THE Protection of Personal Information Act commonly referred to as Popi was signed into law by the president on November 19, 2013, yet people have little or no understanding of what this legislation entails.

The purpose of this act is to protect your personal information by ensuring that all South African businesses conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information.

The act aims to hold any transgressor accountable should they abuse or compromise a third party’s personal information in any way.

The Protection of Personal Information (Popi) legislation considers your personal information to be private and valuable. You, as the owner of your personal information, have certain rights of protection and the ability to exercise control over the following:

l When and how you choose to share your information (requires your consent). You would have noticed that when you fill in any forms, there is a question about sharing your details. This is a request of your consent so always read carefully.

  • The type and extent of information you choose to share (information must be collected for valid reasons);
  • Transparency and accountability on how your data will be used (limited to the purpose for which it was collected);
  • Providing you access to your own information as well as the right to have your data removed and/or destroyed should you wish;
  • Who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information;
  • How and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft or being compromised);
  • The integrity and continued accuracy of your information, i.e.
    your information must be captured correctly and, once collected, the institution is responsible to maintain it.
  • Examples of personal information of an individual include: identity and/or passport number; date of birth and age; phone number/s (including mobile phone number);
  • email address; physical address;
  • gender; race and ethnic origin;
  • criminal record; religious or philosophical beliefs, including personal and political opinions;
  • employment information; financial information; educational information; physical and mental health information, including medical history; blood type; details on your personal life; and membership to organisations and/or unions.

It must be noted, however, that some personal information on its own does not necessarily allow a third party to confirm or infer someone’s identity to the extent that this information can be used/abused for other purposes.

The combination of someone’s name and phone number and/or email address, for example, is a lot more significant than just a name or phone number on its own. As such, the act defines a ‘unique identifier’ to be data that uniquely identifies an individual or subject.

It is important to note that the right to protection of personal information is not only applicable to a natural person (i.e. an individual) but any legal entity, including companies and communities or other legally recognised organisations. All these entities are considered to be ‘data subjects’ and afforded the same right to protection of their information. Ignorance of the law is no excuse not to adhere to Protection of Personal Information (Popi) legislation, and a business will therefore not be able to bypass compliance solely on the basis that they were not aware of the act.

We have to accept that we now live in an information age and along with this progress comes the responsibility for each person to take care of and protect their own information.

Do not accuse someone else of sharing or compromising your personal information when you publish the very same information on public services like Facebook, LinkedIn, Google+ or public directories.

Modern technology makes it easy to access, collect and process high volumes of data at high speeds. This information can then be sold, used for further processing and/or applied towards other ends. In the wrong hands, such an ability can cause irreparable harm to individuals and companies.

To protect your right to privacy and abuse of your information, data protection legislation is necessary, even if it means imposing some social limits on society to balance the technological progress. Remember: the Protection of Personal Information (Popi) Act cannot protect you if you do not take care to protect yourself.

Please note that the above is for information purposes only and does not constitute financial or tax advice. As each individual’s personal circumstances vary, we recommend they seek advice on the matter. Please note that while every effort is made to ensure accuracy, Nexia SAB&T does not accept responsibility for any inaccuracies or errors contained herein. If you are in doubt about any information in this article or require any advice on the topical matter, please do not hesitate to contact any Nexia SAB&T office nationally.

Article prepared by: Aysha Osman

For any queries, please contact:

  • Hassen Kajie (Entrepreneurial Business Services Director)
    M: (+27) 82 333 3389 | E:
  • Yousuf Hassen (Entrepreneurial Business Services Director)
    M: (+27) 82 333 3376 | E: