POPI was signed into law by the President on 19 November 2013. Only certain parts of the Act have since come into operation, mostly the parts dealing with the establishment of the Information Regulator which, when the Act comes fully into operation, will be the governing body that will deal with any or all complaints in connection with personal information. The Act is expected to come into full operation within 12 months, being middle to end of 2017.
So, your question should be, what, how and why should I comply with POPI?
The “What”?
Simply put, it is the entire Act. It goes even further by incorporating PAIA (another acronym), the Promotion and Access to Information Act, No 2. of 2000. The Act is applicable to any person. Therefore, it includes any natural or juristic person.
The personal information that falls within the ambit of the Act is defined in section 1 of the Act and basically includes any information of any person you can think of. There are certain exclusions of some personal information in section 6 of the Act. Such information which may fall within the definition of personal information is excluded when, for instance, it is necessary to disclose the information for national security purposes or if any other act requires a person to lawfully disclose certain information. Some acts that come to mind are the Tax Administration Act, Financial Intelligence Centre Act (FICA) and Regulation of Interception of Communications Act (RICA).
Certain information which is processed for personal or household activities has been outlined in the exclusions. However, the legislature does not specifically define “personal or household activities” in the Act. Some commentators believe that it may even relate to, for example, a person’s contacts or birthday lists on his/her cellphone. The term “personal or household activities” is debatable, which will be clarified through the court’s interpretations or rulings, passed by the regulator. That said, it may imply that you can share these lists, numbers and addresses with family members, but not with third parties. We shall wait to see how these interpretations play out.
The How?
The Act has eight main principles setting out the minimum requirements for the lawful processing of personal information, namely: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation. All eight of these principles are properly defined in the Act and have to be complied with at all times.
Furthermore, the Act requires each entity to appoint an Information Officer. If not appointed, the default position is that the CEO of the entity will be deemed to be the responsible person. The Information officer will be the point of contact for information inquiries whether by a data subject or anyone else. Full due diligences need to be done and will include POPI audits on all new and old data and also on the entities’ cyber security. Reviews will also need to be conducted on company privacy policies, direct marketing activities and contracts with third parties.
The Why?
The Act provides authority for the Information regulator to investigate complaints made by data subjects alleging a breach or an infringement of any sections or regulations of the Act. Offenses are, subject to the Act, punishable by way of a fine or imprisonment not exceeding ten years if serious, or a fine or imprisonment of not more than 12 months if less serious.