The Protection of Personal Information Act (POPIA) – Compliance
The right to privacy is constitutionally entrenched in the South African Bill of Rights. In this regard, section 14 of the Constitution of the Republic of South Africa Act, No. 108 of 1996 provides as follows:
“Everyone has the right to privacy, which includes the right not to have:
- their property searched;
- their possessions searched;
- the privacy of their communications infringed.”
The Protection of Personal Information Act (POPIA) aims to give effect to this constitutional right to privacy, whilst seeking to balance this right against competing rights such as the right of access to information.
When does the POPIA become effective?
It has been 10 years since discussions around the POPIA started. The effective date is 1 July 2021, which means we have until 30 June 2021 to become compliant.
Who must comply with the POPIA?
The Act applies to any person or organisation that processes or retains any type of record relating to the personal information of individuals or juristic persons. This means that private and public sector organisations need to process personal information in a safe and lawful manner, thereby ensuring individuals are protected from data breaches and information theft.
What is regarded as personal information?
Personal information includes a broad range of information, or an opinion, that could identify an individual. For example, personal information may include: an individual’s name, signature, address, phone number or date of birth.
How can an organisation comply?
- Appoint your team: Determine if it will be necessary to appoint a dedicated POPIA compliance officer or a full team depending on the size, scope and function of your organisation.
- Assign responsibilities: Determine who will be responsible for the processing, storing, managing and destruction of personal information that the organisation holds.
- Upskill personnel: Familiarise yourself with what information is governed by the POPIA and what exemptions exist. Ensure that identified personnel are properly trained and that your IT service provider is compliant.
Who is exempt from POPIA?
POPIA provides a few exemptions. If the following applies to an organisation, it does not need to comply with POPIA:
- Processing of personal information that is not entered into a record
- Processing of personal information in the course of purely household activities
- Information processed is de-identified so that it can no longer be defined as personal information
- It is a public body that protects national security; or an entity that prosecutes offenders
- It is a cabinet (and its committees) or the executive council of a province
- It is a court referred to in section 166 of the Constitution which processes personal information only as part of its judicial functions
- Information is processed for purely journalistic, artistic or literary purposes