underlying theme of Principle 7 is that all personal information should be kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure.
- Principle 8: Data Subject Participation
  - Principle 8 empowers individuals to access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated.
What if we told you it is possible to comply as an organisation and that this is also something you would want as an individual? Ask us how.
TO WHOM DOES POPI APPLY?
There are very few businesses in South Africa that will not be impacted by POPI. POPI applies to:
- any public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information (the “responsible party”); and
- any person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party.
DOES POPI ALSO APPLY TO PERSONAL INFORMATION OF COMPANIES?
ARE THERE ANY EXEMPTIONS OR EXCLUSIONS FROM COMPLIANCE WITH POPI?
Yes, there are numerous exclusions and exemptions from compliance with the information processing principles prescribed by POPI. These exclusions and exemptions apply depending on the type of information being processed and how it is processed.
WHAT IS “PERSONAL INFORMATION”?
“Personal information” is defined extremely widely and includes any information that can identify a person.
WHAT IS “PROCESSING”?
“Processing” is also defined very widely and includes a vast number of activities concerning personal information, whether or not undertaken by automatic means.
WHAT IS A “RECORD”?
A “record” is any recorded information, regardless of form or medium, in the possession or under the control of a responsible party, whether or not it was created by the responsible party and regardless of when it came into existence.
WHAT IS “SPECIAL PERSONAL INFORMATION”?
A higher degree of protection is given to special personal information under POPI given the highly sensitive nature of such information. Special personal information includes information concerning a child and personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, DNA, sexual life or criminal behaviour of a data subject.
WHAT ARE THE INFORMATION PROCESSING PRINCIPLES?
There are eight information processing principles which form the core of POPI. These are:
- accountability: the responsible party must ensure that the eight information processing principles are complied with;
- processing limitation: processing must be lawful, and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed;
- purpose specification: personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The responsible party must take steps to ensure that the data subject is aware of the purpose for which his/her personal information is being collected;
- further processing limitation: this is where personal information is received from a third party and passed on to the responsible party for further processing. In these circumstances, the further processing must be compatible with the purpose for which it was initially collected;
- information quality: the responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, taking into account the purposes for which it was collected;
- openness: personal information may only be processed by a responsible party that has notified the Information Protection Regulator. Further, certain prescribed information must be provided to the data subject by the responsible party, including what information is being collected, the name and address of the responsible party, the purpose for which the information is collected and whether or not the supply of the information by that data subject is voluntary or mandatory;
- security safeguards: the responsible party must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information;
- data subject participation: a data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject, and to request from a responsible party the record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
A data subject may also request a responsible party to:
- correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, misleading or obtained unlawfully; or
- destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.
CAN I SEND PERSONAL INFORMATION OVERSEAS AND CAN PERSONAL INFORMATION BE RETURNED TO SOUTH AFRICA?
Yes, but there are restrictions on the sending of personal information outside South Africa as well as on the transfer of personal information back to South Africa. The applicable restrictions will depend on the laws of the country to which the data is transferred or from which the data is returned, as the case may be.
DO I NEED TO PROVIDE AN OPT IN OR OPT OUT FOR DIRECT MARKETING?
Yes. Responsible parties should make use of both opt-in and opt-out options to make sure that the data subject understands and knows what he or she is consenting and objecting to.
FOR HOW LONG DO I NEED TO RETAIN PERSONAL INFORMATION UNDER POPI?
Subject to exemptions provided for in POPI, personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected. In addition, if a responsible party has used the personal information of a data subject to make a decision about the data subject, it must retain the record for such period as may be required or prescribed by law or a code of conduct. If there is no law or code of conduct prescribing a retention period, it must retain the record for a period which will afford the data subject a reasonable opportunity to request access to the record.
A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record.
WHO IS THE INFORMATION REGULATOR AND WHAT ARE ITS POWERS?
The Information Regulator is a juristic body that will be appointed in terms of POPI and will have wide-ranging powers and duties, including:
- to educate the public about POPI;
- to monitor and enforce compliance with POPI;
- to handle complaints about alleged violations of the protection of personal information of data subjects;
- to attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and
- to issue, from time to time, codes of conduct and make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct.
WHAT IS THE SANCTION FOR NON-COMPLIANCE WITH POPI?
Sanctions include fines and imprisonment as well as administrative fines of up to R1 million.
WHAT ARE THE TRANSITIONAL PROVISIONS PROVIDED FOR BY POPI?
Processing of personal information which is taking place on the date when POPI comes into force and does not conform to POPI must be brought into compliance within one year of such date.