UNDERSTANDING POPIA AND ITS IMPLICATIONS
overview
The Protection of Personal Information Act (POPIA) establishes rights and duties intended to protect personal information. Its aim is to balance the legitimate need of organisations to collect and use personal information for business and other purposes against the individual's right to privacy in respect of that information. All organisations, including retirement funds and their service providers, must be fully compliant with POPIA.

POPIA, promulgated on 26 November 2013, gives effect to the right to privacy and aims to protect the personal information of individuals (data subjects). Its origins lie in the Constitution of South Africa: section 14 of the Bill of Rights states that "everyone has the right to privacy", and a person's personal information forms part of that right. POPIA is the legislation that ensures personal information is afforded defined levels of protection once it is in the hands of other private or public bodies. Before POPIA, individuals were exposed to the unregulated gathering, retention, distribution, processing and use of their information, and Parliament introduced the Act to protect citizens against the growing misuse of personal information.

The stated purpose of POPIA includes, inter alia:
a. to promote the protection of personal information processed by public and private bodies;
b. to introduce certain conditions so as to establish minimum requirements for the processing of personal information; and
c. to regulate the flow of personal information across the borders of South Africa.

In practical terms, POPIA sets conditions for the lawful processing of personal information in order to protect the public from harm, such as financial loss and identity theft, and generally to protect the privacy of citizens.
POPIA applies to a particular activity, the processing of personal information, rather than to a particular person or organisation. If you process personal information, you must comply with POPIA and, in particular, must handle personal information in accordance with its conditions for lawful processing. If you collect or hold information about an identifiable individual, or if you use, disclose, retain or destroy that information, you are processing personal information. The scope of POPIA is very wide: it applies to almost everything you might do with an individual's personal details, including those of your employees. Retirement funds, as well as their service providers such as administrators and benefit consultants, are therefore required to comply fully with POPIA.

The substantive sections of POPIA came into effect on 1 July 2020, with a grace period of 12 months from that date in which to comply. All entities were therefore expected to be fully compliant with the provisions of POPIA by 1 July 2021.

POPIA legislation

POPIA contains eight conditions for the lawful processing of personal information, commonly referred to as the eight protection principles:

1. Accountability: The responsible party is accountable for compliance with POPIA, including where it outsources processing to an operator acting on its behalf.
2. Processing limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe the data subject's privacy. Taking into account the purpose of the processing, the information processed must be adequate, relevant and not excessive (minimality), and the processing must rest on the data subject's consent or on another lawful justification recognised by the Act.
3. Purpose specification: The responsible party must collect personal information for a specific, explicitly defined and lawful purpose related to its functions or activities, and the data subject must be aware of that purpose. Records may not be retained for longer than is necessary to achieve that purpose, unless the Act or another law permits it.
4. Further processing limitation: The responsible party may only use personal information for another ("further") purpose if that further purpose is compatible with the purpose for which the information was originally collected.
5. Information quality: The responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary.
6. Openness: The responsible party must maintain documentation of its processing operations and must take reasonably practicable steps to notify the data subject of certain information when collecting personal information, such as what information is being collected; the name and address of the responsible party; the purpose for which the information is collected; whether supplying the information is voluntary or mandatory; the consequences of failing to provide it; and any particular law that authorises or requires the collection.
7. Security safeguards: The responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it. Any operator processing personal information on its behalf must be bound, by written contract, to the same standard. Where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subject(s) of the compromise.
8. Data subject participation: Data subjects may ask whether a responsible party holds personal information about them, may request access to it, and may request that it be corrected or deleted.

These eight conditions are explained in more depth on pp. 10-13.