The Protection of Personal Information (POPI) Act will soon be tabled in parliament. The POPI Act outlines how companies may collect, handle, store and discard the personal information of others. The new regulations come with heavy penalties for those that fail to comply. POPI can only commence once the Information Regulator is operational. Once the commencement date of the Act is announced, which could be later this year, organisations will have 12 months to comply with the Act.
Who is the Information Regulator?
The Information Regulator is a new regulator that was created by the POPI Act. POPI gives the Information Regulator the power to investigate and fine responsible parties. The Information Regulator will also be able to accept complaints and act on those complaints.
Does POPI apply to me or my business?
POPI applies to every South African-based public or private body that, either alone or in conjunction with others, determines the purpose of or means for processing personal information in South Africa.
There are cases where POPI does not apply. Exclusions include:
- Purely household or personal activities;
- Sufficiently de-identified information;
- Some state functions including criminal prosecutions, national security etc;
- Journalism under a code of ethics;
- Judiciary functions etc.
What is Personal Information?
Personal Information means any information relating to an identifiable, living natural person or juristic person (companies, CCs, etc.) and includes, but is not limited to:
- Contact details: email, telephone, address etc;
- Demographic information: age, sex, race, birth date, ethnicity etc;
- History: employment, financial, educational, criminal, medical history;
- Biometric information: blood type etc;
- Opinions of and about the person;
- Private correspondence etc.
How to comply with POPI
Non-compliance with the Act could expose you to a fine and/or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and/or imprisonment of up to 10 years.
- Only collect information that you need for a specific purpose.
- Apply reasonable security measures to protect it.
- Ensure it is relevant and up to date.
- Only hold as much as you need, and only for as long as you need it.
- Allow the subject of the information to see it upon request.
While the purpose of the POPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another person’s personal information, one could argue that this should be seen as complementary to the digital ethics practices companies should already have started putting in place. Either way, POPI is coming and companies should start gearing themselves up before being caught out.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Please feel free to contact Brian Kahn for further information or specific and detailed advice. Errors and omissions excepted (E&OE)