Most of the remaining provisions of the Protection of Personal Information Act have come into operation on 1 July 2020.
That means that the start of the anticipated 12 month transition period is 1 July 2020 and that the effective date for enforcement (the date by which organisations must be compliant) will be 30 June 2021. Although there will be no sanctions for non-compliance until that time, organisations must work towards compliance as soon as possible - and there is a lot to do.
It is expected that there will be further communications covering practical implications such as the registering of Information Officers.
POPIA applies to all local and foreign organisations processing personal information in South Africa. The Act will impact on technology, policies, procedures and compliance frameworks across the business - including in ICT, HR and marketing.
What is POPIA?
POPIA is the South African version of the European Union's GDPR - it is a data privacy statute and it governs when and how personal information may and should be processed (collected, used, stored, handled and deleted). The main difference is that POPIA also regulates corporate personal information, whereas the GDPR does not.
The individual or organisation that specific personal information relates to, is referred to as the data subject and the person doing the actual processing (automated or non-automated) is an operator. POPIA protects personal information of data subjects by imposing minimum standards for its lawful processing. The Act also facilitates the right to privacy in relation to other rights, such as the right to access of information, and there are exceptions that apply in certain circumstances. In the case of a conflict / overlap with other legislation, the highest standard or privacy regulation will apply.
In simple terms, the purpose of the POPI Act is to ensure that all South African institutions, as well as individuals, conduct themselves in a responsible manner when collecting, processing, storing and sharing another person's or entity's personal information by holding them accountable should they abuse or compromise personal information in any way.
In technical terms, it is a general information protection statute designed to prevent the negligent disclosure of personal information. This means that an organisation or 'responsible party' must determine the purpose and means for the collection and processing of personal information in their possession - it must be done for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party. Then, it can also generally only capture, use and store personal information with express and informed consent - i.e. the details as to the purpose for which the personal information is sought and how the personal information of the data subject will be processed, must be set out when consent is sought.
In order to achieve these objectives, an Information Regulator has been established that is empowered to monitor and enforce compliance by public and private bodies with the Act.
What is personal information under POPIA?
Personal information has a wide meaning and includes information that identifies and relates to living individuals and affects their privacy; as well as organisations (e.g. company contact details and correspondence of a confidential nature).
So, what is personal information? Personal information includes, among other things, the following:
Information that has been shared publicly will not fall under the protection of POPIA; and some information may be processed if it has been sufficiently 'de-identified' or anonymised.
There are also categories of special personal information which are subject to even stricter processing obligations or specific approvals for cross-border transfer - e.g. information concerning race, union membership, health, biometrics, beliefs, ethnicity, and anything relating to minors (under 18). Exceptions exist, such as where processing is for historical, statistical or research purposes.
It will be important for organisations to establish a framework describing how information must be classified, treated and processed within the organisation - and the actual classification of any data should ideally be made by the relevant data subject. For example confidential, restricted, or public information.
What is POPI compliance?
Any and all processing of personal information must be done in accordance with 8 specific principles as outlined in the Act.
'Processing' means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information - including the collection, recording, organisation, storage, erasure, consultation, merging, modification, dissemination or transmission thereof. Any 'further processing' of such personal information must also be in accordance or compatible with the purpose for which the personal information was originally collected (with some exceptions); or by obtaining additional consent from the data subject.
The consent obtained by a data subject to process their personal information must be voluntary, informed and specific. It is therefore important to ensure from the outset that the responsible party provides a data subject with enough information regarding how and in what manner the provided personal information will be processed - and also to keep in mind the instances where further processing will occur. For example:
Whilst consent is the safest way to justify the processing of personal information, POPIA does provide additional circumstances that could justify this - such as where the processing is necessary to comply with a legal obligation, or where it protects a legitimate interest of the data subject, or where it is necessary for pursuing the legitimate interests of the responsible party or a third party to whom the information is supplied.
An organisation will need to establish measures that ensure that they only process personal information in permitted ways according to these principles and that it is appropriately protected from unauthorised access or loss. The measures that each organisation employs will be different, but in practice it will mean more policies and procedures and the need to establish a culture of data protection in the organisation.
📌 Online collection of personal information from clients or customers (e.g. via online profiles or registrations): Make sure that they expressly consent to the collection, sharing and storage of such personal information - such as through the business’ online terms and conditions.
📌 Service level agreements contain information about customers or third party service providers and need to have provisions in place to ensure that consent is provided to collect, store and disseminate this information. Similarly, when third parties are appointed to process personal information on the organisation's behalf, they should sign a written contract specifying their compliance with the required security measures.
📌 When employers gather personal information in relation to their own employees (or applicants for employment, consultants and contractors), they may not make free and unlimited use thereof but should ensure that their procedures comply with relevant data protection and surveillance laws:
The information so collected, should -
📌 As regards direct marketing, POPIA will have a profound impact - whether it’s direct marketing by post, telephone, email or SMS. Some points to keep in mind:
The Information Officer
An Information Officer (IO) must be appointed, authorised and given the responsibility for gathering the necessary information in order to define and plan what is necessary for the establishment of an internal security management system.
POPI provides that the Information Officer is responsible for, amongst other things:
The duties of an Information Officer are far-reaching and Regulations have already been published outlining these at the end of 2018. The Regulations require that, in addition to any other responsibilities, an Information Officer must:
The Information Officer must be registered with the Regulator (by default the head of the organisation will be the IO) and will be the liaison between the organisation and the Regulator. The IO is also responsible for compliance and for dealing with requests for information. There is provision for deputy IO's to be appointed / designated.
POPIA also prescribes mandatory notification protocols in the case of data breaches.
What are the benefits of POPIA?
POPIA provides organisations with the opportunity to analyse and have more control over the data handled within the organisation and to better understand its purposes. Better data management can increase the efficiency and effectiveness of any business.
Consumers will also benefit from POPIA’s requirements in that their personal information must be protected and that it can only be collected or handled where there is a lawful justification for doing so. POPIA gives consumers specific rights in respect of organisations handling their personal information and greater control over it. Consumers are informed about what personal information is collected, by whom and why, so that they are able to make informed decisions.
How is POPIA enforced and what are the consequences of non-compliance?
The Information Regulator has broad powers in terms of search and seizure, imposing administrative fines, litigating on behalf of data subjects, dealing with complaints, issuing notices, etc. The statutory fines and penalties vary depending on the offence, with imprisonment or up to a R10 million fine for criminal offences in terms of the Act.
An employer (as the 'responsible party') could also potentially be held vicariously liable for the actions of its employees in contravening the provisions of POPIA and might be sued for damages. Whilst there are some legitimate defences to such claims, ignorance of the law is not one of them. Also, employees could lodge complaints with the Information Regulator; or institute civil suits against their employer in respect of issues relating to the protection of their personal information.
Clients and customers may do the same in terms of possible breaches by a responsible party. Organisations that regularly process special personal information (schools, medical institutions, retirement homes, etc.) are particularly vulnerable in this regard.
The way forward
Information security is not something that can be purchased or outsourced. Certain functions relating to the processing of information may however be outsourced, such as the provision of IT and communications services, retention of backup media, or the storage and destruction of dead files.
The way forward is in developing a strategic plan which successfully defines the information system relevant to your business, combining staff training, technology capacity and information governance towards ensuring POPIA compliance.
In short, organisations will need to:
🔷 Appoint an information officer
🔷 Plan and allocate resources (including budgets) to lawfully collect, handle and dispose of data - including physical- and cyber-security measures
🔷 Conduct an audit / analysis in terms of the current information in your possession and how it should be classified
🔷 Analyse current practices in dealing with personal information and draft or review your existing data protection policy and other documents in line with the requirements set out in POPIA (this may include employment contracts, non-disclosure agreements, contracts with third parties or service providers, client forms, HR forms and policies, etc.). For the workplace, and depending on the size and resources of the employer, policy items or separate policies may include:
🔷 Proactively implement the requirements of POPI to be able to meet the compliance deadline of 30 June 2021 - i.e. specify deliverables and timelines
🔷 Awareness and training programmes for staff
🔷 Risk management reviews - possibly considering aspects such as cyber liability insurance, etc..
How we can help you
To sum up: Organisations are required to put appropriate and reasonable technical and organisational measures in place to secure the integrity and confidentiality of any personal information in their possession or control. This they must do by establishing and maintaining both technological and physical safeguards in respect of all electronic and physical personal data. They must identify reasonably foreseeable risks, and regularly verify that these safeguards are effective and that they are updated in response to control failures or new risks.
We have developed toolkits and processes to assist clients in this regard. Our aim is to offer a POPIA-related service with a 3-pronged approach:
Our approach is to take clients through the process step by step (and as your budget allows): introductory training via a virtual platform; assistance with the information audit / gap analysis; drafting and implementation of the necessary policies and contract clauses; and then also the provision of cybersecurity solutions from our IT partner, Convexum Solutions. Also be sure to follow our POPI-hashtags on social media: #POPIAtips and #POPIbytes.
Contact us to find out more. We'll tailor a solution to meet your needs and your budget.
© Judith Griessel