POPI Act - Article 2: Conditions of Lawful Processing
With the POPI Act becoming effective on 1 July 2021, there are only a few months left to ensure your company is compliant. Continuing from my previous article about the POPI Act, which can be accessed HERE, Chapter 3 of the Protection of Personal Information (POPI) Act of 2013 deals with the Conditions for Lawful Processing of Personal Information, which form the backbone of the Act.
There are eight basic Information Protection Principles in the POPI Act that deal with the lawful processing of personal information by or for a responsible party. The second part of the chapter deals with the processing of special personal information (e.g., of children) with specific exemptions.
Compliance with POPI requires adherence to eight fundamental Information Protection principles. Taken together, the eight principles ensure that
· persons are told why their information is being collected,
· they agree to it and provide specific approval,
· the information is used only for the purpose for which it was collected,
· it is stored safely and securely, and
· it is retained only as long as necessary.
First, the POPI Act's definitions of the roles referred to below:
‘‘Regulator’’ means the Information Protection Regulator that is established in terms of the POPI Act;
‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
‘‘information protection officer’’ of, or in relation to, a—
(a) public body means an information officer or deputy information officer as per the Promotion of Access to Information Act (PAIA) of 2000;
(b) private body means the head of a private body as per PAIA;
‘‘data subject’’ means the person to whom personal information relates.
1. Accountability – POPI Section 8
The responsible party must take accountability for all the information in its domain and for the processing of that data by its operators. In fact, the responsible party is accountable for compliance with all eight principles.
2. Processing limitation – POPI Sections 9 to 12
Processing of information must be lawful, minimal and with consent, and must allow the data subject to object to processing. It must be adequate but not excessive, and relevant to the purpose for which it was collected. Information may only be collected directly from, and with the consent of, the data subject, unless it is data in the public domain or the collection is for an exempted reason such as law enforcement.
3. Purpose specification – POPI Sections 13 and 14
Information should only be collected for a specific, explicitly defined and lawful purpose related to the business of the responsible party. The responsible party must restrict the processing. Data must be destroyed as soon as possible after processing.
4. Further processing limitation – POPI Section 15
Any further processing of information must be aligned with the purpose of collection. There are lawful exemptions such as prevention of an imminent threat to public health or safety.
5. Information quality – POPI Section 16
The responsible party should ensure that information is correct, complete and up to date in respect of the purpose of processing.
6. Openness – POPI Sections 17 and 18
‘A responsible party must maintain the documentation of all processing operations under its responsibility’ according to the Act. This requires the responsible party to know and record all the data types that it collects and processes, and to be able to disclose them to the data subjects.
7. Security safeguards – POPI Sections 19 to 22
The responsible party must safeguard the information by taking appropriate, reasonable technical and organisational measures to prevent loss of, or unauthorised damage to or destruction of, personal information, and to prevent unlawful access to personal information.
8. Data subject participation – POPI Sections 23 to 25
A data subject has the right to ask whether a responsible party holds information about them. The data subject may further ask for that information to be disclosed, together with a record of the third parties who have access to it; the responsible party is thus required to keep such a record. Data subjects also have the right to request changes and to receive confirmation that the change has been made.
Processing of Special Personal Information
In addition to the principles, the processing of special types of personal information is restricted.
A responsible party may not process personal information such as the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject or the criminal behaviour of a person unless it is done with the consent of the data subject or some obligation in law. There are specific exceptions to this rule.
Processing the personal information of children younger than 18 years is prohibited without the specific consent of an authorised person, again subject to specific exceptions.
That’s it for this week.
Watch out for my next article in which I will start dealing with the steps you as business owner or manager can (and should) take towards compliance. For general background about the POPI Act, you can access the previous article HERE
Please leave a comment and look us up at www.hbh.solutions.