On 1 July 2021, the Protection of Personal Information Act 4 of 2013 (POPI Act) comes into full force and effect. While the Act was signed into law on 19 November 2013, the majority of its sections were only implemented on 1 July 2020, with a one-year grace period. Now, with the remaining sections coming into effect on 30 June 2021, the Act becomes enforceable by the Regulator.
It is anticipated, however, that South African legislation governing the protection of personal information will be amended down the line to comply with the European Data Protection Act (GDPR), which was signed into law on 25 May 2018 and provides for a more stringent system than the POPI Act.
In the meantime, the POPI Act must be implemented and strictly adhered to by all parties responsible for doing so.
What is the purpose of the POPI Act?
“The Protection of Personal Information Act 4 of 2013 aims:
Source: www.gov.za
What do you need to know ahead of 1 July 2021?
The following facts, while by no means exhaustive, provide some interesting insights into – and hopefully a practical guideline to – the requirements of the POPI Act.
One
POPI exists to protect and enforce the right to privacy. The Information Regulator can be approached by Data Subjects (these include natural persons and juristic entities, but exclude deceased persons) for relief if the right to privacy is violated.
Two
Essentially, the following must be implemented in order to comply with the POPI Act:
Three
If a Data Subject is not identifiable, the POPI Act does not apply – a name or photo only, for example, is not enough to identify someone. A Responsible Party will need consent to use the special personal information of a Data Subject (this includes photos). You do not, however, need consent if the information has been made deliberately public by the Data Subject.
Four
It is important to destroy ALL personal information (PI) you do not need – old CD backups, for example – before the POPI Act kicks in or you will be required to comply with the provisions of the Act. You may not hold onto PI that serves no purpose. You may only hold PI as long as you have a “legitimate purpose” subject to legislation – for example, the Legal Practice Act requires that all files be held for seven years before being destroyed.
Five
The processing of PI refers to the entire life cycle thereof, therefore “destroy” (forever irretrievable) must be distinguished from “delete” (can be retrieved). Parties must also distinguish between automated (computer) and non-automated (file) information. Seemingly, the less paper being processed, the better the purpose of PI protection is served.
Six
A Responsible Party can be defined as the data controller, while an Operator can be defined as someone employed by a Responsible Party. As Operators have almost no responsibility – this includes third party Operators such as HR companies and cloud saving – there must be contractual clauses between the Responsible Party and such Operators (sections 19 and 21 of the Act) to safeguard the PI as well as the Responsible Party.
A typical clause may look like this: “I am aware of my responsibility as set out in the Act. I undertake to always treat all personal information with extreme care and strictly adhere to the privacy policies of [the responsible party]. I undertake to only deal with personal information under my control for the purpose of executing my duties. I undertake to process all personal information entrusted to me as is necessary and to complete the instruction at hand. I am fully aware that personal information, be it special or ordinary, may in no way or form be used for any means other than its ‘legitimate purpose’. I have attended staff training and awareness to the above effect and I fully understand the implications of non-adherence to the Act and specifically that it will constitute a dismissible offence.”
Seven
No intent or negligence must be proved by a Data Subject and such Data Subject must only show the Information Regulator that the action caused harm.
Eight
Statistical information is defined as “de-identified” PI i.e. it is no longer PI. Once information has been de-identified it can never be identified again.
Nine
An information officer must be appointed and a POPI compliance register kept. The “CEO” (the default information officer) of a Responsible Party can appoint an information officer by way of a data protection appointment letter.
Ten
Section 11 of the Act requires justification for the collection of PI, of which consent by the Data Subject is the most important – a consent form must be drafted that Data Subjects (clients/customers) must sign. The POPI Act only applies if the process of PI is entered into a “system” and can be accessed again.
Eleven
Section 18 of the Act provides for notice requirements. PI can only be used for the purposes described in the notice or for a compatible purpose. It is suggested that such notices be incorporated into and dealt with in the consent.
Twelve
PI must always be up to date and accurate. The Data Subject must warrant that they will inform a Responsible Party of any change in PI. It is suggested that a Data Subject indemnify a Responsible Party (this can also be incorporated in the consent) against any claim resulting from a failure to do so. This implies, for example, that any emails which bounce back must be dealt with by a Responsible Party.
Thirteen
A Data Subject may ask the Responsible Party to reveal what information they hold – this must be provided free of charge. A Data Subject access policy and form must be drafted to govern any such requests for information, which will be dealt with by the information officer.
Fourteen
IT and automated system security is of the utmost importance. The POPI Act has a “reasonable” test in this regard which implies that data/laptops must be (triple) encrypted with the required password protection.
Fifteen
A Data Subject may request that their information be corrected or deleted – this can be addressed in the data access policy. Data Subjects must provide reasons should they want their information to be deleted and there must be a form or written consent to this effect.
Sixteen
Section 69 of the Act, which deals with direct marketing (DM), is arguably the most contentious section of all. While the definition of telemarketing excludes marketing by electronic means, it includes marketing by any other means. It also includes the selling of products and services, asking for donations, and electronic newsletters. With regard to telemarketing, the Act stipulates that there must always be an “opt out” and that how and where the PI was obtained must be disclosed. The current position is that clients may be contacted until they say no – “opt out”.
DM by electronic mail is prohibited unless:
Section 69 prohibits cross-selling in a group of companies. Each entity in the group becomes a separate Responsible Party, making it important to ring-fence a clean database. The Information Regulator has declared that a contravention will only be penalised if the contravening party in question receives a warning letter and fails to stop their activity. If the letter is complied with, no action will be taken. If an enforcement notice is received, the party may appeal or comply.
Seventeen
The Act demands that there is a contract between the Data Subject and Responsible Party wherein they agree to comply with legislation that governs PI in a foreign country. If the foreign country does not have PI protection legislation, there must be a contract to the effect that the Data Subject and Responsible Party agree to be bound by the principles of PI protection. In such instances, the GDPR of the EU will be the benchmark. Clouds are typically hosted in countries with adequate data protection laws. This is an issue that must be clarified by Responsible Parties.
Eighteen
While the POPI Act does not prohibit outsourcing of PI regulation and compliance, the Regulator has indicated that they do not approve of this practice.
Nineteen
Section 60 of the Act requires that codes of conduct be industry specific. The Regulator undertook to have these available by December 2020, but has since confirmed that they will no longer be issued. Instead, guidelines were to be provided before the end of February 2021.
Twenty
The manual required in terms of the Promotion of Access to Information Act (PAIA) is now also a requirement of the POPI Act. Any references in the PAIA manual to the Human Rights Commission must now become references to the Information Regulator, which now assumes all functions previously performed by the Human Rights Commission. Sections of the Act dealing with this incorporation become effective on 1 July 2021, meaning that a POPI section must now be included in the PAIA manual.
Twenty-one
The Information Regulator has indicated that they will proactively engage companies. It is clear from the above that all systems must keep data privacy in mind. It is also important to note that staff POPI training and awareness is compulsory.
Written by Wessel de Kock