Protection of Personal Information Act (POPI): how will it affect you?
We live in an ever-increasing digital world – of that there can be no doubt. Many of us will not go one single day without checking e-mail, Facebook, Instagram, Twitter or some form of digital material. We are all leaving a digital footprint; and our personal information is often freely accessible with the click of a mouse and a few taps on a keyboard.
Mindful of the fact that personal information is often exploited for commercial gain (it is a vital business asset for purposes of marketing and advertising), or used by those with dubious intentions to commit fraud or send a plethora of unsolicited spam e-mail; the South African Government has recently signed the Protection of Personal Information Act (POPI) into law.
POPI essentially seeks to set out conditions and reasonable standards for the collection, use, storage and dissemination of any form of personal information. An independent regulator will be established in the next few months and enforcement will be strictly monitored – the maximum penalty for misuse is 10 years in prison, or an administrative fine of up to 10 million Rand.
Although POPI was signed into law on 19 November 2013 (following a painfully slow process through parliament), it is not yet fully effective – only a small part of the legislation is currently in operation and the full Act will only be effective when President Jacob Zuma gives notice of this in the Government Gazette – most anticipate this start-date to be towards the end of 2015, and by no later than 2016. Moreover, companies and individuals will have a further period of one-year to become fully compliant – so although panic is not required just yet, it is now time to consider what steps to take in order to be fully compliant.
First, the critical element to understand about POPI is the definition of personal information. What is it? Simply, any information that has the ability to identify a living natural person, or to identify a juristic person (a company, for example).
It is quite a broad definition and can include, for example, any form of contact details (e-mail addresses, telephone numbers, physical or postal address information); demographic or personal information (race, age, sex, identity number, blood type); history of an individual (medical, financial, education, criminal, employment, memberships of associations or organisations), and the definition is wide enough to include personal opinions about a product or service or any form of personal correspondence. The point is: it is very wide and extremely broad.
With the above in mind, POPI sets out eight conditions that a company or individual must comply with if they collect, use, link, store or share any type of personal information. Briefly, the conditions oblige a person or entity to only collect information with a specific purpose, store it safely, ensure the information is relevant and accurate, only collect what is required and allow the “subject” to inspect it – further, and importantly, personal information can only be collected if the individual has “opted-in”. In other words, the person must specifically agree to the information being collected (subject to an exception dealing with existing clients).
All of the above must be documented in a written policy, and all employees of a business that collects personal information must be aware of POPI, the company policy and how to go about the collection, storage and sharing of the information.
So, what can you do? First, you must be familiar with POPI if you collect, process, store or share personal information. You must have a policy and ensure your employees are trained. You must further ensure your IT systems are adequate for purposes of the storage and retention of the data. And you must ensure your collection of data, above-all, is compliant with POPI – failure to do so will result in hefty fines and even jail time. This has meant a change in status quo for many corporate entities – banks, insurers, financial service providers etc. – however, many small to medium businesses are operating in blissful ignorance and continue to do what they have always done – if you are someone who is affected by POPI (most businesses will be), now is the time to think about compliance…
About the author: Lee Swales (LLB, LLM) is a law lecturer at the University of KwaZulu-Natal and a consultant to Swales Inc. He can be contacted on firstname.lastname@example.org