POPI Act Part 1: An Introduction

In all instances, the Act refers to the POPI Act No. 4 of 2013.

You can download the Act here.

The POPI Act was signed into law in 2013. A longer lead-in time was given so that bigger businesses have enough time to ensure compliance. The Act affects all businesses, including small businesses and start-ups, even if you just run a little one-man business from home. If you collect personal information in any way for business purposes, you need to comply with the POPI Act.

Other than the Promotion of Access to Information Act (PAIA), POPI is here to stay. The protection of personal information is an international trend and most countries have already drafted laws to protect data privacy.

Thanks to the internet, information is easy to obtain and distribute, regardless of location and country. Privacy laws aim to protect citizens from unauthorised use of their personal information. If a country does not have privacy laws, and laws to protect personal information, in place, it will be excluded from trading with countries that do. Given the current state of the economy, this is something South Africa can't afford.

1. The intention of the Act?

Follow this link for the definitions of all terms related to the POPI Act.

 

2. The purpose of the Act? 

The POPI Act gives effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party, subject to justifiable limitations. It aims to balance the right to privacy against other rights, like the right of access to information, and to protect important interests, for example the free flow of information within the Republic and across international borders.

It regulates the manner in which personal information may be processed by establishing conditions in harmony with international standards that prescribe the minimum threshold requirement for the lawful processing thereof. 

It provides persons with rights and remedies to protect their personal information from processing not in accordance with the POPI Act. It also establishes voluntary and compulsory measures, including the establishment of an Information Regulator to ensure respect for and promote, enforce and fulfil the rights protected by the Act.

3. Application and Interpretation

The POPI Act applies to the processing of personal information entered into a record, by or for a responsible party, by use of automated or non-automated means. When processed by non-automated means, it should form part of, or be intended to form part of, a filing system. The responsible party must be located in the Republic or, if not, make use of automated or non-automated means within the Republic, unless the aim is only to forward personal information through the Republic.

If any other legislation provides conditions for the lawful processing of personal information that is more extensive than this Act, the most extensive conditions will apply.

Interpretation of the Act should give effect to its purpose. It shouldn't prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law. It should be done in accordance with this Act or other legislation that regulates the processing of personal information.

Automated means is any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

A data subject has the right to have personal information processed in accordance with the conditions for the lawful processing thereof. This means the right to be notified that personal information is being collected, and to be notified if personal information has been accessed or acquired by an unauthorised person, as well as the right to:

1. discover if a responsible party holds personal information and to request access to this information.

2. request as necessary correction, destruction or deletion of personal information.

3. object on legitimate grounds relating to a particular situation to the processing of personal information.

4. object at any time to the processing of personal information for direct marketing via unsolicited electronic communications.

5. under no circumstances be subjected to a decision based solely on automated processing of personal information for the purpose of providing a profile of such a person.

6. submit a complaint to the Information Regulator regarding alleged interference with the protection of personal information of any data subject, or any complaint in respect of an adjudicator.

7. institute civil proceedings regarding an alleged interference with regards to the protection of personal information.

4. Exclusions:

4.1 General:

The following exclusions apply to the processing of personal information:

· if it is a purely personal or household activity.

· if it has been de-identified to such an extent that it cannot be re-identified.

· if processed by or on behalf of a public body and the processing involves national security, or if it assists in the identification of the financing of terrorist and related activities, or is for the purpose of defence or public safety.

· if the purpose is prevention, detection or assistance in identification of unlawful activities, such as money laundering, or the investigation of proof of offences, prosecution of offenders or the execution of sentences or security measures. Adequate safeguards must be implemented for the protection of such personal information.

· if processed by the Cabinet and its committees or the Executive Council of a province.

· if relating to the judicial functions of a court.

4.2 Journalistic, literary or artistic purposes

The POPI Act does not apply to the processing of personal information for the sole purpose of journalistic, literary or artistic expression. This exclusion is necessary to reconcile - as a matter of public interest - the right to privacy with the right to freedom of expression.

Any party that processes personal information for a journalistic purpose must adhere to a code of ethics, which should provide adequate safeguards for the protection of personal information.

THE CODE OF ETHICS MUST COVER:

· the special importance of the public interest in freedom of expression.

· domestic and international standards balancing the public interest of free flow of information.

· the public interest in safeguarding the personal information of data subjects.

· the need to secure the integrity of personal information.

· domestic and international standards of professional integrity for journalists.

· the nature and self-regulatory forms of supervision provided by the profession.

Only Chapters 3, 8 and 9 of the POPI Act deal with the responsibilities of businesses. In the next part of this series, we will look at Chapter 3, dealing with the conditions for the lawful processing of information.

 

Source: Government Gazette Vol. 581; No. 37067 November 26, 2013 POPI Act No. 4 of 2013.

Next: POPI Act Part 2 - Conditions for the lawful processing of personal information

More articles by Susan van der Walt