The Protection of Personal Information Act 4 of 2013 (POPIA) introduces an overarching regulatory framework for the processing of personal information and was ratified on 19 November 2013. The POPI Act is intended to promote the protection of personal information processed by public and private bodies, and introduces minimum requirements for the processing of personal information. To date, only certain sections of the POPI Act have come into effect; the remaining sections come into effect upon proclamation of a commencement date by the President.
The enactment of the POPI Act was intended to stem the tide of free-flowing personal information and to offer protection to South Africans seeking to uphold their constitutional rights to privacy and dignity, as well as to bring South Africa on par with those countries which already have data protection legislation, such as the EU with the impending GDPR.
In simple terms, the purpose of the POPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise that personal information in any way.
It is important for organisations not to become complacent, and to start getting their data protection practices in order now – determining the risks to be managed, understanding what data needs to be protected and starting to secure it, and putting resources and policies in place. The best place to start is with data classification – the first step to a truly data-centric approach to protecting personal information.
- Maximum fines for non-compliance can be up to R10 million and could result in a prison term for those deemed responsible
- The Information Regulator has power to issue an Enforcement Notice requiring the organisation to stop processing personal information
- POPI provides for the appointment of an Information Regulator (IR), who is responsible for investigating the breach and monitoring and enforcing compliance with POPI as well as the Promotion of Access to Information Act
- Disclosure of a breach must be given to the Information Regulator, as well as affected individuals
- All organisations, regardless of size or location, must comply with the POPI Act if they hold any personal data on South African citizens
- Examples of “personal information” for an individual could include identity and/or passport number, private correspondence, employment history, health information and membership of unions