This is the first of three articles that deal with the Protection of Personal Information Bill (POPI). POPI is set to become law shortly and, when it does, it will have significant implications, both for the citizens of this country whose information is processed by any number of companies and public bodies, and for the companies and public bodies that are doing the processing.
POPI introduces data protection to South Africa. Data protection has been around for some time in the developed world, but it’s been a long time coming here. The purpose of POPI is very clear: to promote the protection of personal information that’s processed by the private and public sectors. The lawmaker has sought to balance the right of privacy that's recognised by the Constitution with various needs and interests, like the need for economic and social progress within the context of the information society, and the interest in a free flow of information, both domestically and internationally.
So what exactly does POPI do, and how does it do it? Let’s start with the what: POPI regulates the processing of personal information within South Africa. But what exactly does that mean? Well, POPI is concerned with the following:
- the processing,
- of personal information,
- that’s entered in a record,
- by a company or public body that’s domiciled in South Africa, or one that’s domiciled elsewhere but uses automated or non-automated means situated in South Africa.
Some of these terms are defined in POPI. The definition of ‘processing’ is very broad, and it seems to include every conceivable action - collecting information, receiving it, storing it, updating it, modifying it, disseminating it, even destroying it. The term ‘personal information’ is as broadly defined. It covers, for example, information relating to the race, sex, pregnancy, marital status, ethnicity, colour, sexual orientation, age, health, religion, language and education of a person. It covers medical, financial, criminal and employment histories. It covers ID numbers, addresses, telephone numbers and blood types. It covers personal opinions, the private correspondence of a person, and the views that other people have of a person. It even includes the mere name of a person, if the name appears together with other personal information. A ‘record’ is defined to include recorded information in any form that is in the possession or control of a company or public body, irrespective of whether or not it created it.
Pretty comprehensive then! But there are some exclusions. POPI does not affect the processing of personal information:
- in the course of a purely personal or household activity;
- that has been deleted to the extent that it can’t be resurrected;
- by or for the State, if it involves national security, defence, public safety, or the prevention of crime;
- for exclusively journalistic purposes, by media companies that are subject to a code of ethics that has safeguards for the protection of personal information;
- by Cabinet, Provincial Executive Councils and Municipal Councils;
- if it relates to the exercise of judicial functions;
- if it has been specifically exempted;
- in cases where other legislation regulates the processing of that information.
So, barring a few exceptions that have little application to the corporate world, POPI regulates the processing of all personal information that takes place in South Africa. But how does it do it? Well, the requirements are both long and complex, and they will impose significant compliance burdens on South African companies and public bodies. I’ll deal with these requirements in some detail in the second and third articles, but a short overview follows.
The most important measure created by POPI is the eight Information Protection Principles (the Principles) that apply to all those companies and public bodies that process personal information - in the slightly Orwellian language of POPI, the company or public body that’s responsible for processing the information is referred to as the ‘Responsible Party’, whereas the individual, or indeed company, whose information is being processed is the ‘Data Subject’. One of the Principles requires the Responsible Party to obtain the information directly from the Data Subject. Another says that the Responsible Party must get the Data Subject’s consent to the processing of information. Yet another obliges the Responsible Party to make sure that the information is accurate. The Principles are very detailed and some of them contain a number of exceptions. I’ll discuss the Principles in greater depth in the second article.
POPI provides that the information officer appointed by every company and public body in terms of the Promotion of Access to Information Act (PAIA) will be the ‘Information Protection Officer’ for the purposes of the new legislation, and that this person will ensure that the organisation complies with the Principles, and deals with requests made by outsiders.
POPI creates an ‘Information Protection Regulator’, a body that will consist of a chairperson and four other members. The Regulator, which will be independent and subject only to the Constitution, will be responsible for promoting and enforcing the Principles on a national level, and it will have the power to investigate complaints. The Regulator will also have the power to draft or approve category-specific or industry-specific codes of conduct. Once a code of conduct has been created, it will regulate the processing of information within that category or industry.
POPI does various other things too. It provides that the Regulator can give a Responsible Party the authority to process personal information even if that processing breaches one of the Principles, provided that certain benefits flow from the processing. POPI makes specific provision for the processing of personal information for the purposes of direct marketing. It makes specific provision for cross-border information flows. It creates mechanisms for enforcement, and it creates new offences. All to be discussed in the follow-up articles!