May 8, 2014 / News / Legal Brief

The purpose of this Werksmans overview is to provide a basic understanding of the Protection of Personal Information Act and its practical significance to you and your business.

Protection of Personal Information Act No. 4 of 2013 (“POPI”)

AN INTRODUCTION TO POPI

POPI was promulgated on 26 November 2013. POPI is intended to promote the right to privacy enshrined in the Constitution, while at the same time protecting the free flow of information and advancing the right of access to information.

POPI establishes the rights and duties that are designed to safeguard personal data. In terms of POPI, the legitimate needs of organisations to collect and use personal data for business and other purposes are balanced against the right of individuals to have their privacy, in the form of their personal details, respected.

POPI applies to a particular activity, i.e. the processing of personal data, rather than to a particular person or organisation. Therefore, if you process personal data, you must comply with POPI and, in particular, you must handle personal data in accordance with POPI’s data protection principles.

Therefore, if you collect or hold information about an identifiable individual, or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of POPI is very wide and it applies to almost everything you might do with an individual’s personal details, including details of your employees.

THE POPI FRAMEWORK

Essentially, POPI:

  • sets out the rules and practices which must be followed when processing information about individuals
  • grants rights to individuals in respect of their information
  • creates an independent regulator to enforce these rules, rights and practices.

It should be noted that POPI applies to:

  • information that is processed automatically
  • information recorded on paper
  • health records and certain public authority records.

IMPLEMENTING POPI

The term “processing” in terms of POPI has a very wide meaning. It is intended to cover any conceivable operation on data, ranging from collecting, recording and holding, to the subsequent disclosure and eventual destruction of data. Going forward, it is of the utmost importance that any responsible party reviews its data processing activities on a regular basis. In particular, a responsible party (i.e. an organisation) should form a view and take steps in order to:

  • fully understand the data processing activities that the organisation engages in
  • train relevant staff members on a continual basis to ensure they fully understand the impact of POPI on their particular focus area within the organisation
  • consider whether appropriate written contracts are in place with third parties for whom personal data is processed, or to whom the processing of personal data is outsourced
  • evaluate the security measures in place to keep personal data secure at all times
  • clarify the terms under which intra-group transfers of personal data are made
  • consider, in detail, the cross-border transfer of personal data
  • review internal procedures ensuring continued compliance with POPI and the effective and efficient handling of enquiries and complaints by individuals.

It is always important to note that your organisation’s duties under POPI apply throughout the period that the organisation is processing personal data, as do the rights of individuals in respect of that personal data.

Therefore, an organisation must comply with POPI from the moment it obtains the data until the time the data is returned, deleted or destroyed.

In addition, these duties extend to the manner in which the organisation disposes of personal data which is no longer needed. Data must be disposed of securely and in a way which does not prejudice the interests and rights of the individual/s concerned.

THE FUNDAMENTALS OF POPI

It is important that every organisation understands at minimum the following about POPI compliance:

  • the legitimate grounds for collecting and using personal data in order to ensure that such data is not used in ways that have unjustified adverse effects on the individuals concerned;
  • the lawful purpose for which data is collected, so as to ensure that the data is not further processed in any manner contrary to the purpose/s for which the data was collected;
  • the extent of the information required for the purpose as intended, ensuring that only adequate and relevant information is collected and preventing any excessive information collection;
  • the information retention periods and requirements applicable, together with destruction processes and procedures;
  • the rights of individuals, i.e. data subjects, in terms of POPI;
  • security measures required to prevent the unauthorised or unlawful processing of, or access to, personal data, including accidental loss, destruction or damage to personal data;
  • understanding the roles, duties and responsibilities of all parties involved when it becomes necessary to transfer data outside the country;
  • processes and procedures to put in place to ensure that data remains current and accurate at all times.


CONCLUSION

Werksmans advises clients on all aspects related to data protection and privacy.

This overview is intended to assist you in understanding the process of implementing POPI compliance in your organisation. Information control is central to creating an environment in which POPI processes and procedures may be successfully implemented and its principles maintained in your organisation.

Our services include:

  • Compliance review through the determination of existing practices and procedures in order to formulate an “as is” gap analysis
  • Assisting in the development of detailed data management processes and procedures to ensure compliance with legislation
  • Interpreting POPI duties, taking into account other existing legislation, e.g. the National Credit Act, the Electronic Communications & Transactions Act, the Consumer Protection Act and the Promotion of Access to Information Act
  • Guidance and assistance with the development of policy documentation and internal process flows, guidance scripts and re-alignment of legal documents
  • Advising on employment-related issues
  • Formulation of incident management processes and procedures
  • Development of an overall POPI compliance roadmap in terms of understanding current practice and arrangements
  • Clearly understanding the way forward in terms of a risk management plan
  • Enabling staff and empowering the organisation through an organisation-specific plan
  • Creating a culture of compliance.