The Protection of Personal Information Bill (POPI) has recently been passed by Parliament and will soon be signed into law by the President. POPI aims to support the right to privacy of personal information of South African citizens when personal information is collected and processed by organisations.
This Bill brings South Africa in line with international data protection laws and contains eight conditions which the responsible parties (i.e. organisations that process personal information) need to comply with.
POPI currently provides for a transitional period of one year within which public and private bodies must comply. Organisations are however strongly advised to commence compliance initiatives as early as possible as the transitional period itself may not be sufficient time within which to put in place all requisite compliance mechanisms.
The heart of POPI - the eight conditions
POPI encompasses the following eight conditions:
Condition 1: Accountability
Organisations must assign responsibility for overseeing and managing compliance with the Bill to a suitable person.
Condition 2: Processing limitation
Personal information may only be processed in a fair and lawful manner that is transparent to the individual, thereby requiring the individual’s explicit consent. The amount of personal information that is collected should not be excessive in relation to its purpose.
Condition 3: Purpose specification
An organisation must ensure that personal information is only processed for specific, explicitly defined and legitimate reasons relating to the functions or activities of the organisation and it must furthermore take steps to make the data subject (person whose personal information is being processed) aware of the purposes for which the personal information will be processed. Personal information may only be kept for as long as it is required to fulfil the purpose for which it was collected.
Condition 4: Further processing limitation
Once an organisation has identified and obtained consent for specific, legitimate and explicitly defined purposes, the personal information may only be processed if it is necessary for the fulfilment of those purposes. An organisation may therefore only use personal information for those reasons that were specified at the time that the individual consented to the processing of the information, unless further consent of the individual is obtained.
Condition 5: Information quality
Organisations must maintain the quality of the personal information and as such all personal information must be kept reliable, accurate, up-to-date and relevant to the purposes for which it was collected.
Condition 6: Openness
Organisations are obliged to process information in a fair and transparent manner and individuals must be aware of the specific personal information held about them.
Condition 7: Security safeguards
All personal information should be kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure.
Condition 8: Data subject participation
Individuals have the right to access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated.
If an organisation collects a customer’s (styled a ‘data subject’) cellular phone number and birthdate, it must tell the customer why it requires this information. If, for example, it informs the customer that it wants to send him or her a birthday sms for the next five years, it may only use this information for sending such messages and not, say, for direct marketing. The organisation must keep the data subject’s information up to date and safe and may not give it to unauthorised parties. It could also only store this information for five years, unless the data subject agrees otherwise.
The responsibility for the monitoring and enforcement of compliance with POPI will rest with the Information Protection Regulator, an independent statutory body to be established once the Bill is passed into law.
As previously stated, responsible parties will only have one year from the commencement date of this new law to comply. Non-compliance with POPI may lead to a civil action for damages, regardless of whether intent or negligence can be proven on the part of the responsible party and to an enforcement notice being issued by the Regulator. Non-compliance with an enforcement notice is an offence and may lead to imprisonment not exceeding ten years. An administrative fine not exceeding ten million Rand may furthermore be imposed on a responsible party.