The Protection of Personal Information Act number 4 of 2013 (“POPI”) was signed into law in November 2013. The effective date of POPI (in its entirety) has yet to be determined by the President, but we expect it to come into full force during the first or second quarter of 2018, and you will have 1 year from that date to comply with all its provisions. However, certain provisions have already come into force from 11 April 2014. These provisions of POPI serve as a skeleton and provide the shape and form within which POPI will operate; they will help businesses understand the obligations imposed upon them by POPI and the steps to put in place to ensure full compliance. The remaining provisions will be enacted once the Regulator’s office is completely set up and working, and the Regulations for POPI have been enacted. The Regulator commenced its duties on 1 December 2016.
The following positions in terms of POPI have been approved by the National Assembly:
What is “personal information”?
Personal information is information relating to an identifiable, living, natural person, and where applicable an identifiable, existing juristic person. So if you, in your personal capacity or in a capacity in a company or other organisation, have information (of specific types) about human beings and companies (or other entities), it will be considered personal information (remember, there are exceptions). Examples of this are: identity numbers, telephone numbers, email addresses, physical and postal addresses, even online identifiers, etc. (for full details of what constitutes personal information, please send me an email at firstname.lastname@example.org).
What is the purpose behind POPI?
POPI gives effect (with other legislation) to the right to privacy enshrined in the Bill of Rights of the Constitution.
The Preamble to the Act states that the purpose of POPI is to:
There are also provisions that deal with “special personal information”, such as race, ethnicity, health status of a person (e.g. HIV status), etc. Additional levels of protection must be put in place to ensure enhanced standards of privacy in relation to this information.
Take-aways from this blogpost (I will be writing further on this in the future):
All of the above 5 points will be addressed in future blogposts.
This blogpost does not deal with each and every important topic, element or change in the law, and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to deal with the reader’s particular set of facts and circumstances.