The Protection of Personal Information (POPI) Act is a landmark piece of legislation that brings South Africa in line with Europe in terms of personal information and online privacy. In essence, the POPI Act was introduced to provide a form of security to prohibit the reckless misuse of people’s personal information by others without their consent.

It is intended to safeguard personal data, mitigate the potential risks that come with private data breaches, and hold South African institutions accountable for the responsible collection, processing, storage, and sharing of another entity’s personal information.

Defining personal information

Personal information is any information that may identify a person, such as:

  • Contact details – Name, home and work address, email address and social media account details.
  • Biometrics – Blood group, photographs, voice recordings, fingerprints, weight and height.
  • Demographic information – Date of birth, gender, age, race or ethnic origin, marital status, citizenship and sexual orientation.
  • Beliefs and opinions – Religious beliefs, trade union membership and political persuasion.
  • Financial status – Bank account details, credit records and credit score.
  • Personal history – Medical history, criminal records, education, employment history and personal correspondence.

Understanding the POPI Act

At the heart of the POPI Act are eight key principles that govern the lawful processing of personal information:

1. Accountability

The first principle, Accountability, mandates that the organization must appoint an Information Officer who will be responsible for ensuring that the information protection principles within the POPI Act and the controls that are in place to enforce them are complied with.

2. Processing Limitation

The second principle, Processing Limitation, deals with the lawfulness of processing, minimality of information collected, consent, justification and objection, and the collection of personal information directly from the data subject.

3. Purpose Specification

The third principle, Purpose Specification, provides that personal information must be collected for a specific purpose and the data subject from whom the personal information is collected must be made aware of the purpose for which the personal information was collected.

4. Further Processing Limitation

The fourth principle, Further Processing Limitation, regulates the further processing of personal information. If a responsible party further processes personal information, such processing must be compatible with the purpose for which the information was collected.

5. Information Quality

The fifth principle, Information Quality, provides that the responsible party must take reasonable steps to ensure that the personal information that has been collected is complete, accurate, not misleading and up to date.

6. Openness

The sixth principle, Openness, provides that the responsible party must be open about the collection of personal information by notifying the Regulator if it is going to process personal information.

7. Security Safeguards

The seventh principle, Security Safeguards, provides that the responsible party must ensure that the integrity of the personal information in its control is secured through technical and organisational measures.

8. Data Subject Participation

The eighth principle, Data Subject Participation, provides that data subjects have the right to request that a responsible party confirm (free of charge) whether it holds personal information about the data subject.

Exercising Your Rights

Under the POPI Act, you have the right to be notified when your personal information is being collected, the source of the information, the name of the person collecting it, and the purpose for which it is being collected. You also have the right to access and correct your personal information.

Remedies and Penalties under the POPI Act

The Protection of Personal Information (POPI) Act is a comprehensive piece of legislation enacted in South Africa to safeguard personal data. It provides for remedies and penalties in case of non-compliance.

  • Remedies under the POPI Act

The POPI Act provides for remedies in case of violation of privacy rights. The Information Regulator can be approached by Data Subjects for relief if the right to privacy is violated. The Act also provides for civil actions for damages.

  • Penalties under the POPI Act

The POPI Act provides for both administrative fines and criminal penalties for non-compliance.

Administrative Fines

The Information Regulator has the power to impose administrative fines of up to R10 million in lieu of criminal charges.

Criminal Penalties

The Act provides for criminal penalties for more serious offences. The maximum penalties for these offences are a R10 million fine or imprisonment for a period not exceeding 10 years, or both.

For less serious offences, such as hindering an official in the execution of a search and seizure warrant, the maximum penalty would be a fine or imprisonment for a period not exceeding 12 months, or both.

Some of the offences under the Act include:

  • Hindering, obstructing or unlawfully influencing the Regulator.
  • A responsible party failing to comply with an enforcement notice.
  • Offences by witnesses, for example, lying under oath or failing to attend hearings.
  • Unlawful acts by a responsible party in connection with account numbers.
  • Unlawful acts by third parties in connection with account numbers.

Preventative Measures to Protect Your Privacy

  • Ensuring Consent

The POPI Act emphasizes the importance of consent in the processing of personal information. Before your personal information can be processed, you must be made aware of it and give your consent. If you’re asked to provide personal information online, make sure you understand why it’s needed and how it will be used before giving your consent.

  • Implementing Security Measures

The POPI Act requires that appropriate security measures be taken to protect personal information. This includes both technical and organizational measures. When using online services, check what security measures they have in place. Use strong, unique passwords, enable two-factor authentication where possible, and be wary of suspicious emails or messages that could be phishing attempts.

  • Limiting Data Sharing

The POPI Act encourages the minimization of data sharing. Only share personal information online when necessary and with trusted entities. Be cautious about who you share your information with and for what purpose. Regularly review your privacy settings on social media platforms and other online services to ensure you’re only sharing information with people and organizations you trust.

The POPI Act is a crucial piece of legislation that aims to protect personal information and uphold the right to privacy. It imposes stringent requirements on organisations that process personal information and holds them accountable for any misuse of such information. Non-compliance with the Act can lead to severe penalties, including hefty fines and imprisonment. Therefore, it is essential for all organisations to understand the Act and ensure full compliance.

The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available in this article are for general informational purposes only. Readers of this article should contact us or any other attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this article should act or refrain from acting on the basis of information in this article without first seeking legal advice. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the contents of this article is hereby expressly disclaimed. The content on this posting is provided “as is;” no representations are made that the content is error-free.
