Summary of The POPI Act

The POPI Act aims to protect personal information while balancing privacy rights and the need for information flow. It applies to all organizations processing personal information and mandates responsible handling and safeguarding of such data. The Act, effective from July 1, 2020, outlines individuals' rights regarding their personal information and establishes penalties for non-compliance.

The purpose of the POPI Act is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed.

The basis of the POPI Act

The basis of the POPI Act is that organisations need to conduct themselves responsibly, as responsible corporate citizens. Organisations should not only be responsible, but should be seen to be responsible corporate citizens. Part of this responsibility is to protect the information inside the organisation and to act responsibly when storing and sharing personal information. Personal information is to be seen as precious goods, and the Act requires organisations to exercise control over these precious goods.

What constitutes personal information under the POPI Act?

- Identity or passport number
- Date of birth and age
- Phone numbers
- Email address
- Online messaging identities
- Physical address
- Gender, race and ethnic origin
- Photos, voice recordings, video footage
- Marital relationship and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs, including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information, including medical history
- Membership of organisations

The impact of technology on protecting personal information

Due to technology convergence, there is an increased opportunity for attacks. Everyone with a smartphone, iPad or laptop is an aider and abettor to cyber criminals, because every device offers a hacker an opportunity to get at personal information. Social media sites like Facebook and LinkedIn also serve as a bank of personal information which, in criminal hands, can cause serious harm to both individuals and organisations. Every person has a duty to protect himself or herself, and the POPI Act cannot protect one if one does not care to protect oneself.

Who does the Act apply to?

The Act also applies to persons other than natural persons; it therefore includes companies and any other legally recognised organisation. All organisations are seen as data subjects and are afforded the same right of protection. The Act applies to anyone who keeps any type of record relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving or using such information, or disseminating, distributing or making such personal information available. The Act also applies to records which you already have in your possession.

POPI as a universal application

Most countries have a POPI Act, and South Africa’s POPI Act is based on UK legislation. Ignorance of the law is no excuse, and companies need to update IT systems and start training and educating staff, since early action is essential.

When will it come into force?

The Act came into effect on 1 July 2020. Companies have 12 months to comply with the conditions of the Act. The Act becomes enforceable on 1 July 2021.

What are your rights?
We all have the right to be told if someone is collecting our personal information, or if our
personal information has been accessed by an unauthorised person. We have the right to
access our personal information. We also have the right to require our personal information
to be corrected or destroyed, or to object to our personal information being processed.

The Act does not apply to personal information processed in the course of a personal or
household activity, or where the processing authority is a public body involved in national
security, defence, public safety, anti-money laundering, or the Cabinet or Executive Council
of the province or as part of a judicial function.

Personal information can only be processed (section 11):

- with the consent of the “data subject”; or
- if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
- if it is required by law; or
- if it protects a legitimate interest of the “data subject”; or
- if it is necessary to pursue your legitimate interests or the interests of a third party to whom the information is supplied.

We all have the right to object to having our personal information processed. We can
withdraw our consent, or we can object if we can show legitimate grounds for our objection.

A Responsible Party has to collect personal information directly from the “data subject”, unless:

- the information is contained in some public record or has been deliberately published by the data subject;
- collecting the information from another source does not prejudice the subject;
- it is necessary for some public purpose, or to protect your own interests; or
- obtaining the information directly from the subject would prejudice a lawful purpose or is not reasonably possible.

You can only collect personal information for a specific, explicitly defined and lawful purpose
and the subject must be aware of the purpose for which the information is being collected.
(section 13)

Once the personal information is no longer needed for the specific purpose, it must be
disposed of (the subject must be “de-identified”), unless you need to keep it (or are allowed
to keep it) by law, or you need to keep the record for your own lawful purpose or in
accordance with the contract between yourself and the subject, or the subject has consented
to you keeping the records. (section 14)

You are entitled to keep records of personal information for historical, statistical or research
purposes if you have established safeguards to prevent the records being used for any other
purposes.

Records must be destroyed in a way that prevents them from being reconstructed.

You can only use personal information that you have collected for the purpose which you
collected it for. (section 15)

Documentation relating to personal information and how it has been processed must be
maintained as referred to in section 14 or 51 of the Promotion of Access to Information Act.

When information is being collected, subjects must be made aware of (section 18):

- the information that is being collected and, if the information is not being collected from the subject, the source from which the information is being collected;
- the name and address of the person/organisation collecting the information;
- the purpose of the collection of the information;
- whether the supply of the information by the subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- whether the information is being collected in accordance with any law;
- whether it is intended for the information to leave the country, and what level of protection will be afforded to the information after it has left South Africa;
- who will be receiving the information;
- that the subject has access to the information and the right to rectify any details;
- that the subject has the right to object to the information being processed (if such a right exists);
- that the subject has the right to lodge a complaint with the Information Regulator. The contact details of the Information Regulator must also be supplied.

These requirements have to be met before the information is collected directly from the subject, or as soon as reasonably practicable thereafter if the information is not collected directly from the subject, unless the subject is already aware of these rights. If you collect additional information from a subject for a different purpose, you have to go through this process again (section 18(3)).

I therefore envisage all clients of estate agents signing a form acknowledging that they are
aware of their rights before you fill in any personal details on a mandate or an offer to
purchase or a FICA form.

It is not necessary to meet these requirements if the subject has consented to non-compliance; if, by non-compliance, the rights of the subject would not be prejudiced; if, by compliance, you would prejudice some public interest; if the information is only going to be used for historical, statistical or research purposes; or if the subject is not going to be identified.

If we collect personal information, how must we handle it?
Anybody who keeps personal information has to take steps to prevent the loss, damage, and
unauthorised destruction of the personal information. They also have to prevent unlawful
access to or unlawful processing of this personal information. (section 19)

We have to identify all risks and then establish and maintain safeguards against these
identified risks. We have to regularly verify that the safeguards are being effectively
implemented and update the safeguards in response to new risks or identified deficiencies
in existing safeguards.

Anybody processing personal information on behalf of an employer must have the necessary
authorisation from the employer to do so. They must also treat the personal information as
confidential. (section 20)

Such a person must have a written contract with their employer in which they are specifically
obliged to maintain the integrity and confidentiality of the personal information and to
implement the established safeguards against identified risks.

This employee is also obliged to notify their employer if they believe that personal information has fallen into the wrong hands (section 21(2)).

I can therefore see new employment contracts for administrative staff and data capturers,
and for any employees who deal with personal information, to comply with these
requirements.

If there has been a breach and personal information has been accessed or acquired by any
unauthorised people you need to notify the Information Regulator, and the subject (if you
still know who the subject was). The notification to the subject needs to provide sufficient
information to allow the subject to protect themselves against the possible consequences of
the personal information falling into the wrong hands.

We all have the right to enquire as to whether somebody has our personal information; all we have to do is provide proof of identity, and this information must be provided free of charge. We can also find out what this information consists of and whether it has been disseminated to any third parties. For these last items of information, however, we might have to pay a fee. Access to this information is also subject to the Promotion of Access to Information Act.

We all have the right to have our personal information corrected or deleted if it is inaccurate,
irrelevant, excessive, dated or misleading, or if it has been obtained unlawfully, or if the
responsible party is no longer authorised to retain the information.

The Act creates a special category of personal information called “special personal information”. This relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information. Also included in this category is information relating to the alleged commission of any offence, or any proceedings in respect of any offence allegedly committed, and the outcome of such proceedings. (section 26)

You are not allowed to process this special personal information unless it is done with
consent; or is necessary in law; or is done for historical, statistical or research purposes; or
the information has been deliberately made public by the subject.

I do not think that this will prevent processing of information concerning the conviction of a
subject for a criminal offence, as such an offence will then no longer be “alleged”.

There are also limited exceptions to the prohibition against the processing of “special
personal information”.

These relate to situations when this information is specifically relevant and constitutes the
purpose for which the information is being collected, for example for the purposes of BEE or
for insurance.

Special rules apply to the processing of personal information of children. (section 35)

The Information Regulator has the power to grant exemptions to allow people to process
personal information without complying with the Act if the public interest outweighs the
subject’s rights of privacy or where there is a clear benefit to the subject. Such exemptions
may be granted upon conditions.

Exemptions may also be granted for the processing of personal information for the purposes of discharging a “relevant function”. A relevant function would include the processing of personal information with a view to protecting members of the public against:

- financial loss due to dishonesty of persons in the banking or financial services industry; and
- dishonesty by persons authorised to carry on any profession or other activity.

Direct Marketing

Section 69 of the Act outlaws direct marketing by means of any form of electronic communication unless the subject has given their consent. Such electronic communication obviously includes emails and SMSs; automatic calling machines are also included. A subject can only be approached once to obtain such consent. Once such consent is refused, it is refused forever.

Slightly different rules apply if the subject is a customer. Here the customer’s contact details must have been obtained in the context of the sale of a product or a service, the direct marketing by electronic communication can only relate to the supplier’s own similar products or services, and the customer must have been given the right to opt out both at the time that the information was collected and each time such a communication is sent.

Anybody sending out direct marketing electronic communications has to disclose the
identity of the advertiser and provide an address to which the customer can send a request
to opt out.

Any subject whose name is included in any type of directory must be advised of the purpose
of the directory and about any future uses to which the directory might possibly be put,
based on search functions embedded in electronic versions of the directory. Such a subject
must be given the opportunity to object to such use of the personal information. This will
however not apply to directories that were printed or which were created in off-line
electronic form prior to the commencement of this section.

If your personal information is contained in a public subscriber directory which has been
prepared in accordance with the safeguards set out in the Act, prior to the commencement
of this portion of the Act, your personal information can remain in the directory provided
that the subject has received notification about the purposes of the directory and the future
uses to which the directory might be put. Once again the subject must be given the
opportunity to opt out (section 70).

The Act controls the transfer of personal information from South Africa to foreign countries and prohibits this unless (section 71):

- the person receiving the information is subject to similar laws;
- the subject has agreed to the transfer of the information;
- such transfer is part of the performance of a contract to which the subject is a party; or
- the transfer is for the benefit of the subject, it is not reasonably practicable to obtain their consent, and such consent would be likely to be given. (section 72)

Offences, penalties and administrative fees

Sections 100 – 106 deal with instances where parties would find themselves “guilty of an offence”. The most relevant of these are:

- any person who hinders, obstructs or unlawfully influences the Regulator;
- a responsible party which fails to comply with an enforcement notice;
- offences by witnesses, for example lying under oath or failing to attend hearings;
- unlawful acts by a responsible party in connection with account numbers;
- unlawful acts by third parties in connection with account numbers.

Section 107 of the Act details which penalties apply to the respective offences. For the above-mentioned offences the maximum penalty is a fine, or imprisonment for a period not exceeding 10 years, or both a fine and such imprisonment. For the less serious offences, for example hindering an official in the execution of a search and seizure warrant, the maximum penalty is a fine, or imprisonment for a period not exceeding 12 months, or both a fine and such imprisonment.

Source: https://www.mastershred.co.za/content/18-summary-of-the-protection-of-information-act-popi-act
