POPI Act (4 of 2013)
In terms of Chapter 2 (the Bill of Rights) of the Constitution of South Africa, specifically section 14(d), everyone has the right to privacy, which includes the right not to have the privacy of their communications infringed. Under section 7(2), the state must respect, protect, promote and fulfil the rights in the Bill of Rights; POPIA is the legislation that gives effect to the right to privacy in respect of personal information.
POPIA requires that both individuals and institutions (public or private) act responsibly when collecting, processing (including transferring or sharing) and storing personal information. The legislation holds them accountable when personal information is compromised or used outside the purpose for which it was collected.
A key aspect of POPIA is that it sets out the eight conditions for lawful processing, i.e. the conditions that must be met for personal information to be handled correctly. Meeting these conditions is mandatory for any organisation seeking to comply with POPIA. The conditions are summarised below.
The accountability condition requires the responsible party to ensure that the conditions, and all the measures set out in the Act that give effect to them, are complied with at the time the purpose and means of the processing are determined and during the processing itself.
The processing limitation condition requires that personal information is processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject, and only to the extent that it is adequate, relevant and not excessive for the purpose. Consent of the data subject is the most common lawful basis, but it is not the only one: the Act also permits processing that is necessary to perform a contract with the data subject, to comply with a legal obligation, to protect a legitimate interest of the data subject, to perform a public law duty, or to pursue a legitimate interest of the responsible party or a third party. Consent may be withdrawn at any time, and the data subject may object to processing that relies on the other grounds. Personal information must be collected directly from the data subject unless one of the exceptions in the Act applies, for example where the information is contained in a public record or the data subject has consented to collection from another source.
The purpose specification condition requires that personal information is collected only for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. This purpose must be documented and adhered to, and records may not be retained longer than is necessary to achieve it, subject to the retention exceptions the Act allows (for example where another law requires longer retention). The data subject has the right to know what information you hold about them and for what purpose it was collected.
The further processing limitation condition means that personal information may not be processed for a secondary purpose unless that processing is compatible with the purpose for which it was originally collected. Where the responsible party wants to use existing personal information for any purpose other than the one it was collected for, it must either obtain the data subject's consent again or rely on one of the other grounds in the Act under which further processing is treated as compatible.
The information quality condition requires the responsible party to take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary. Obtaining information directly from the data subject makes accuracy more likely, and it is always advisable to validate personal information as it is captured. If the data subject cannot input their own information, or the information is transcribed from one format to another (for example from a paper form into an IT system), the captured information should be sent to the data subject for validation. When advising data subjects of the information you hold and the purpose for which you hold it, they must be given details of how to update their information or withdraw consent.
The openness condition requires that the data subject is made aware that a responsible party is collecting their personal information and of the purpose for which it will be used. When collecting information, data subjects must be given the name and address of the responsible party and the contact details of the person in the organisation who handles personal information queries (in practice the Information Officer). At the time the personal information is collected, the data subject must also be advised of their right to access and correct the information, to object to the processing, and to lodge a complaint with the Information Regulator if misuse is suspected, and must be given the Information Regulator's contact details.
The security safeguards condition requires that personal information is kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure. The responsible party must take appropriate, reasonable technical and organisational measures to do so, which the Act frames as a continuing process: identify all reasonably foreseeable internal and external risks to the personal information, establish and maintain safeguards against those risks, regularly verify that the safeguards are effectively implemented, and update them in response to new risks or deficiencies found in the existing safeguards. Strict policies and procedures are required regarding who has access to personal information and how that access is granted, with generally accepted information security practices and procedures as the baseline where no sector-specific rules apply.
- Sharing personal information with an external operator: an operator (anyone who processes personal information for the responsible party under a contract or mandate) may only process the information with the responsible party's knowledge or authorisation and must treat it as confidential. The responsible party must, in terms of a written contract with the operator, ensure that the operator establishes and maintains the required security measures. The operator must notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. Where such a security compromise occurs, the responsible party must notify the Information Regulator and, unless their identity cannot be established, the affected data subjects, as soon as reasonably possible after discovering it; the notification to data subjects must give them enough information to take protective measures against the potential consequences of the compromise.
The data subject participation condition gives data subjects the right to request confirmation, free of charge, of whether the responsible party holds personal information about them, to request the record or a description of that personal information (for which a prescribed fee may be charged), and to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
Commencement of the Act
The sections of the Act were brought into operation in stages between 2014 and 2021, as follows:
- 11 April 2014: section 1, Part A of Chapter 5 (sections 39 to 54), and sections 112 and 113 (Gazette 37544 of 11 April 2014)
- 1 July 2020: sections 2 to 38, sections 55 to 109, section 111 and section 114(1), (2) and (3) (Gazette 43461 of 22 June 2020). Section 114(1) gave responsible parties one year from this date, i.e. until 30 June 2021, to bring existing processing into conformity with the Act.
- 30 June 2021: sections 110 and 114(4) (Gazette 43461 of 22 June 2020)
- 1 July 2021: section 58(2) (Gazette 44383 of 1 April 2021)