Introduction to POPIA

Jeroen Seynhaeve


 

 
Do you manage a database with client, customer, member or patient details? A list of suppliers with contact details and personal notes? An online shop? Records about your employees, or a mailing list for email marketing? Then this is for you. Welcome to the world of POPIA. May Section 4 be with you …

 

The Protection of Personal Information Act (“POPIA”) aims to balance the information society’s need for the free flow of digital data with everyone’s right to control what happens with their private information.

 

POPIA introduces 5 role players and 8 conditions for lawful processing of personal information.

POPIA gives effect to the Constitution’s Section 14 Right to Privacy, and regulates the ways in which people and companies process personal information about other people and companies. POPIA does not protect all personal information: its application is restricted to 4 definitions of who, what, how, and where. To make your company POPIA compliant, people need to be appointed, procedures established, and documents compiled and (some) made publicly available.
 


 

Says who? My name is Jeroen Seynhaeve. I’m a Master in Laws with a background in human rights. I also have a degree in philosophy, and I’m currently a postgraduate Master student at the University of Stellenbosch specialising in the (applied) ethics of privacy.

 

It’s a balancing act … POPIA does not prohibit the processing of personal information as such, but establishes eight conditions for how this processing must be conducted, and five role players that must see to it that these conditions are at all times complied with.


OK … but what’s in it for me?

The legal fraternity will be keen to mention the conciliatory, investigative, administrative, criminal and civil procedures that may be lodged against you in terms of sections 73-109 of POPIA – for not complying with POPIA, for not cooperating with the Information Regulator, or for the harm this has caused. But there are other reasons too. Firstly, as part of their own compliance requirements, companies within your supply or service chain need to ensure that the companies (like yours) they work with are POPIA compliant. Secondly, a data breach harms your company’s reputation and consumer trust. And thirdly, good quality, well organised and well secured personal data about your customers or suppliers is a great asset for your business, and raises its market value.

 
 

4 Definitions

POPIA applies to (1) “personal information” that is (2) “processed” in a (3) “record or filing system” in (4) “South Africa”.

 

1. Personal information

POPIA gives a broad interpretation to “personal information”, and defines it in its Section 1 as information relating to an identifiable, living, natural person, or relating to an identifiable, existing juristic person. It follows that POPIA does not apply to the personal information of deceased persons, or to personal information that has been ‘de-identified’ (in other words, when one is no longer able to identify a person by means of the information). Note where the bar sits: replacing a name with a random number only de-identifies the data if the mapping from number to name is not retained and the remaining fields (an address, a date of birth, an online identifier) cannot be linked back to the person by any reasonably foreseeable method. If you keep a lookup table, the data is pseudonymised, not de-identified, and it remains personal information.
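The distinction matters in practice, so here is an added illustration (example code written for this page, not from the article or from the Act; the records, field names and postcodes are constructed). Swapping names for random tokens while a lookup table is kept is pseudonymisation: anyone with the table re-identifies every row. Dropping the direct identifiers is not enough either, because a unique combination of remaining fields such as postcode and birth year singles a person out when joined to any other list that carries the same fields. The example goes one step beyond the text by checking that with a simple k-anonymity count and coarsening the fields until no combination is unique.

```python
"""Pseudonymisation vs. de-identification of a personal-information table.
Added example, not the article's code. All records are constructed."""
import secrets
from collections import Counter

# Constructed sample records (no real people). "diagnosis" would be
# special personal information (health) under sections 26-35.
RECORDS = [
    {"name": "A. Naidoo",  "email": "a.naidoo@example.org",  "postcode": "7700", "birth_year": 1984, "diagnosis": "asthma"},
    {"name": "B. Botha",   "email": "b.botha@example.org",   "postcode": "7700", "birth_year": 1984, "diagnosis": "none"},
    {"name": "C. Dlamini", "email": "c.dlamini@example.org", "postcode": "7708", "birth_year": 1991, "diagnosis": "diabetes"},
    {"name": "D. Smith",   "email": "d.smith@example.org",   "postcode": "7708", "birth_year": 1991, "diagnosis": "none"},
    {"name": "E. Pillay",  "email": "e.pillay@example.org",  "postcode": "7745", "birth_year": 1985, "diagnosis": "none"},
]

DIRECT_IDENTIFIERS = ("name", "email")          # paragraphs (c) and (h) of the definition
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # linkable to other records about the person


def pseudonymise(records):
    """Replace direct identifiers with a random token.

    Returns (table, mapping). The mapping is what makes the table reversible,
    so as long as it exists anywhere the table is still personal information."""
    table, mapping = [], {}
    for rec in records:
        token = secrets.token_hex(8)
        mapping[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = token
        table.append(row)
    return table, mapping


def re_identify(table, mapping):
    """Undo pseudonymisation; trivial for whoever holds the mapping."""
    return [
        {**mapping[row["subject_id"]], **{k: v for k, v in row.items() if k != "subject_id"}}
        for row in table
    ]


def smallest_group(table, quasi=QUASI_IDENTIFIERS):
    """k-anonymity check: size of the smallest set of rows that share the same
    quasi-identifier values. k == 1 means some row is unique on those values
    and can be singled out by joining to another list with the same fields."""
    counts = Counter(tuple(row[q] for q in quasi) for row in table)
    return min(counts.values())


def de_identify(records, min_k=2):
    """Drop direct identifiers without keeping a mapping, then coarsen the
    quasi-identifiers (postcode to its first two digits, birth year to a
    decade) and refuse to release the table if any combination is still
    shared by fewer than min_k rows."""
    table = [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS} for rec in records]
    for row in table:
        row["postcode"] = row["postcode"][:2] + "xx"
        row["birth_year"] = row["birth_year"] // 10 * 10
    if smallest_group(table) < min_k:
        raise ValueError("still re-identifiable: coarsen further or suppress rows")
    return table
```

Run against the constructed records, the pseudonymised table still has a smallest group of 1 (the single 7745/1985 row), so even without the mapping it is not de-identified; after coarsening every combination is shared by at least two rows. Asking for `min_k=3` makes `de_identify` refuse, which is the behaviour you want in a release pipeline: a table that fails the check should never leave the controlled environment.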

So, if you process “personal information”, you must at all times do this compliant with POPIA’s conditions. BUT, two exceptions!

 

  1. Sections 26-35 POPIA: unless you fall into a particular category and you comply with the special conditions listed in sections 26-35 POPIA, you MAY NOT process “special personal information” concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour of a data subject, or personal information of children (<18).
  2. Sections 57-59 POPIA: if you intend to process information listed in section 57 POPIA, including further processing and linking of unique identifiers, criminal behaviour, credit reporting, or transferring “special personal information” to a third party in a foreign country, you need to apply for “prior authorisation” from the Information Regulator.

 

Full definition (Section 1 POPIA):
Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

  • (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • (b) information relating to the education or the medical, financial, criminal or employment history of the person;
  • (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • (d) the biometric information of the person;
  • (e) the personal opinions, views or preferences of the person;
  • (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • (g) the views or opinions of another individual about the person; and
  • (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

 
 

2. Processing

Processing gets an equally broad interpretation in Section 1 of POPIA. As soon as you get near information about a person, it is safe to assume that you are “processing” it. Or for those who prefer more formal definitions: processing is any operation or activity or any set of operations, concerning personal information, whether digital or physical, automatic or manual.

POPIA, in other words, applies to the ‘full life-cycle’ of personal information: from its creation, collection, storage, usage, transfer and amendment to its destruction.

POPIA supports the concept of ‘privacy by design’: responsible parties and their operators need to respect privacy from the very first step in the life-cycle of personal information to the very last.

 

Full definition (Section 1 POPIA):
Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

  • (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • (b) dissemination by means of transmission, distribution or making available in any other form; or
  • (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

 
 

3. Record or filing system

POPIA only applies to personal information that has been “entered in a record” – which can be just about any known format, including writing (on any material), taping, recording, labelling, drawing, and photographing. Don’t worry, this does not include personal information you have stored in your brain – you are still free to process your own memories, even those that contain very personal information about other people 😉 “Entering in a record” is not necessarily the same thing as “creating” – transferring existing personal information to a database, for example, is covered by the definition of “entering into a record”.

POPIA makes a further distinction between “automated” and “non-automated” means of entering a record. Only in the case of non-automated entering does POPIA require that the information forms part (or is intended to form part) of a structured “filing system” (some kind of list, record or database).

POPIA does not apply to personal information processed in the course of a purely personal or household activity (s6). Processing solely for journalistic, literary or artistic purposes is excluded only to the extent necessary to reconcile the right to privacy with the right to freedom of expression (s7), and a journalist who is subject to a code of ethics that adequately protects personal information is governed by that code instead.

 

Full definitions (Sections 1 and 3 POPIA):
3. (1) This Act applies to the processing of personal information— (a) entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof.
 
Record means any recorded information-
(a) regardless of form or medium, including any of the following:

  • (i) Writing on any material;
  • (ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
  • (iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
  • (iv) book, map, plan, graph or drawing;
  • (v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

 
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
 
Filing system means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
 
Automated means, for the purposes of [section 3], means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

 
 

4. South Africa

For POPIA to apply, the Responsible Party (the person or company that determines the purpose and means for processing, see below) must be domiciled in South Africa, or make use of “means” (equipment such as servers) located in South Africa, unless those means are only used to forward personal information through the country. Remember: a South African responsible party that processes information “in the cloud”, on servers located outside South Africa, still has to comply with POPIA. On top of that, section 72 restricts transfers of personal information to a third party in a foreign country to cases such as adequate protection under that country’s law or a binding agreement, the data subject’s consent, or necessity for a contract with the data subject.

Full definition (Section 3 POPIA):
3. (1) This Act applies to the processing of personal information— (b) where the responsible party is—

  • (i) domiciled in the Republic; or
  • (ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.

 
 

OK … but what about the GDPR?

The GDPR (the General Data Protection Regulation 2016/679) applies when you process personal data in the context of an establishment in the EU, or when you offer goods or services to, or monitor the behaviour of, people who are in the EU, whatever their citizenship. The principles for lawful processing in the GDPR and POPIA are largely the same, and a programme built for one goes a long way towards the other, but they are not identical: for example, the GDPR sets a 72-hour deadline for notifying the supervisory authority of a breach where POPIA’s section 22 says “as soon as reasonably possible”, and each has its own rules for international transfers. Treat compliance with one as a head start on the other, not as a substitute. Remember that POPIA and the GDPR are “principles-based” legislation (see below).

 
 

5 Role players

POPIA introduces five role players that must see to it that its lawful conditions for processing personal information are at all times complied with.

 

1. Information Regulator

The Information Regulator is the national, independent body that is empowered by POPIA to encourage, monitor and enforce compliance by Responsible Parties with the provisions of POPIA and PAIA. When a complaint is submitted to, or initiated by, the Regulator, it can decide to investigate, conciliate, take no further action (s77), or refer to the Enforcement Committee – an independent judicial tribunal established to adjudicate POPIA matters (a bit like the CCMA for labour disputes).
 

2. Responsible Party

The Responsible Party (GDPR “controller”) is the person or company that determines the purpose and means for processing personal information, and is responsible and liable for compliance with POPIA and PAIA. Liability may include administrative fines, criminal convictions and civil damages.
 

3. Information Officer

Because there is some overlap between POPIA and PAIA (the “Promotion of Access to Information Act”), I will be mentioning both regulations here. The Information Officer is defined in POPIA and PAIA as the head of a private body and is responsible for ongoing compliance by the Responsible Party with POPIA and PAIA. One or more Deputy Information Officers may be appointed. The Information Officer’s duties and responsibilities are stated in POPIA and PAIA and related regulations and notices, and may include personal liability for destroying, damaging, altering, concealing, falsifying or making a false record with intent to deny a right of access in terms of PAIA, for wilfully or in a grossly negligent manner failing to make available a PAIA manual as per section 51 of PAIA, or for non-compliance with an Enforcement Notice. While neither POPIA nor PAIA says anything about it, the Information Regulator’s Guidance Notice of 1 April 2021 states that Information Officers and Deputies must be “an employee of a private body at a level of management and above”.
 

4. Operator

An Operator (GDPR “processor”) is an independent contractor that processes personal information on behalf of the Responsible Party. Sections 20 and 21 of POPIA state that an operator may only process personal information with the knowledge or authorisation of the Responsible Party, must treat it as confidential, and must be bound by a written contract that obliges it to maintain the security safeguards of section 19. The operator must also notify the Responsible Party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, so that the Responsible Party can meet its own section 22 notification duty. Accountability stays with the Responsible Party: outsourcing the processing does not outsource the liability.
 

5. Data Subject

A Data Subject is the person the “personal information” relates to. Put differently, the person that may be ‘identified’ by the personal information.

 
 

7 things to do before 1 July 2021

 

  1. Register your Information Officer at justice.gov.za/inforeg/
  2. Conduct a detailed personal information impact assessment: how are you currently processing personal information (who, what, how, where?), what are the risks?
  3. In reply to the personal information and the risks you have identified in your impact assessment, develop a compliance framework: an internal document that will be the point of reference for the Information Officer, staff and (if requested) the Information Regulator to implement, monitor and verify your POPIA compliance
  4. What is your legal basis for processing personal information? Is it based on (documented!) consent or necessary to protect your, a data subject’s or a third party’s legitimate interest? Is it imposed by law or by a contractual obligation?
  5. Compile a (“Section 51”) POPIA/PAIA manual and make it publicly available (e.g. via your website). The Information Regulator publishes guidelines on how to develop a PAIA manual.
  6. Establish internal procedures to process requests for access, objection, amendment or deletion of personal information from data subjects or the Information Regulator
  7. Educate your staff on how to lawfully process personal information of employees, clients, customers, suppliers, guests, etc.

 

Keep an eye out for “codes of conduct” for your business sector. POPIA allows organisations that “sufficiently represent any class of bodies, or any industry, profession, or vocation” to draw up their own, more specific conditions for processing personal information.

 
 

8 Conditions

POPIA is “principles-based” legislation. It tells you what to do, but it doesn’t tell you how to do it. This allows POPIA to be applied to a wide and diverse range of circumstances under the general banner of “reasonability”. Central to POPIA are its eight principles for processing personal information. These principles are:

 

1. Accountability

By default, the head of the company, usually the CEO, is responsible for compliance with POPIA. POPIA refers to this company as the “Responsible Party” and to the head as the “Information Officer”. The administration (but not accountability) of the responsibilities and duties of the Information Officer may be delegated to one or more Deputy Information Officers. Processing operations (but not accountability) may be outsourced to third parties (“Operators”) – independent persons or companies that process personal information on behalf, with full knowledge and authorisation in writing by the Responsible Party.
 

2. Processing Limitation

This is the “Minimality Principle”. Firstly, processing of personal information must be adequate, relevant and not excessive in relation to the (specific) purpose for which it is processed. Secondly, personal information may only be processed if the data subject has consented (and for as long as this consent is not withdrawn), when it is necessary to meet contractual obligations with the data subject, when it is imposed by law, or when it is necessary to protect a legitimate interest of the data subject, responsible party or a third party.
 

3. Purpose Specification

Personal information may only be collected for a specific, explicitly defined and lawful purpose, and not be retained for longer than is necessary for achieving that purpose.
 

4. Further Processing Limitation

Once collected, personal information must be processed (stored, used, shared, etc) in accordance and compatible with the purpose for which it was initially collected.
 

5. Information Quality

The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which it was collected.
 

6. Openness

Responsible parties must be transparent about how they process personal information at the moment of collection, and must keep a record of their processing operations for as long as the processing continues.

Collection: at the time of collection (or as soon as reasonably practicable afterwards) the data subject must be made aware of which information is being collected, the name and address of the responsible party, the purpose for which the information is collected, whether supplying the information is voluntary or mandatory, the consequences of failing to supply it, any intention to transfer the information outside South Africa and the level of protection afforded in the destination country, the recipients of the information, the rights of access to and rectification of the information, the right to object, and the right to lodge a complaint with the Information Regulator (s18 POPIA).

Processing: all processing operations under the responsible party’s control must be documented (s17 POPIA), as part of the manual that section 51 of PAIA requires a private body to keep.
 

7. Security Safeguards

The integrity and confidentiality of personal information must be secured by appropriate, reasonable technical and organisational measures that prevent loss of, damage to or unauthorised destruction of the information, and unlawful access to or processing of it. Section 19 POPIA spells out the cycle: identify all reasonably foreseeable internal and external risks, establish and maintain safeguards against them, regularly verify that the safeguards are effectively implemented, and update them in response to new risks or deficiencies found during that verification. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the Information Regulator and the data subject must be notified (s22 POPIA) as soon as reasonably possible after the discovery. The notification to the data subject must be in writing and must give enough information to allow the data subject to take protective measures; it may be delayed only where a public body responsible for the prevention, detection or investigation of offences, or the Regulator, determines that notification would impede a criminal investigation.
 

8. Data Subject Participation

A person or a company, subject to providing adequate proof of identity, may request confirmation of the fact that personal information is being processed (free of charge), request the record or a description of the information (at a fee), and request the correction of the information, in the manner prescribed by Section 53 PAIA (Form C).