The purpose of Act to is protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to information, and to regulate how personal information is processed.
The basis of the POPI Act
The basis of the POPI Act is that organisations need to conduct themselves responsibly – responsible corporate citizenship. Organisations should not only be responsible, but should be seen to be responsible corporate citizens. Part of this responsibility is to protect the information inside the organisation, to be responsible when it comes to the process of storing and sharing personal information. Personal information is to be seen as precious goods and that the act requires organisations to exercise control over these precious goods.
What constitutes as personal information under the POPI act?
- Identity or passport number
- Date of birth and age
- Phone numbers
- Email address
- Online messaging identities
- Physical address
- Gender, race and ethnic origin
- Photos, voice recordings, video footage
- Marital relationship and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information including medical history
- Membership of organisations
The impact of technology on protecting personal information
Due to technology convergence, there is an increased opportunity for attacks. Everyone with a cellphone, iPad and laptop are aiders and abettors to cyber criminals. Every device offers a hacker an opportunity to get into personal information. Social media sites like Facebook and LinkedIn also serve as a bank of personal information, which, in criminal hands, can cause serious harm to both individuals and organisations. Every person has a duty to protect him or herself, and the POPI Act cannot protect one if one doesn’t care to protect oneself.
Who does the act apply to?
The act also applies to other than a natural person; it, therefore, includes companies or any other legally recognised organisation. All organisations are seen as data subjects and are afforded the same right of protection. The Act applies to anyone who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving, or using such information; or disseminating, distributing or making such personal information available. The Act will also relate to records which you already have in your possession.
POPI as a universal application
Most countries have a POPI Act and South Africa’s POPI Act is based on UK legislation. Ignorance of the law is no excuse and companies need to update IT systems and start training and educating staff, since early action is essential.
When will it come into force?
The Act came into effect 1 July 2020. Companies will have 12 months to comply with the conditions of the act. The act will become enforcable on the 1st July 2021.
What are your rights?
We all have the right to be told if someone is collecting our personal information, or if our personal information has been accessed by an unauthorised person. We have the right to access our personal information. We also have the right to require our personal information to be corrected or destroyed, or to object to our personal information being processed.
The Act does not apply to personal information processed in the course of a personal or household activity, or where the processing authority is a public body involved in national security, defence, public safety, anti-money laundering, or the Cabinet or Executive Council of the province or as part of a judicial function.
Personal information can only be processed: – (section 11)
with the consent of the “data subject”; or
if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
it is required by law; or
it protects a legitimate interest of the “data subject”; or
it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.
We all have the right to object to having our personal information processed. We can withdraw our consent, or we can object if we can show legitimate grounds for our objection.
A Responsible Party has to collect personal information directly from the “data subject”, unless:
This information is contained in some public record or has been deliberately published by the data subject.
collecting the information from another source does not prejudice the subject;
it is necessary for some public purpose; or to protect your own interests;
obtaining the information directly from the subject would prejudice a lawful purpose or is not reasonably possible.
You can only collect personal information for a specific, explicitly defined and lawful purpose and the subject must be aware of the purpose for which the information is being collected. (section 13)
Once the personal information is no longer needed for the specific purpose, it must be disposed of (the subject must be “de-identified”), unless you need to keep it (or are allowed to keep it) by law, or you need to keep the record for your own lawful purpose or in accordance with the contract between yourself and the subject, or the subject has consented to you keeping the records. (section 14)
You are entitled to keep records of personal information for historical, statistical or research purposes if you have established safeguards to prevent the records being used for any other purposes.
Records must be destroyed in a way that prevents them from being reconstructed.
You can only use personal information that you have collected for the purpose which you collected it for. (section 15)
Documentation relating to personal information and how it has been processed must be maintained as referred to in section 14 or 51 of the Promotion of Access to Information Act.
When information is being collected, subjects must be made aware of: (section 18)
the information that is being collected and if the information is not being collected from the subject,
the subject must be made aware of the source from which the information is being collected;
the name and address of the person/organisation collecting the information;
the purpose of the collection of information; whether the supply of the information by the subject is voluntary or mandatory;
the consequences of failure to provide the information; whether the information is being collected in accordance with any law;
If it is intended for the information to leave the country and what level of protection will be afforded to the information after it has left South Africa.
who will be receiving the information;
that the subject has access to the information and the right to rectify any details;
that the subject has the right to object to the information being processed (if such right exists);
that the subject has the right to lodge a complaint to the Information Regulator. The contact details of the Information Regulator must also be supplied.
These requirements have to be met before the information is collected directly from the subject, or soon as reasonably practicable thereafter if the information is not collected directly from the subject, unless the subject is already aware of these rights. If you collect additional information from a subject for a different purpose, you have to go through this process again. S18(3)
I therefore envisage all clients of estate agents signing a form acknowledging that they are aware of their rights before you fill in any personal details on a mandate or an offer to purchase or a FICA form.
It is not necessary to meet these requirements if the subject has consented to non-compliance or if, by non-compliance, the rights of the subject would not be prejudiced, or if by compliance you would prejudice some public interest, or if the information is only going to be used for historical statistical research purposes, or if the subject is not going to be identified.
If we collect personal information how must we handle it?
Anybody who keeps personal information has to take steps to prevent the loss, damage, and unauthorised destruction of the personal information. They also have to prevent unlawful access to or unlawful processing of this personal information. (section 19)
We have to identify all risks and then establish and maintain safeguards against these identified risks. We have to regularly verify that the safeguards are being effectively implemented and update the safeguards in response to new risks or identified deficiencies in existing safeguards.
Anybody processing personal information on behalf of an employer must have the necessary authorisation from the employer to do so. They must also treat the personal information as confidential. (section 20)
Such a person must have a written contract with their employer in which they are specifically obliged to maintain the integrity and confidentiality of the personal information and to implement the established safeguards against identified risks.
This employee is also obliged to notify their employer if they believe that personal information has fallen into the wrong hands (section 21(2))
I can therefore see new employment contracts for administrative staff and data capturers, and for any employees who deal with personal information, to comply with these requirements.
If there has been a breach and personal information has been accessed or acquired by any unauthorised people you need to notify the Information Regulator, and the subject (if you still know who the subject was). The notification to the subject needs to provide sufficient information to allow the subject to protect themselves against the possible consequences of the personal information falling into the wrong hands.
We all have the right to enquire as to whether somebody has our personal information, all we have to do is provide proof of identity and this information must be provided free of charge. We can also find out what this information consists of and if this information has been disseminated to any third parties. For these last bits of information however we might have to pay a fee. Access to this information is also subject to the Promotion of Access to Information Act.
We all have the right to have our personal information corrected or deleted if it is inaccurate, irrelevant, excessive, dated or misleading, or if it has been obtained unlawfully, or if the responsible party is no longer authorised to retain the information.
The Act creates a special category of personal information called “special personal information”. This relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information. Also included in this category is information relating to the alleged commission of any offence or any proceedings in respect of any offence allegedly committed and the outcome of such proceedings. (section 26)
You are not allowed to process this special personal information unless it is done with consent; or is necessary in law; or is done for historical, statistical or research purposes; or the information has been deliberately made public by the subject.
I do not think that this will prevent processing of information concerning the conviction of a subject for a criminal offence, as such an offence will then no longer be “alleged”.
There are also limited exceptions to the prohibition against the processing of “special personal information”.
These relate to situations when this information is specifically relevant and constitutes the purpose for which the information is being collected, for example for the purposes of BEE or for insurance.
Special rules apply to the processing of personal information of children. (section 35)
The Information Regulator has the power to grant exemptions to allow people to process personal information without complying with the Act if the public interest outweighs the subject’s rights of privacy or where there is a clear benefit to the subject. Such exemptions may be granted upon conditions.
Exemptions may also be granted for the processing of personal information for the purposes of discharging a “relevant function”. A relevant function would include the processing of personal information with a view to protecting members of the public against:
financial loss due to dishonesty of persons in the banking or financial services industry;
and dishonesty by persons authorised to carry on any profession or other activity.
Direct Marketing
Section 69 of the Act outlaws direct marketing by means of any form of electronic communication unless the subject has given their consent. Such an electronic communication obviously includes emails and SMSs. Automatic calling machines are also included. A subject can only be approached once to obtain such a consent. Once such consent is refused, it is refused for ever.
Slightly different rules apply if the subject is a customer. Here the customer’s contact details must have been obtained in the context of the sale of a product or a service, the direct marketing by electronic communication can only relate to the suppliers own similar products or services, and the customer must have been given the right to opt out at the time that the information was collected and each time such a communication is sent.
Anybody sending out direct marketing electronic communications has to disclose the identity of the advertiser and provide an address to which the customer can send a request to opt out.
Any subject whose name is included in any type of directory must be advised of the purpose of the directory and about any future uses to which the directory might possibly be put, based on search functions embedded in electronic versions of the directory. Such a subject must be given the opportunity to object to such use of the personal information. This will however not apply to directories that were printed or which were created in off-line electronic form prior to the commencement of this section.
If your personal information is contained in a public subscriber directory which has been prepared in accordance with the safeguards set out in the Act, prior to the commencement of this portion of the Act, your personal information can remain in the directory provided that the subject has received notification about the purposes of the directory and the future uses to which the directory might be put. Once again the subject must be given the opportunity to opt out. (section 70)
The Act controls the transfer of personal information from South Africa to foreign countries and prohibits this unless: (section 71)
the person receiving the information is subject to similar laws;
the subject has agreed to the transfer of information;
such transfer is part of the performance of a contract which the subject is a party; or
transfer is for the benefit of the subject and it is not reasonably practicable to obtain their consent and that such consent would be likely to be given. (section 72)
Offences, penalties and administrative fees
Sections 100 – 106 deal with instances where parties would find themselves “guilty of an offense”. The most relevant of these are:
Any person who hinders, obstructs or unlawfully influences the Regulator;
A responsible party which fails to comply with an enforcement notice;
Offences by witnesses, for example, lying under oath or failing to attend hearings;
Unlawful Acts by responsible party in connection with account numbers;
Unlawful Acts by third parties in connection with account number.
Section 107 of the Act details which penalties apply to respective offenses. For the abovementioned offences the maximum penalties are a fine or imprisonment for a period not exceeding 10 years or to both a fine and such imprisonment. For the less serious offences, for example, hindering an official in the execution of a search and seizure warrant the maximum penalty would be a fine or imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.