Understanding POPIA – 8 conditions to consider

These are the eight principles or conditions necessary for the lawful processing of personal information under POPIA.

THE Protection of Personal Information Act (POPIA) governs the law of data protection and privacy in South Africa.

Last week, we spoke to senior lecturer at University of KwaZulu-Natal’s School of Law, Dr Dusty-Lee Donnelly, who outlined the main purpose of the POPI Act. This week, Nelson Mandela University professor and attorney, Sizwe Snail ka Mtuze, outlines the eight conditions of the Act.

Snail ka Mtuze, who is a specialist in Information Communication Technology Law or Cyber Law, was a member of the inaugural Information Regulator from 2016 until 2021.

Set in motion in 2013, the law came into effect in 2020 with a one-year grace period until July 2021.

What is POPIA?

Snail ka Mtuze defined POPIA as a data protection law that gives effect to the right to privacy as contained in the Constitution.

“It is the right to privacy, the right to live a private life without government intrusion or intrusion by third parties,” he said.

What is personal information?

Personal information is any information about a living person, or an existing juristic person, that makes that person identifiable.

“Your ID number makes you identifiable, as does your licence plate and phone number, social media handle and geographic location. Section 1 of POPIA lists the various forms of unique identifiers in detail,” said Snail ka Mtuze.

Personal information cannot be accessed without the consent of the data subject.

“Consent is valid if it is specific, informed and voluntary. Consent can be given in written form or in the electronic space, such as on a website when one consents to cookies,” explained Snail ka Mtuze.

Eight conditions of POPIA

There are eight principles or conditions for the lawful processing of personal information under POPIA. Snail ka Mtuze explained that these conditions apply to the data subject (the person who owns the information/data), the responsible party (who processes this data) and a third party, the operator (who processes the data on behalf of the responsible party).

1. Accountability
Simply put, responsible parties are accountable for the data they collect. “If I take your data, I am accountable to you,” explained Snail ka Mtuze.

2. Processing limitation
In order for data processing to be lawful, responsible parties should state why personal information is being processed, the type of personal information involved, and for whom it is being collected. “This condition refers to lawful data processing – processing with consent. Data must be obtained from the data subject, who owns the data directly,” said Snail ka Mtuze.

He added that the responsible party should only collect the data that is required in line with the minimality principle. “If you go to a conference, for example, and have to fill in your name and ID number on the register, other people can take a photo of your data. One’s ID number is not necessary for a register confirming the attendance of people at an event. Their name and email are sufficient,” said Snail ka Mtuze.

3. Specific purpose
According to Snail ka Mtuze, this condition prescribes that personal information must be collected for a purpose that is specific, explicitly defined and lawful. “If I take your data for the purpose of a conference registration, I can’t share your data with my cousin who works in the insurance industry and is looking for leads,” explained Snail ka Mtuze. Once obtained, there are limits on how long data can be retained – this is covered in the second subset of this condition.
“This condition provides that records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed,” explained Snail ka Mtuze.

4. Further processing limitation
It is unlawful to further process personal information unless this fits in with the original purpose behind the data collection. “You may only further process data if the initial processes and the further processing are compatible,” explained Snail ka Mtuze.

5. Information quality
Under condition five, Snail ka Mtuze explained that responsible parties must take practicable steps to make sure personal information is complete, accurate, not misleading and updated where necessary. “Essentially, the responsible party has a positive duty to maintain information quality that is similar to that of FICA records,” he said.

6. Openness
The responsible party has to tell the data subject when their personal information is being collected, why it is being collected and whether or not it is mandatory/necessary to provide the information. “The data subject must be made aware of the responsible party’s intention to process data,” said Snail ka Mtuze. An example of this is a ‘do you accept cookies’ notice that pops up when one is browsing a website. “That notice is in line with Condition 6 of POPIA – it tells you the website will process some of your information. For example, a newspaper website might process your data to gain stats about their readership,” explained Snail ka Mtuze.

7. Security safeguards
The responsible parties must take steps to prevent the loss of data, damage to data or unauthorised destruction of personal information. “A bank, for example, must have adequate technical and organisational measures to protect the confidentiality of data. The operator must have a written agreement with the responsible party to protect data in the same fashion. In case of a data breach, the responsible party has a positive duty to self-report to the information regulator, as well as notify the affected data subject,” said Snail ka Mtuze.

8. Subject participation
Snail ka Mtuze explained that this condition ensures that responsible parties maintain correct information and provide guidance on how data subjects can access this information.
“This is the right to ask for information to be amended or deleted and the right to know what is being done with your data,” explained Snail ka Mtuze.
He added that data subjects are also entitled to call for responsible parties to produce proof of consent.

Any party who breaches any of the conditions exposes themselves to an enforcement notice or an administrative fine.

For more from Berea Mail, follow us on Facebook, Twitter and Instagram. You can also check out our videos on our YouTube channel or follow us on TikTok.
