POPI - can you afford not to comply?
Punishable offences in terms of the Act
The following offences are, if committed, punishable with either a fine (not exceeding R10-million), or imprisonment (for a period not exceeding 10 years), or both:
- Obstruction of a Regulator - a person will be guilty of an offence if they hinder, obstruct or unlawfully influence the Regulator or any person acting on behalf of or under the direction of the Regulator;
- Failure to comply with enforcement or information notices - if a responsible party fails to comply with an enforcement notice, they will be guilty of an offence;
- Offences by witnesses - a person will be guilty of an offence where such a person is summoned to give or produce evidence before the Regulator and that person, after being sworn in, gives false evidence before the Regulator on any matter;
- Unlawful acts by a responsible party in connection with an account number - if a responsible party contravenes s8 of the Act, subject to certain exceptions, that responsible party will be guilty of an offence. The responsible party, in terms of s8 of the Act, must ensure conditions for lawful processing; and
- Unlawful acts by third parties in connection with an account number - a person who knowingly or recklessly obtains or discloses an account number of a data subject, or who procures the disclosure of an account number of a data subject to another person, is guilty of an offence. In addition, if that person sells or offers to sell an account number obtained illegally, they will be guilty of an offence.
The following offences are, if committed, punishable with either a fine (not exceeding R10 million), or imprisonment (for a period not exceeding 12 months), or both:
- Failure to notify the Regulator that processing is subject to prior authorisation - if a responsible party fails to notify the Regulator that processing, which is about to be embarked upon, is subject to prior authorisation from the Regulator, that person will be guilty of an offence;
- Breach of confidentiality - any person who breaches the provisions of s54 of the Act, which states that a person acting on behalf of or under the direction of the Regulator must treat all personal information they come across as confidential, will be guilty of an offence;
- Obstruction of the execution of a warrant - a person who obstructs or fails to give assistance to a person executing a warrant in terms of the Act will be guilty of an offence;
- Failure to comply with enforcement or information notices - if a responsible party in purported compliance with an information notice served on it, makes a false statement, it will be guilty of an offence; and
- Offences by witnesses - a person will be guilty of an offence where such a person is summoned to give or produce evidence before the Regulator and that person either (i) does not attend; (ii) fails to remain in attendance; (iii) refuses to be sworn in or to make an affirmation; (iv) does not answer fully and satisfactorily; or (v) does not produce any item that they have been summoned to produce.
Conclusion
Despite the fact that the Act is quite onerous on Employers, there is a one year grace period from the date on which the Act commences to allow for compliance. If a responsible party acquaints itself with the provisions of the Act timeously and puts in place the necessary measures, the penalties mentioned can easily be avoided.