POPI Act

Published 2019-07-02, last modified 2022-11-07. Source: https://celagenix.com/popi-act/

Purpose of POPIA

The Protection of Personal Information Act has significant implications for both the citizens and legal entities of South Africa whose Personal Information is processed by any private person, company and/or public body, as well as for the private persons, companies and public bodies that process this Personal Information (the "Responsible Party"). POPIA is a dedicated law aimed at protecting personal data from abuse and misuse.

POPIA aims to regulate the collection and processing of Personal Information by natural persons, as well as both private and public bodies, including the State. POPIA seeks to protect and prevent the abuse and misuse of Personal Information owned by individuals and companies in South Africa whose information is collected, processed and used by the Responsible Party. POPIA, however, must not be seen as a law that disrupts the operations of the Responsible Party's business. POPIA seeks to create a careful balance between a person's Constitutional right to privacy and the needs and interests of commerce, government and business in the private and public sectors.

Information Protection Principles

POPIA has adopted eight core international principles which apply to the processing of Personal Information. Once one understands these principles, the provisions of POPIA will make sense.

Principle 1: Processing Limitation

Personal Information must be collected directly from the Data Subject and may only be processed with the consent of the Data Subject or, in the absence of consent, where it is necessary to comply with a legal obligation, public law duty or a contractual obligation.

Principle 2: Specific Purpose

Personal Information must be collected for a specific, explicitly defined and legitimate purpose. The Data Subject should be made aware of the purpose for which the Personal Information is collected, as well as who the likely recipients of the Personal Information will be.

Principle 3: Further Processing Limitation

Personal Information may not be processed further in a way that is incompatible with the purpose for which the information was initially collected. Thus, once Personal Information has been processed for the purpose for which it was collected, it may only be processed further if it can be shown that the purpose of the further processing is compatible with the original purpose. POPIA provides guidelines to assist with such an assessment.

Principle 4: Information Quality

The person or institution that processes Personal Information in its capacity as the Responsible Party should ensure that the Personal Information is complete, not misleading, up to date and accurate.

Principle 5: Openness

Where Personal Information of a Data Subject is collected, the Responsible Party must ensure that the Data Subject is made aware of:

Principle 6: Security Safeguards

POPIA requires the implementation of technical and organisational measures to secure the integrity of Personal Information, and to guard against the risk of loss, damage or destruction of such Personal Information. Any person holding Personal Information must protect that Personal Information against any unauthorised or unlawful access or processing.

Principle 7: Individual Participation

A Data Subject is entitled to the details of his or her Personal Information held by any institution or person, as well as to the identity of any person that had access to his or her Personal Information. The Data Subject is also entitled to require the correction of any incorrect Personal Information held by another party.

Principle 8: Accountability

The Responsible Party must give effect to the principles/conditions for the protection of Personal Information as set out under POPIA. Despite the principles set out above, the Regulator may exempt the Responsible Party from compliance with some of the principles or conditions of processing and authorise the processing of the identified Personal Information where the processing will be in the public interest, or where there is a clear benefit for the people concerned.

The "public interest" includes:

Cross-border Information Flows

It is interesting to note that POPIA not only regulates Personal Information held in South Africa. It also regulates the transfer of Personal Information to parties outside of South Africa.

The Responsible Party may therefore not transfer Personal Information cross-border unless:

Application of POPIA

POPIA regulates the processing of Personal Information within South Africa, including Personal Information entered in a record by a Responsible Party that is domiciled in South Africa, or by a Responsible Party, Operator or other entity domiciled elsewhere that makes use of automated or non-automated means of collection situated in South Africa. POPIA, therefore, must be complied with by every employee of the Responsible Party who collects and processes another's Personal Information.

Exclusions

POPIA does not affect the processing of Personal Information:

The Responsible Party's obligations when it processes Personal Information of its Employees and Third Parties

The processing of Personal Information by the Responsible Party must strictly comply with the eight core processing principles set out in POPIA.

Of these eight core principles, the following five provisions should always be complied with by the Responsible Party:

Direct Marketing

In line with a person's right to privacy, POPIA strictly controls how one can engage in direct marketing activities. POPIA provides that the Responsible Party cannot process Personal Information for the purposes of using it in direct marketing, unless:

All such communications sent to the Data Subject must include the Responsible Party's identity, contact details and an opportunity to "opt out".

Information Officer

The Responsible Party should appoint an Information Officer to oversee compliance with POPIA.

An Information Officer must ensure that:

The Information Officer, or a person designated by him or her, can upon request of any person provide copies of the manual to that person upon payment of a fee determined by the Responsible Party, which may not be more than R 3.50 per page.

Effective Date of POPIA

Once legislated, there will be a 12-month phase-in period during which Responsible Parties will be required to develop systems and align their business processes and practices to comply with POPIA. The Responsible Party and its employees should take note of the various provisions and related obligations included in POPIA, and initiate the implementation of said provisions, where applicable, into its business processes sooner rather than later. The Responsible Party and its employees should also take note of the consequences of any non-compliance with POPIA.

Investigation and Compliance Order

Any person who is affected by non-compliance with any of the provisions of POPIA is referred to as the complainant.

The complainant may submit a complaint to the Regulator in writing, detailing the acts of non-compliance in respect of the information processing principles. If the Regulator finds the complaint to be valid, an investigation will be conducted.

There are certain instances in which the Regulator may decide not to take action. Some of these instances are listed below:

The Regulator may attempt to reach a settlement between the parties, or it can conduct a hearing, at which it can summon witnesses and receive evidence. The Regulator can also request a judge or magistrate for a warrant to enter and search premises. If the Regulator grants an order in favour of the complainant, it may serve a Responsible Party with an enforcement notice, requiring it to take certain steps.

Damages in the Civil Courts

A Data Subject, or the Regulator at the request of a Data Subject, may institute a civil action for damages against a Responsible Party for a breach of any provision of POPIA relating to interference with the protection of the Personal Information of a Data Subject. It does not matter whether or not there was intent or negligence on the part of the Responsible Party.

POPIA Offences and Penalties

POPIA regulates how anyone who processes Personal Information must handle, keep and secure that information. If an individual or a Responsible Party processes Personal Information relating to a person, that individual or Responsible Party must comply with POPIA. Failure to comply with POPIA may lead to the imposition of certain penalties under POPIA.

Punishable Offences in terms of POPIA

The following offences are, if committed, punishable with either a fine (not exceeding R10 million), or imprisonment (for a period not exceeding 10 years), or both:

Compliance with POPIA

To ensure compliance with the provisions of POPIA, the Responsible Party and its employees should ensure that the following controls are implemented within the Responsible Party environment:

Information Regulator

POPIA creates an "Information Regulator", which is a supervisory body consisting of a chairperson and four other members. The Regulator, which is independent and subject only to the Constitution, is responsible for, amongst other things, promoting, monitoring and enforcing compliance with the provisions of POPIA on a national level.

The Regulator also has the power to investigate complaints, and to draft or approve category-specific or industry-specific codes of conduct.

Once a code of conduct has been created, it will regulate the processing of information within that category or industry. Failure to comply with a code will be considered a breach of the conditions for the lawful processing of Personal Information.

POPIA Regulations

The POPIA draft Regulations were published for comment during September 2017. The draft Regulations contain various prescribed forms that should be used. These include forms which may be used by the Data Subject to lodge an objection to the processing of his/her/its Personal Information with the Responsible Party that keeps the Personal Information, to request the correction or deletion of such Personal Information, and to submit a complaint to the applicable Regulator.

There is also a prescribed form setting out an application for the consent of a Data Subject to the processing of Personal Information for direct marketing.

The Regulations also stipulate the obligations of the Information Officer, which include inter alia the following:

A private or public body which represents a class of bodies, industry, profession or occupation may apply to the Regulator for codes of conduct to be issued which stipulate a standard for POPIA compliance within that specific class, industry or profession.

The Regulations also set out the powers of the Regulator when conducting a pre-investigation and handling an investigation in relation to allegations of interference with the protection of the Personal Information of a Data Subject.

The publication of the Regulations may be a sign that commencement of the remaining provisions of POPIA is imminent. There will be a 12-month grace period, as from the effective date of the Act, to enable all affected parties to align their business practices to POPIA. It is expected that this will be during 2019.

Conclusion

Celagenix® can, upon request, host in-depth training sessions on everything that you need to comply, and remain compliant, with POPIA. Our Complete POPIA Compliance Solution covers POPIA and other coinciding aspects extensively. Our POPIA consultants are also Celagenix® accredited business advisors, which means that they can provide advice and analysis-driven insight into other, non-POPIA related affairs of your business.