By Lize de la Harpe, 29 June 2020
For the last seven years the media has been regularly updating the public on POPIA and what exactly it aims to achieve. In essence, POPIA gives effect to section 14 of the Constitution which provides that everyone has the right to privacy. It provides the regulatory framework within which responsible parties may process personal information of data subjects (both natural persons as well as juristic persons).
POPIA accordingly regulates, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy, subject to justifiable limitations that are aimed at protecting other rights and important interests.
Before going any further, it’s important to note a few material definitions as set out in this act:
As one can see from the above, the definition of “processing” covers basically everything a responsible party can do with personal information.
POPIA requires the responsible party to process personal information lawfully and in a manner that does not infringe on the privacy of data subjects. In order for such processing to be “lawful” it must comply with the minimum requirements as set out in Chapter 3 of POPIA (referred to as “conditions”). These conditions can be summarised as follows:
The responsible party must ensure that the conditions for processing are complied with at all times.
The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
Processing must be lawful, done in a reasonable manner that does not infringe on the privacy of the data subject and must not be excessive. Processing may only take place with the consent of the data subject, subject to certain exceptions (such as where processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party, where it complies with an obligation placed on the responsible party by law, or where it protects a legitimate interest of the data subject). Personal information must be collected directly from the data subject, subject to certain exceptions.
A responsible party must maintain documentation of all processing operations. When personal information is collected, the responsible party must (subject to exceptions) take reasonably practicable steps to ensure that the data subject is aware of, inter alia, the information being collected, the source, the purpose of the collection and the rights of the data subject.
Collection must be for a specific purpose and records may not be kept for any longer than is necessary for achieving the purpose for which it was collected or subsequently processed, subject to certain exceptions (for example it is required or authorised by law or the data subject has consented).
Reasonable measures must be taken to identify all foreseeable internal and external risks, establish and maintain appropriate safeguards against these risks, regularly verify that the safeguards are effectively implemented and ensure they are continually updated. The responsible party must notify the Information Regulator and the data subject when the personal information of a data subject has been accessed or acquired by any unauthorised person.
Further processing must be compatible with the purpose of collection, taking into account, amongst others, the nature of the information, the consequences for the data subject and the manner in which the information was collected.
The data subject has a right to request a responsible party to confirm whether or not it holds personal information about the data subject (free of charge), to request the record or a description of the personal information held, as well as the identity of third parties who have access to the information. The data subject also has the right to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
POPIA also provides for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of both this act as well as the Promotion of Access to Information Act, 2000. The Information Regulator is, amongst others, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA.
POPIA was signed into law on 19 November 2013 and certain sections thereof came into force the following year. These sections included:
The President has now proclaimed the commencement date of POPIA to be 1 July 2020. This means that the remaining sections (with two technical exceptions) will come into effect on 1 July 2020. These sections are the critical parts of the act, such as the conditions for the lawful processing of personal information (summarised above), the regulation of the processing of special personal information, the issuing of codes of conduct by the Information Regulator as well as the procedures for dealing with complaints.
Most important to note, from a business perspective, is the commencement of section 114(1) which provides that “all processing of personal information must within one year after the commencement of the section be made to conform to this Act”. This means that all responsible parties will have until 1 July 2021 to ensure that they comply with the provisions of the act.
As discussed above, POPIA will come into effect on 1 July 2020 and companies will have one year within which to ensure compliance. Having said that, companies are cautioned against waiting until the last minute to effect the necessary changes to systems and processes to ensure compliance before 1 July 2021. Non-compliance will most certainly have dire consequences – section 107 details these penalties, which include (for serious offences) a fine or imprisonment for a period not exceeding 10 years (or both).