POPIA: A Guide to the Protection of Personal Information Act of South Africa

POPIA or POPI was promulgated on 26 November 2013. The Protection of Personal Information Act (POPIA) is intended to promote the right to privacy in the Constitution, while at the same time protecting the flow of information and advancing the right of access to and protection of information.

POPIA establishes the rights and duties that are designed to safeguard personal data. In terms of POPIA, the legitimate needs of organisations to collect and use personal data for business and other purposes are balanced against the right of individuals to have their right of privacy, in the form of their personal details, respected.

POPIA applies to a particular activity, i.e. the processing of personal data, rather than a particular person or organisation. Therefore, if you process personal data then you must comply with POPIA and, in particular, you must handle personal data in accordance with POPIA’s data protection principles.

Therefore, if you collect or hold information about an identifiable individual or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of POPIA is very wide and it applies to almost everything you might do with an individual’s personal details including details of your employees.

POPIA Framework

• sets out the rules and practices which must be followed when processing information about individuals and juristic persons;
• grants rights to individuals in respect of their information;
• and creates an independent regulator to enforce these rules, rights and practices.

It should be noted that POPIA applies to:

• information that is processed automatically;
• information recorded on paper;
• and health records and certain public authority records.

Implementing POPIA

The term “processing” in terms of POPIA has a very wide meaning. It is intended to cover any conceivable operation on data, ranging from collecting, recording and holding, to the subsequent disclosure and eventually destruction of data. Going forward, it is of the utmost importance that any responsible party should review, on a regular basis, its data processing activities. In particular a responsible party i.e. an organisation should form a view and take steps in order to:

• fairly understand the data processing activities that an organisation engages in;
• training of relevant staff should be conducted on a continuous basis to ensure that staff are trained to understand the impact of POPIA on their particular area of focus within the organisation;
• consider whether appropriate written contracts are in place with third parties for whom personal data is processed, or to whom the processing of personal data is outsourced;
• evaluate the security measures in place to keep personal data secure at all times;
• the terms under which intra-group transfers of personal data are made;
• consider, in detail, the cross-border transfer of personal data; and
• review internal procedures ensuring continued compliance with POPIA and the effective and efficient handling of enquiries and complaints by individuals.

It is always important to note that your organisation’s duties under POPIA apply throughout the period that the organisation is processing personal data and so do the rights of individuals in respect of that personal data. Therefore, an organisation must comply with POPIA from the moment it obtains the data until the time when the data has been returned, deleted or destroyed. In addition, the duties extend to the way the organisation disposes of personal data when it no longer needs to keep such data. Data must be disposed of securely and in a way which does not prejudice the interests and rights of the individual concerned.

The Fundamentals to POPIA

It is important that every organisation understands at minimum the following about POPIA compliance:

• the legitimate grounds for collecting and using personal data collected in order to ensure that data is not used in ways that have unjustified adverse effects on the individuals concerned;
• the lawful purpose for which data is being collected to ensure that the data shall not be further processed in any manner that is contrary to that purpose or the purposes for which the data were collected;
• the extent of information that is required for the purpose as intended and to ensure that they collect adequate and relevant information and prevent any excessive information collection;
• the information retention periods and requirements applicable together with destruction processes and procedures;
• the rights of individuals, i.e. data subjects, in terms of POPIA;
• security measures required to prevent the unauthorised or unlawful processing of personal data or access to personal data, including accidental loss or destruction or damage to personal data;
• when it becomes necessary to transfer data outside the country, to understand the roles, duties and responsibilities of all parties involved; and
• what processes and procedures should be in place to ensure that data is kept up to date and current and accurate at all times;
• Werksmans advises clients on all aspects related to data protection and privacy.

Conclusion

This overview is intended to assist you in understanding the process of implementing POPIA compliance in your organisation. Information control is central to creating an environment in which POPIA processes and procedures may be successfully implemented and its principles maintained in your organisation.

Our services include:

• Compliance review by determining existing practices and procedures in order to formulate an “as is” gap analysis
• Assisting in the development of detailed data management processes and procedures to ensure compliance with legislation.
• Advising on general regulatory compliance, data transfers, subject access requests, employee monitoring and surveillance, cyber security, data breaches, data retention and global data compliance.
• Guidance and assistance with the development of policy documentation and internal process flows, guidance scripts and re-alignment of legal documents.
• Advising on employment related issues.
• Formulation of incident management processes and procedures.
• Development of an overall POPIA compliance roadmap in terms of understanding current practice and arrangements.
• Clearly understanding the way forward in terms of a risk management plan.
• Enabling staff and empowering the organisation through an organisation specific plan.
• Creating a compliance culture.

Werksmans advises clients on all aspects related to data privacy and protection.

Additional Resources:

Compliance With POPIA – Data Protection and Privacy
Find out more

Werksmans POPI e-learning Course
Sign up now