The Protection of Personal Information Act number 4 of 2013 (“POPI”) was signed into law in November 2013. The effective date of POPI (in its entirety) has yet to be determined by the President, but we expect it to come into full force during the first or second quarter of 2018, and you will have 1 year from that date to comply with all its provisions. However, certain provisions have already come into force from 11 April 2014. These provisions serve as a skeleton, providing the shape and form within which POPI will operate, and will help businesses understand the obligations imposed upon them by POPI and the steps to put in place to ensure full compliance. The remaining provisions will be enacted once the Regulator’s office is completely set up and working, and the Regulations for POPI have been enacted. The Regulator commenced its duties on 1 December 2016.
The following positions in terms of POPI have been approved by the National Assembly:
- Chairperson of the Regulator – Pansy Tlakula;
- Full-time members – Advocate Lebogang Stroom and Johannes Weapond; and
- Part-time members – Professor Tana Pistorius and Sizwe Snail.
What is “personal information”?
Personal information is information relating to an identifiable, living, natural person, and where applicable an identifiable, existing juristic person. So if you, in your personal capacity or in a capacity in a company or other organisation, have information (of specific types) about human beings and companies (or other entities), it will be considered personal information (remember, there are exceptions). Examples of this are: identity numbers, telephone numbers, email addresses, physical and postal addresses, and even online identifiers (for full details of what constitutes personal information, please send me an email at email@example.com).
What is the purpose behind POPI?
POPI gives effect (with other legislation) to the right to privacy enshrined in the Bill of Rights of the Constitution.
As stated in the Preamble to the Act, the purpose of POPI is to:
- Promote the protection of personal information processed by public and private bodies;
- Introduce certain conditions establishing minimum requirements for the processing of personal information;
- Provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of the Act and the Promotion of Access to Information Act, 2000;
- Provide for the issuing of codes of conduct specific to certain industries;
- Provide for rights of persons regarding unsolicited electronic communications and automated decision making (e.g. automated credit applications, where a robot will decide whether to give credit and not a human being);
- Regulate cross-border flow of personal information (to try and comply with international standards; EU laws may be of great instruction in this regard); and
- Provide for matters connected therewith.
There are also provisions that deal with “special personal information”, such as race, ethnicity and the health status of a person (e.g. HIV status). Additional levels of protection must be put in place to ensure enhanced standards of privacy in relation to this information.
Take-aways from this blogpost (I will be writing further on this in the future):
- Assess what current information you have and whether it constitutes personal information, special personal information or not, and for what purpose you received or obtained such information.
- Put measures in place to protect the above information.
- Assess with whom you are sharing the above information.
- Put measures in place to discard or de-identify the above information according to the Act.
- Start making plans for a so-called “gap analysis” of exposed areas within your business where you currently collect and process personal and special personal information, and how you intend to deal with these in terms of the Act (I will be going into this further in a future blogpost).
All of the above 5 points will be addressed in future blogposts.
This blogpost does not deal with each and every important topic, element or change in the law, and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to deal with the reader’s particular set of facts and circumstances.