Protection of Personal Information Act (POPIA)
POPI promotes transparency with regard to what information is collected and how it is to be processed. Openness increases customer trust in the organisation.
POPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. These measures should improve the overall efficiency and reliability of the organisation’s databases. Less data also means less storage / archiving cost and a smaller impact in the event of a breach (the safest data is that which you don’t unnecessarily store in the first place).
Compliance demands identifying Personal Information and taking reasonable measures to protect the data. This will minimise the risk of data breaches and the associated public relations and legal ramifications for the organisation.
Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and / or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and / or imprisonment of up to 10 years (Section 107).
Eskom’s Privacy Statement
- personal information may only be processed if consent is obtained
- consent must be “voluntary, specific and informed” and “an expression of will”
What is “personal information”?
Information relating to an identifiable person (a living natural person or, as far as applicable, an existing juristic person), i.e.:
- Race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture and birth
- Education or medical, financial, criminal or employment history
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assigned to the person
- Personal opinions, views or preferences
- The views or opinions of another individual about the person
- Correspondence sent by the person that is implicitly or explicitly of a private/confidential nature
- The name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person
In short, customers’ or people’s information refers to:
- Contact details: email, telephone, address etc.
- Demographic information: age, sex, race, birth date, ethnicity etc.
- History: employment, financial, educational, criminal, medical history
- Biometric information: blood type etc.
- Opinions of and about the person
- Private correspondence etc.
What is “special personal information”?
Personal information concerning:
- The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
- The criminal behaviour of a data subject to the extent that such information relates to:
  - the alleged commission by a data subject of any offence; or
  - any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings
What is “processing”?
Any activity concerning personal information, e.g.:
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
- Dissemination by means of transmission, distribution or making available in any other form
- Merging, linking, restriction, degradation, erasure or destruction of information.
Some of the obligations under POPI are to:
- only collect information that you need for a specific purpose
- apply reasonable security measures to protect it
- ensure it is relevant and up to date
- only hold as much as you need, and only for as long as you need it
- allow the data subject of the information to see it upon request
Who are the role players?
- Data Subject: the person to whom the information relates
- Responsible Party: a private or public body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information
- Operator: a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party
- Regulator: The Regulator established by POPIA
The 8 processing conditions