
POPIA: UNDERSTANDING THE 8 CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION


The Protection of Personal Information Act (“POPIA”) governs how personal information is collected, used, stored, retained, destroyed, and otherwise processed from the time it is collected until it is destroyed, keeping data subjects’ right to privacy of their own personal information at the forefront of how organisations use, share, and handle their data.

POPIA was signed into law in November 2013, and its substantive provisions took effect on July 1, 2020. Businesses now have until July 1, 2021, to ensure that they are fully compliant with the Act before it becomes fully enforceable.

POPIA distinguishes three major parties:

  1. The data subject: the person to whom or about whom the personal information pertains. Under POPIA a data subject can be a natural person or a juristic person, so safeguards must be in place to protect the personal information of both individuals and legal entities.
  2. The responsible party: a public or private body or any other person who, alone or in collaboration with others, determines the purpose and means of processing personal information.
  3. The operator: a party who, under a contract or mandate, processes personal information on behalf of the responsible party.

POPIA establishes eight conditions that businesses must follow when processing data subjects’ personal information. These eight conditions are the POPIA foundational principles that, when met, ensure that a data subject’s personal information is processed lawfully.

Condition 1: Accountability

The responsible party is accountable for the personal information it processes, and it remains accountable if the information is passed on to a third party.

The entity that requires the personal information for a specific purpose and determines how that personal information must be processed to achieve the purpose is the responsible party. It is the responsible party’s responsibility to ensure that the eight conditions for lawful processing of personal information are met when determining this “why” and “how.”

Condition 2: Processing Restrictions

Personal information must be processed lawfully and in a way that does not violate the privacy of the data subject. Personal information processing activities must be adequate, relevant, and not excessive when considering the purpose for which the information is being collected and processed.

Businesses should not collect or process more personal information than is necessary to accomplish the purpose for which it is being collected.

POPIA establishes a general obligation to obtain consent from data subjects before processing their personal information, as well as specific justifications or instances in which consent is not required.

Condition 3: Specification of Purpose

Personal information must be collected for a specific, clearly defined, and legally permissible purpose.

The responsible party must first determine the reason for processing the personal information and then ensure that the data subject is made aware of that reason.

The purpose specification condition also governs document retention and restriction, and it generally requires that personal information be kept no longer than is necessary to achieve the purpose for which it was collected.

Condition 4: Additional Processing Restriction

Personal information must only be processed for the purpose for which it was collected, and for no other reason.

Further processing of personal information must be compatible with the original purpose for which the personal information was collected. Otherwise, the responsible party must obtain new consent from the data subject for the additional or new processing activity.

Condition 5: Information Accuracy

The responsible party must take reasonable steps to ensure that personal information records are complete and accurate, and that they are updated as needed.

Condition 6: Openness

This condition requires businesses to be forthright about why they require the data subject’s personal information and how they intend to use and process it.

Data subjects must be made aware of who is collecting their personal information, as well as the other prescribed information that data subjects must be advised of when the information is collected, as set out in section 18 of POPIA, such as the purpose for collecting the information and whether the information being requested is sensitive.

This information is commonly documented in a company’s privacy policy and/or POPIA consent document.

Condition 7: Security Measures

POPIA requires the responsible party to take appropriate, reasonable, technical, and organisational measures to protect the integrity and confidentiality of the personal information it processes, as well as to prevent:

Security safeguards must be implemented throughout the organisation, not just in IT systems and infrastructure. Physical and technical security safeguards, as well as organisational measures such as security processes and procedures, must be considered and implemented. Personal information must be kept secure in both electronic and hard-copy form; as a result, it is critical not to overlook the security of hard-copy records of personal information processed, stored, and retained by a company.

Security measures must be reasonable in light of generally accepted information security practices and procedures that apply to businesses in general, as well as those required by specific industry or professional rules.

Condition 8: Participation of Data Subjects

Under POPIA, a data subject has the right to inquire whether the responsible party holds any personal information about him or her, to request a description of what personal information is held, to obtain a copy of his or her personal information record, and to be told which third parties have access to that information.

A data subject may also request that his or her personal information record be corrected or deleted if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully, or that the personal information or record be destroyed or deleted if the responsible party is no longer authorised to retain it.

POPIA also includes provisions that govern electronic direct marketing and give data subjects certain rights in this regard.
