We have come a long way since the Protection of Personal Information Act, Act No. 4 of 2013 (hereinafter referred to as "POPIA"), was assented to in 2013. POPIA has now been proclaimed to have commenced on 1 July 2020.
Companies have 12 months from 1 July 2020 to comply with the provisions of POPIA. In order to become compliant, an organisation will have to critically assess its processes and ensure that appropriate compliance protocols are implemented to protect personal information. For larger organisations with complex processing systems, 12 months may not be enough.
To assist you and get you going with the daunting task of implementing the requirements of POPIA, we have compiled a list of general questions and answers.
Is POPIA applicable to my business?
- The provisions of POPIA apply to all businesses, persons and organisations that "process" any "personal information".
- Whether you collect or receive "personal information" from suppliers, contractors, clients or customers, for whatever reason, you will have to comply with POPIA.
What constitutes "Personal Information"?
- "Personal Information" means information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person.
- Personal information may include, but is not limited to, any information of a natural or juristic person relating to race, gender, sexual orientation, culture, religious beliefs, education, medical history, financial or criminal records, identifying numbers, addresses, blood type or personal preferences.
What or who is a "Responsible Party"?
- A responsible party is any body or person (natural or juristic) that determines the purpose of and means for processing personal information.
- For example, should Company A outsource the capturing and managing of its personnel files to Company B, Company A remains the responsible party (Company B, which processes the information on Company A's behalf, is referred to in POPIA as the "operator").
What constitutes the "processing of personal information"?
- The "Processing of Personal Information" means any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information, including the collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, transmission, distribution or making available in any other form, merging, linking, restriction, degradation, erasure or destruction of a "data subject's" personal information.
- Therefore, the capturing of written information on a computer system or in a "filing system", the sending of an email to a group of people, the removal or transmission of electronic files, or the removal of cookies may all constitute the "processing of personal information".
What is a Filing System?
- The provisions of POPIA apply to the "processing of personal information" that is in "record" form or which forms part of a "record". A "record" means any recorded information, regardless of form or medium, usually in a systematic form or chronological format.
- Therefore, one must comprehend the meaning of a "filing system", which POPIA defines as any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
What or who is a Data Subject?
- A data subject is the person (natural or juristic) to whom the personal information relates.
- For example, a company disclosing its bank account number and VAT number is a data subject in respect of that information.
How do I implement POPIA in my business?
- According to POPIA, the head of the business or organisation is, by default, its information officer and is responsible for implementing POPIA properly, but he / she may designate one or more deputy information officers to oversee day-to-day compliance.
What permission is required prior to processing personal information?
- According to POPIA, personal information may only be processed if the data subject (or a competent person, where the data subject is a child) consents to the processing, or in instances where the processing:
- is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
- complies with an obligation imposed by law on the responsible party;
- protects a legitimate interest of the data subject;
- is necessary for the proper performance of a public law duty by a public body; or
- is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Does a client have the right to demand a reason for the collection and processing of his / her / its personal information?
- Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
- Steps must be taken in accordance with POPIA to ensure that the data subject is aware of the purpose of the collection; there are, however, exceptions to this rule.
Should we address POPIA in employment contracts?
- As a responsible party, you must ensure that all employees and contractors you contract with adhere to the provisions of POPIA.
- Many of the obligations imposed by POPIA should be recorded in the responsible party's policies, such as privacy policies, infrastructure and disaster recovery policies, and data security and data transfer policies, which can then simply be referenced in the contracts concluded with employees or contractors.
Why is adherence to POPIA important?
- Should you or your organisation be found to be in breach of the provisions of POPIA, it could result in administrative fines (of up to R10 million) and, for certain offences, criminal penalties, not to mention the reputational damage to your business and its goodwill.
You may have a thousand more questions; however, it is paramount for every organisation to understand that compliance with POPIA means implementing lawful and transparent processes:
- for the collection of personal information;
- to protect the privacy of data subjects’ personal information against unjustified and adverse usage thereof; and
- to ensure the lawful and authorised processing of personal information by the responsible party and its employees.
We trust that this high-level overview will provide you with a better understanding of the process of implementing POPIA in your business. Should you have any aspects that you wish to discuss in detail, you are welcome to contact our offices. Our services in relation to POPIA include the following:
- Compliance reviews and gap analysis;
- The development of detailed data management processes and policies;
- Assisting with general regulatory compliance in relation to data transfer processes, data processing, employee monitoring, data breaches and data retention; and
- Developing and implementing a POPIA compliance framework tailored to your business.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)