POPI Act

WHAT IS POPI?

THE PROTECTION OF PERSONAL INFORMATION ACT EXPLAINED

In simple terms, the purpose of the POPI Act is to ensure that all South African institutions conduct themselves responsibly when collecting, processing, storing and sharing another party’s personal information, and to hold them accountable should they abuse or compromise that information in any way. The POPI legislation treats your personal information as “precious goods” and therefore aims to give you, as the owner of your personal information, certain rights of protection and the ability to exercise control over:

  • when and how you choose to share your information (requires your consent)
  • the type and extent of information you choose to share (must be collected for valid reasons)
  • transparency and accountability on how your data will be used (limited to the purpose) and notification if/when the data is compromised
  • providing you with access to your own information as well as the right to have your data removed and/or destroyed should you so wish
  • who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorized people, even within the same company, from accessing your information
  • how and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised)
  • the integrity and continued accuracy of your information (i.e. your information must be captured correctly and, once collected, the institution is responsible for maintaining it)

It must however be noted that some personal information, on its own, does not necessarily allow a third party to confirm or infer someone’s identity to the extent that this information can be used or abused for other purposes. The combination of someone’s name and phone number and/or email address, for example, is a lot more significant than just a name or phone number on its own. The Act also defines a “unique identifier” as an identifier that “uniquely identifies that data subject in relation to that responsible party”.

We have to accept that we now live in an information age and along with this progress comes the responsibility for each person to take care of and protect their own information. Do not accuse someone else of sharing or compromising your personal information when you publish the very same information on public services like Facebook, LinkedIn, Google+ or public directories. Modern technology makes it easy to access, collect and process high volumes of data at high speed. This information can then be sold, used for further processing and/or applied towards other ends. In the wrong hands such an ability can cause irreparable harm to individuals and companies. To protect your right to privacy and prevent abuse of your information, data protection legislation is necessary, even if it means imposing some limits on society to balance technological progress. So remember: the POPI Act cannot protect you if you do not take care to protect yourself.

It is important to note though that this right to protection of “personal information” is not just applicable to a natural person (i.e. an individual) but to any legal entity, including companies and also communities or other legally recognised organisations. All of these entities are considered to be “data subjects” and are afforded the same right to protection of their information. This means that while you as a consumer now have more rights and protection, you and your company/organisation are also considered “responsible parties” and have the same obligation to protect other parties’ personal information. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, etc.

The POPI legislation is not unique to South African law. Many countries have similar legislation in place to protect the personal information of their “data subjects”, including rules and regulations for international (cross-border) transfer and sharing of data. The general consensus seems to be that, apart from an unrealistic implementation period of one year and some practical implementation challenges, the POPI Act is well thought out and borrows from the “best of” other similar international laws, learning from their mistakes and shortcomings.