On 1 July 2020, the Protection of Personal Information Act 4 of 2013 (POPIA, "the Act") became effective. The Act requires all businesses that process the personal information of natural persons or juristic persons to comply with the Act's eight conditions for lawful processing by 1 July 2021. There are severe penalties for non-compliance by a responsible party, such as a fine of between R1 million and R10 million, or imprisonment of between one and ten years. The Act also makes provision for the payment of compensation to data subjects who suffer damages as a consequence of the responsible party's non-compliance. Thankfully, businesses have 12 months from 1 July 2020 to comply with the Act, which is good news given the number of companies that have recently experienced data breaches.
It is important to remember that "personal information" and "processing" are very broadly defined in the Act. Processing includes the use, collection, communication, organisation, storage, deletion, transfer, dissemination, linking and copying of any information capable of identifying a person, including contact details, medical information, financial information, criminal information, employment information, educational information, biometric information, opinions, preferences and geolocation.
Once an organisation has identified that it is processing personal information, it is required to consider how each item of personal information is to be processed, in line with the eight conditions of the Act:
- Accountability - identifying who the responsible party is (i.e. the business processing the information for a specific purpose) and distinguishing the business from operators (third parties who will process personal information on your behalf).
- Process limitation - the personal information must be lawfully collected, adequate, relevant and not excessive to the purpose of processing.
- Process specification - personal information must be processed for a specific purpose, and should preferably be obtained directly from the data subject, who is aware of this purpose and has consented to the collection, retention and destruction of the information.
- Further processing limitation - businesses are prevented from taking personal information already collected and using it further, if the use is not compatible with the original purpose for which it was collected.
- Information quality - businesses must take reasonable steps to ensure the personal information is complete, accurate, up-to-date and not misleading.
- Openness - data subjects should be kept apprised of the personal information being processed and, together with the Information Regulator, notified should any personal information be compromised.
- Security safeguards - the business should take the necessary security measures to ensure the integrity and confidentiality of the personal information, so that it is processed only by authorised persons. An appropriate incident response plan must be prepared in the event that a data breach occurs.
- Participation - data subjects should be made aware of their processing rights and be permitted to update their personal information should any of it be outdated; where the business needs to contact the data subject in order to continue processing the personal information, the data subject should have provided informed consent and explicitly consented to the continued processing.
How does a business go about becoming compliant? It is recommended that businesses perform POPIA risk and readiness assessments, taking into account various factors and answering the following questions in order to prepare a POPIA policy:
- What special personal information are you collecting? (information pertaining to minors, criminal information, medical information, biometric information, etc.)
- How are you collecting personal information?
- Why are you collecting the personal information?
- What will the personal information be used for?
- Who will the personal information be shared with?
- What are your storage, retention and destruction protocols and procedures?
- What security measures do you have in place and what is the breach protocol procedure?
- Are you transferring the personal information across the South African border?
- Have you provided the data subject with a consent form informing them of their rights?
- Have you appointed an information officer, i.e. the person in the business who will be responsible for ensuring compliance with the Act?
- Do you have a dispute and complaints forum?
Once a business has answered the above questions, it should be in a position to ascertain where its non-compliance risks lie and devise a project plan to become compliant before 1 July 2021.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.