As POPI becomes mainstream, the issues around privacy are readily becoming topics of conversation around the braai, at the pub, the dinner table and lunch with the ladies. This awareness is making individuals more sensitive to how their personal information is treated by the companies they support, and as a business owner you need to demonstrate your POPI compliance willingly and transparently, or risk losing your most valued clients.
A study conducted in February 2019 revealed that only 34% of South African organisations are ready to comply with POPI, many of whom only have a basic understanding of the Act.
The Protection of Personal Information Act 41 aka POPI
The Protection of Personal Information Act 41 of 2013 (simply known as “POPI”) is designed to give effect to the Constitutional right to privacy; to regulate how personal information is processed; create rights and remedies in respect of the protection of personal information; and to create an Information Regulator to give effect to all of these rights and regulations.
POPI was signed into law in November 2013, but to date only certain sections of the Act, mostly relating to its administrative framework, have come into force. The rest of POPI is awaiting its final commencement date and once it is fully implemented, businesses will have twelve months to bring their practices into line with the standard. The Information Regulator has requested that the President issue a commencement date of 1 April 2020 for the remaining provisions, but to date no confirmation of this date has been received.
POPI is designed to protect the ‘personal information’ belonging to a ‘data subject’, an identifiable, living natural person or existing juristic person. ‘Personal information’ is broadly defined to include information relating to:
- a person’s physical attributes (e.g. race, gender, marital status)
- one’s background (e.g. education, criminal history, employment history)
- identifying information (e.g. e-mail address, telephone number)
- biometric information, personal views and opinions (either of the person or about the person), and
- private or confidential correspondence, and one’s name.
We know that personal information can only be ‘processed’ with the data subject’s consent. Processing essentially means conducting any operation or activity, either personally or by automated means, which concerns a data subject’s personal information. If there is no consent, then the processing can take place only if it is necessary for the conclusion or fulfilment of a contract involving the data subject; if it is required by law; if it protects the legitimate interests of the data subject; or if it is necessary to pursue the legitimate interests of the person controlling the data or of a third party.
Special personal information
POPI also includes a higher level of protection for a specific category of information called ‘special personal information’, which includes highly personal information such as religious or philosophical beliefs, race or ethnic origin, trade union membership, alleged criminal history, political views, and biometric or health information. This kind of personal information cannot be ‘processed’ unless it is done with consent; is necessary in law; has been deliberately made public by the subject, or is being used for historical, statistical or research purposes. There are also special rules for dealing with children’s personal information.
The responsible party
A ‘responsible party’ is defined as a public or private body or any other person that, acting either alone or together with others, determines the purpose of and means for processing a data subject’s personal information. Since a private body is defined to include “any former or existing juristic person”, all companies and businesses can be so defined. A responsible party, or a person acting on their behalf, has an obligation to ensure that the ‘processing’ of the personal information takes place in accordance with eight information protection principles, namely:
- processing limitation
- purpose specification
- further processing limitation
- information quality
- security safeguards
- data subject participation.
Who’s in charge?
POPI will be implemented by a body called the Information Regulator, which will report to the National Assembly. Along with a host of other functions, they will handle complaints about violations of POPI and enforce the provisions of the Act.
Any person can submit a complaint to the Information Regulator, and the Regulator can make recommendations following an investigation. The Information Regulator is also able to hand out penalties, including a fine or imprisonment, for offences committed in terms of the Act. POPI also allows a data subject to institute a civil action against a responsible party for failing to comply with the Act if damage is suffered.
It is worth noting here that the Act appears to create an onus of strict liability for the responsible party. In other words, it does not matter whether there has been any intention or negligence on their part for them to be held liable for the damage caused.
A company’s obligations
The same survey revealed that 77% of South African decision-makers admitted that their organisations would suffer reputational damage if fined for non-compliance with the POPI Act.
Ultimately, your company’s obligations in terms of POPI will depend on what kind of personal information you hold and deal with on a regular basis. However, the possibility of penalties and other sanctions through the Information Regulator for failure to comply, particularly when taken together with the reputational risk of failing to protect customers’ personal information, means that it is definitely worth making sure that the proper protections, be they additional software or updated contracts with clients or employees, are in place.
Essentially, POPI brings the South African legislative framework in line with international best practice in respect of the protection of personal information. Failure to implement a solid data protection strategy that guards against loss of data will result not only in the applicable penalties and fines but will also incur enormous reputational damage, resulting in loss of goodwill and customer trust.
Author: Katherine Timoney, Associate, General Litigation