
Protection against abuse of personal information

Era Gunning, a senior associate in ENSafrica’s banking and finance department, writes:

The Protection of Personal Information Act (Popi) was signed into law by President Zuma on 19 November 2013. Popi currently provides for a transitional period of one year within which public and private bodies must comply.

Processing Conditions

Popi aims to support the right to privacy of personal information of South African citizens when it is collected and processed by organisations. It brings South Africa in line with international data protection laws and contains eight conditions that responsible parties (ie organisations that process personal information) need to comply with.

Popi encompasses the following eight conditions:

Condition 1: Accountability

Organisations must assign responsibility to an information officer for overseeing and managing compliance with Popi.

Condition 2: Processing limitation

Personal information may only be processed in a fair and lawful manner.

Condition 3: Purpose specification

An organisation must ensure that personal information is only processed for specific, explicitly defined and legitimate reasons relating to the functions or activities of the organisation.

Condition 4: Further processing limitation

Once an organisation has identified and obtained consent for specific, legitimate and explicitly defined purposes, the personal information may only be processed if it is necessary for the fulfilment of those purposes.

Condition 5: Information quality

Organisations must maintain the quality of the personal information in terms of ensuring that it is reliable, accurate, up-to-date and relevant to the purposes for which it was collected.

Condition 6: Openness

Organisations are obliged to process information in a fair and transparent manner. Individuals must also be aware of the specific personal information held about them.

Condition 7: Security safeguards

All personal information should be kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure.

Condition 8: Data subject participation

Individuals have the right to access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated.

Enforcement

The responsibility for monitoring and enforcing compliance with Popi will rest with the Information Regulator, an independent statutory body to be established under this Act.

Those whose rights under Popi are violated may institute a civil action for damages, regardless of whether intent or negligence can be proven on the part of the responsible party.

Furthermore, non-compliance with an enforcement notice is an offence and may lead to imprisonment of up to 10 years. An administrative fine not exceeding R10 million may furthermore be imposed on any responsible party.

Details: ENSafrica 011 555 0980.
