A Brief Analysis of South Africa's Protection of Personal Information Act, No. 4 of 2013
This is a brief summary of the South African POPI Legislation, and it highlights relevant sections of the POPI Act, which ensures the sanctity of private personal data and information by persons and institutions within South Africa.
History / Background
South Africa’s Protection of Personal Information Act (POPI Act) was signed into law in November 2013, and partial implementation of the law commenced in 2014.
The POPI Act regulates how any person or organisation in South Africa involved in processing personal information must handle, keep and secure that information.
The POPI Act ensures that South African institutions conduct themselves responsibly when collecting, processing, storing and sharing other entities' personal information, by holding them accountable should they abuse or compromise personal information in any way.
POPI gives actual effect to the citizen's right to privacy by introducing measures to ensure that the personal information of a data subject (an individual) is safeguarded and protected when it is processed by responsible parties (a public or private body which determines the purpose of and means for processing the data).
The POPI Act also aims to balance the right to privacy against other rights, particularly the right of access to information, and to generally protect important interests, including the free flow of information within and across the borders of the Republic of South Africa[1].
It is expected that full commencement of the Act should be sometime in early 2017.
TO WHOM DOES THE POPI ACT APPLY
1. Any public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information (the responsible party).
2. Any person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party (the operator).
SUMMARY OF THE POPI ACT
The Act gives a data subject the right to control:
- When and how you choose to share your information (requires the data subject's consent) – Section 11
- The type and extent of information you choose to share (must be collected for valid reasons)
- Transparency and accountability on how your data will be used (limited to the stated purpose) – Section 18
- Notification if/when the data is compromised – Section 22
- Access to your own information, as well as the right to have your data removed and/or destroyed should you so wish – Section 24
- Who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same organisation, from accessing your information – Section 8
- How and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised) – Section 19
- The integrity and continued accuracy of your information (i.e. your information must be captured correctly and, once collected, the institution is responsible for maintaining it)
CONCLUSION
Taking all of the above into consideration from a legal point of view, the manner in which personal information (as defined above) is processed can expose an organisation to various liabilities if due diligence and compliance measures are not in place.
It is strongly advised that institutions which receive and process personal information and data put in place strong policies and methods to minimise the risks and exposure to criminal and civil liabilities which may arise as a result of negligence or oversight.
PLEASE NOTE: This article is for general information only. It is not offered as advice on any particular matter, whether legal, procedural or otherwise.
References
[1] Section 2, POPI Act