An overview of the POPI Act and its impact on businesses.

The Protection of Personal Information (POPI) Act has been signed into law by the President and published in the Government Gazette Notice 37067 in November 2013. The Act came into full effect on 1 July 2021.

The Protection of Personal Information (POPI) Act, No 4 of 2013, promotes the protection of personal information by all public and private entities. The POPI Act serves various purposes, namely:

  • Regulating how personal information may be processed by establishing conditions that meet international standards for the lawful processing of personal information.
  • Ensuring the constitutional right to privacy by protecting personal information.
  • Establishing voluntary and compulsory measures, including an Information Regulator.
 
To whom does POPI apply?
 
  • Any public or private body or any other person which, alone or in combination with others, determines the purpose of and means for processing personal information (the Responsible Party). The Responsible Party of every company is accountable for ensuring and enforcing its own compliance.
  • Any person who processes personal information for a Responsible Party in terms of a mandate or agreement, without coming under the direct authority of the Responsible Party.

It’s really about taking special care of the personal information that is entrusted to you by your customers and clients. If you act recklessly with this information, you not only face regulatory sanctions, but you also run a real risk of damaging client relationships and your overall business reputation. Non-compliance may have far-reaching consequences and could expose the Responsible Party to a penalty or fine of R10 million and/or imprisonment of 12 months up to 10 years.

What personal information does POPI apply to?

Most businesses in South Africa will be impacted by the POPI Act in one or more ways. The personal information that the POPI Act protects is that of an identifiable person, including information relating to:

  • Gender, race, marital status, nationality, sex, mental health, religion, belief, language, etc.
  • Education or financial, criminal, medical and employment history.
  • Biometrics, including physical, behavioural or physiological characteristics (DNA analysis, retinal scanning, blood type, etc.).
  • Email address, telephone number, location information, online identifier, etc.
  • Correspondence of a private nature.
  • Opinions or views that another person has relating to the person.
  • The person’s name, if disclosure of the name would reveal information about the person.

Personal information does not refer to information that is already in the public domain or is not used or intended to be used for the purpose of trade or commerce.

What are the information processing conditions?

The POPI Act includes eight information processing principles or conditions, namely: accountability, data subject participation, further processing limitation, information quality, openness, processing limitation, purpose specification and security safeguards. These conditions ensure improved data quality and business management.

Who is the Information Regulator?

The Information Regulator is an independent juristic body that was appointed in 2016 in terms of POPI. The Information Regulator is, among other things, responsible for educating the public about POPI, handling complaints, and monitoring and enforcing compliance.