Introduction to Protection of Personal Information (“POPI”)
Why is the Protection of Personal Information Act necessary?
The need to protect personal information stems from a person’s “right to privacy”. The “right to privacy” implies inter alia that any person should have “the right to be left alone” and entitled to control his or her personal information.
The right to privacy is entrenched in the Bill of Rights in the Constitution of the Republic of South Africa, as Section 14 reads as follows:
“Everyone has the right to privacy, which includes the right not to have:
(a) Their person or home searched;
(b) Their property searched;
(c) Their possessions searched; or
(d) The privacy of their communications infringed.”
In the course of trade, it is inevitable that customers and suppliers will exchange certain details. Due to the nature of data collection processes, especially via different forms of technology, consumers who share personal information with suppliers become vulnerable to losing control over the use of their personal information. Loss or misuse of personal information may, for instance, lead to damages, inconvenience, possible physical danger and/or identity theft.
The main objective of the proposed Protection of Personal Information Act (“POPI” Act) is thus to put national legislation in place to give effect to the constitutional “right to privacy” in trade, by establishing a person’s rights and remedies to protect his or her personal information, and by establishing a regulatory framework to help enforce the protection of personal information.
In addition, as personal information is often shared across national borders, the protection of personal information is a universal issue, and the POPI Act should ensure that South Africa maintains an adequate level of data protection to meet the requirements of the leading EU Directive and other international standards.
What information is “personal information”?
Chapter 1 of the proposed POPI Act provides the following definition:
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, email address, physical address, telephone number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person”.
What personal information is exempted?
Chapter 4 of the proposed POPI Act provides for exemptions from the 8 information protection principles referred to below and set out in full in Chapter 3, Part A. In this regard, the Commission may authorise a responsible party (data collector) to process personal information, even though that processing would otherwise be in breach of an information protection principle, if the Commission is satisfied that, in the special circumstances of the case:
(a) the public interest in that processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from that processing; or
(b) that processing involves a clear benefit to the data subject or a third party that outweighs any interference with the privacy of the data subject or third party that could result from that processing.
What are the “principles” for personal information protection?
Chapter 3, Part A of the proposed POPI Act provides for the principles for the processing of personal information, which are in line with the main principles set out in the EU Directive and include, in short, the following:
(a) Principle 1: Accountability: The responsible person (data collector) must ensure that these universal principles, and all measures that give effect to these principles, are complied with.
(b) Principle 2: Processing limitation: Personal information must be processed in accordance with the law and in a proper and careful manner in order not to intrude upon the privacy of the data subject to an unreasonable extent.
(c) Principle 3: Purpose specification: Personal information must be collected for a specific, explicitly defined and legitimate purpose. Personal information may not be kept for longer than is necessary for achieving the purpose for which it was collected.
(d) Principle 4: Further processing limitation: Personal information must not be further processed in a way incompatible with the purpose for which it was collected in the first instance.
(e) Principle 5: Information quality: The data collector collecting and processing personal information must take practical steps to ensure that the personal information is complete, not misleading, and accurate.
(f) Principle 6: Openness: Personal information may only be collected by a data collector which has given notice and has been recorded in a Register kept by the Commissioner.
(g) Principle 7: Security safeguards: Appropriate technical and organisational measures must be taken to secure the integrity of personal information by safeguarding against the risk of loss of, damage to or destruction of personal information, and against unauthorised or unlawful access to, or processing of, personal information.
(h) Principle 8: Individual participation: Where personal information is collected, the data subject is entitled to obtain, free of charge, confirmation whether and what personal information is being kept.
What happens if businesses do not comply with POPI?
Any person may submit a complaint to the proposed Commission alleging that any action is, or appears to be, for instance, a breach of any information protection principle. A complaint may be made either orally or in writing. A complaint made orally must be put in writing as soon as reasonably practicable. The Commission must provide such reasonable assistance as is necessary in the circumstances to enable an individual who wishes to make a complaint to the Commission to put the complaint in writing. It is then the function of the Commission to conduct investigations and decide whether or not to take formal action.
If the Commission is satisfied that a responsible party has interfered with the protection of the personal information of a person by, for instance, breaching the information protection principles, the Commissioner may serve a notice on the responsible party requiring the responsible party to refrain from proceeding with the processing of personal information within a specified period.
A data subject (the individual involved) or the Commission may also institute civil court proceedings against any responsible party who has contravened the provisions of the Act for, inter alia, payment of damages, interest and costs of suit.
Any person who hinders, obstructs or unduly influences the Commission or any person acting on behalf of, or under the direction of the Commission in the performance of the Commission’s duties and functions under this Act, will be guilty of an offence. Any person convicted of an offence may be imprisoned or fined or both.
How can we help you?
We would be happy to assist you in complying with the proposed POPI Act. In this regard, we inter alia offer the following legal services:
- Analysing and changing data collection and archiving processes.
- Drafting or updating internal data protection policies.
- Drafting or updating order forms, client forms or other consumer agreements.
- Drafting or updating website terms and conditions to comply with the POPI Act.
- Drafting or updating agreements with service providers assisting with data processing.
Kindly note that the above information consists of general remarks and not formal legal advice; as each business’ needs and circumstances may vary, please contact us with your specific query. We look forward to hearing from you.