Unpacking Protection of Personal Information Bill (POPI)

POPI has already been tabled in parliament and the parliamentary portfolio committee is working on it. Some changes are being made to the current version. The discussion below is based on that version and it must be kept in mind that the final version of POPI will probably differ from this short overview.

The Bill's aim is to regulate the manner in which personal information is processed and to provide for remedies in cases where personal information is not handled accordingly. It will also establish an Information Protection Regulator that will oversee its administration.

Its application is extremely wide. It applies, subject to various exclusions and exemptions, to all processing of personal information. "Personal information" is information relating to an identifiable, living, natural person. In certain instances, it can also be information of a juristic person (e.g. a company).

Personal information includes details of a person (such as race, gender and age), a person's education or employment history, contact details and blood type. It even includes a person's opinions, view and preferences, as well as the views or opinions of another individual about that person.

Noteworthy provisions

Currently, the Bill contains eight principles of protection of personal information, some of which are divided into several sub-principles. Some of the noteworthy provisions are mentioned below:

• In order to process personal information, the responsible party must comply with the requirements set out in POPI.

• Steps must be taken to ensure that the person to whom the personal information relates (the "data subject) is aware of the purpose for which the information is collected.
  
• Security measures must be put in place to protect personal information against loss, damage and unlawful access. If a third party processes information on behalf of another party, the parties must conclude a written contract, which requires the third party to establish and maintain confidentiality and security measures.
  
• Information may only be retained for the period allowed in terms of POPI.
  
• Steps must be taken to ensure that processed information is complete, accurate, not misleading and updated.
  
• If a party that processes personal information has reasonable grounds to believe that there has been unlawful access to the information, it must notify the Information Protection Regulator and data subject.
  
• Data subjects have the right to obtain details regarding their personal information from parties holding such information. They may also request the correction of the information.
  
• POPI prohibits the transfer of personal information to a third party who is in a foreign country, unless this takes place in certain specific instances.

It is important for businesses operating in South Africa to take note of POPI and consider the manner in which it will affect them. In particular, they will need to review their recording keeping, employment and information technology policies and procedures in order to ensure compliance with POPI once it is passed into law.