OVERVIEW OF THE PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013
Below is a brief overview of the POPI Act:
WHAT IS THE PURPOSE OF POPIA?
- Promote protection of personal information (“PI”) processed by public and private bodies.
- Introduce minimum requirements for the processing of PI.
- Establish the Information Regulator.
- Provide for the issuing of industry-specific Codes of Conduct for the handling of PI.
- Provide for the right to be left alone (direct marketing).
- Regulate the flow of PI across borders.
WHO MUST COMPLY?
Anyone who PROCESSES personal information has a duty to comply with POPIA to protect that personal information. To PROCESS includes, but is not limited to, collecting, receiving, recording, organising, retrieving, using, disseminating and destroying personal information.
WHAT CONSTITUTES “PERSONAL INFORMATION”?
Information relating to an identifiable natural or juristic person, including, but not restricted to: age, gender, identity number, marital status, employment history, e-mail address, contact number, physical address, nationality, financial history, education, views and opinions.
REQUIREMENT OF CONSENT
You can only collect information for a specific, explicitly defined and lawful purpose. The subject must be aware of the purpose for which the information is being collected. Information has to be collected directly from the individual! (Exceptions: public records; consent given to a third party; not prejudicial; law enforcement.)
YOUR RIGHTS
- Right to be told if someone is collecting our PI.
- Right to access our PI.
- Right to require our PI to be corrected or destroyed.
REASONABLE MEASURES
POPIA requires reasonable measures when processing personal information. Once the PI is no longer needed for the specific purpose, it must be disposed of!
DATA SECURITY
Technical and organizational security measures to prevent data loss or damage or unlawful access to PI are ESSENTIAL.
DIRECT MARKETING
Customer must consent before electronic direct marketing can take place. POPIA requires an “opt-in” method as opposed to an “opt-out” method.
“OPT–IN” VERSUS “OPT–OUT”
OPT-IN: consent has to be obtained before direct marketing can be directed at the subject. OPT-OUT: the subject indicates that he/she no longer wishes to receive direct marketing by “opting out”, i.e. clicking on the unsubscribe or stop button.
CONSEQUENCES OF NON-COMPLIANCE?
Official complaint process via the Information Regulator. Serious offences = R10 million fine or 10 years imprisonment, or both. Less serious offences = a fine or imprisonment not exceeding 12 months, or both.
DEADLINE FOR COMPLIANCE
1 JULY 2021!!!
WHERE TO START
- Assess what PI you process, how you process it and why (is it necessary? Limit where possible).
- Review and update business documents to ensure POPIA compliance (Privacy Policy, Contracts, Data Breach Policy…).
- Appoint an Information Officer: the responsible person who ensures and deals with POPIA implementation, compliance and monitoring (usually the CEO or Managing Partner).
- Train staff on correct implementation and procedures.
For more information and professional legal advice, contact Sandy Scholtz or Nicole Scholtz at Goldberg & de Villiers Inc. on 041 5019800.