Subscribe to industry newsletters

Advertise on Bizcommunity

Manufacturing Indaba 2018

Unpacking Protection of Personal Information Bill (POPI)

Up to now, South Africa has not had comprehensive legislation that governs the protection of personal information and similar data. However, this situation will change when the Protection of Personal Information Bill (POPI) comes into force.
POPI has already been tabled in parliament and the parliamentary portfolio committee is working on it. Some changes are being made to the current version. The discussion below is based on that version and it must be kept in mind that the final version of POPI will probably differ from this short overview.

The Bill's aim is to regulate the manner in which personal information is processed and to provide for remedies in cases where personal information is not handled accordingly. It will also establish an Information Protection Regulator that will oversee its administration.

Its application is extremely wide. It applies, subject to various exclusions and exemptions, to all processing of personal information. "Personal information" is information relating to an identifiable, living, natural person. In certain instances, it can also be information of a juristic person (e.g. a company).

Personal information includes details of a person (such as race, gender and age), a person's education or employment history, contact details and blood type. It even includes a person's opinions, view and preferences, as well as the views or opinions of another individual about that person.

Noteworthy provisions

Currently, the Bill contains eight principles of protection of personal information, some of which are divided into several sub-principles. Some of the noteworthy provisions are mentioned below:
  • In order to process personal information, the responsible party must comply with the requirements set out in POPI.
  • Steps must be taken to ensure that the person to whom the personal information relates (the "data subject) is aware of the purpose for which the information is collected.
  • Security measures must be put in place to protect personal information against loss, damage and unlawful access. If a third party processes information on behalf of another party, the parties must conclude a written contract, which requires the third party to establish and maintain confidentiality and security measures.
  • Information may only be retained for the period allowed in terms of POPI.
  • Steps must be taken to ensure that processed information is complete, accurate, not misleading and updated.
  • If a party that processes personal information has reasonable grounds to believe that there has been unlawful access to the information, it must notify the Information Protection Regulator and data subject.
  • Data subjects have the right to obtain details regarding their personal information from parties holding such information. They may also request the correction of the information.
  • POPI prohibits the transfer of personal information to a third party who is in a foreign country, unless this takes place in certain specific instances.
It is important for businesses operating in South Africa to take note of POPI and consider the manner in which it will affect them. In particular, they will need to review their recording keeping, employment and information technology policies and procedures in order to ensure compliance with POPI once it is passed into law.
aubrey du toit
Hi a quick it permissible to transfer personal information to a third party who is not in a foreign country? Where you have a group of companies with a mother company and subsidiaries, may you transfer personal information in between those entities?
Posted on 13 Sep 2012 11:32
Danie Strachan
POPI does not provide an exemption for transfers between companies in a group. This means that an entity that transfers information will have to comply with all of POPI's conditions as if the receiving party is an independent third party.
Posted on 20 Sep 2012 10:38
Peter Burk
Will a direct marketer be able to send an unsolicited email to a new prospect in order for the prospect to access a website where he can double opt in if he wants to ?
Posted on 11 Oct 2012 16:14