You may have heard about the PoPI Act, but might not fully understand what it entails or whether it is relevant to you. If you have a business that collects personal information in any shape or form, for whatever reason, then the chances are that the PoPI Act applies to you. This article aims to provide an overview of the Act in simple terms by highlighting its purpose and what constitutes “personal information”, and closes with a few suggestions to aid in developing an implementation strategy.
The PoPI Act of 2013
Although the President has not yet proclaimed the official PoPI commencement date, it is anticipated that this will occur towards the second half of 2016. A year-long compliance grace period will apply, yet various sources stress the importance of businesses getting a head start on developing and implementing a PoPI compliance strategy, as the regulations set out in the Act are unlikely to change much by that time, if at all. Implementing a PoPI compliance strategy early on gives businesses the time to review whether they comply and to make the necessary adjustments to the ways in which they collect, store and utilise personal information.
According to the PoPI Act of 2013, the purpose of the Act is:
“To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate flow of personal information across the borders of the Republic; and to provide for matters connected therewith.”
In short, the purpose of the Act is to ensure that all South African institutions adhere to responsible conduct when collecting, processing, storing and sharing another entity's personal information.
The PoPI legislation aims to grant the owner of personal information (the data subject) certain rights aimed at protecting that information, including the ability to exercise control over:
- When and how one chooses to share personal information (requires consent)
- The type and extent of information you choose to share (must be collected for valid reasons)
- Transparency and accountability on how data will be used (limited to the purpose) and notification if/when the data is compromised
- Gaining access to one’s own information, and the right to have data removed and/or destroyed if required
- Who has access (adequate measures and controls in place to track access & prevent unauthorised persons from gaining access)
- How and where information is stored (adequate measures and controls to safeguard information from theft, or being compromised)
- Integrity & continued accuracy of information (information must be captured correctly & once collected, the institution is responsible to maintain it)
What Constitutes ‘Personal Information’?
Personal information is any information relating to an identifiable, living natural person or an identifiable juristic person (companies, CCs, etc.), and includes, but is not limited to:
- Contact details: Email, telephone, address etc.
- Demographic information: Age, sex, race, birth date, ethnicity etc.
- History: Employment, financial, educational, criminal, medical history
- Biometric information: Blood type etc.
- Private correspondence
It should be noted that some personal information, on its own, does not necessarily allow a third party to confirm or infer someone's identity to the extent that the information can be used or abused for other purposes. For instance, the combination of someone's name with their phone number and/or email address is far more significant than a name or phone number alone. Consequently, the Act defines a “unique identifier” as data that “uniquely identifies that data subject in relation to that Responsible Party” (the Responsible Party being the entity responsible for safeguarding the personal information).
“Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and / or imprisonment of up to 12 months. In certain cases the penalty could be a fine and / or imprisonment of up to 10 years.” (Section 99)
Some exceptions include the following information types:
- Purely household information
- De-identified information
- Journalism, under a code of ethics
- Information used in judicial, criminal or national security cases
Implications for Data Collection
Entities collecting personal information will have to make use of an explicit opt-in component, as opposed to the traditional “opt-out” option, which assumed that people want to be contacted for marketing purposes by default. Should the data subject choose to opt in, their information may be shared with marketing partners. The person or entity from whom the information is collected should be notified of: which information is collected and from which source; who will be responsible for safeguarding their information; the purpose of the collection; whether the supply of information is compulsory or voluntary; the consequences of failing to provide the requested information; and any law authorising or requiring the collection of the information.
The data subject should further be made aware of the existence of the right of access to and the right to rectify the information collected; the existence of the right to object to the processing of personal information (as referred to in section 11(3)); and the right to lodge a complaint to the Information Regulator (a body to be appointed by the President to preside over all PoPI-related matters).
Conclusions and Recommendations
It is recommended that an information notice be added to any user registration forms contained on a website, informing the user of the necessity of providing certain personal information, as well as of all of their rights as set out in the PoPI Act.
Upon providing personal information, the data subject should, first and foremost, have the option to opt in to certain communications, as well as to opt out should they no longer want to make their personal details available; in the latter case, their details should no longer be available to third parties, although they may be stored separately as historical data.
Safeguards need to be put in place to enhance the security of the information, together with protocols for handling personal information (e.g. who is allowed to work with or gain access to the information, and under which circumstances).
Protocols for retaining and destroying information need to be discussed and developed with key stakeholders in a business, as per Section 14 of the PoPI Act.
We recommend that the sources below be consulted in order to familiarise yourself and your business with the requirements and restrictions imposed by the PoPI Act.