There were calls, by the information regulator, earlier this year for President Cyril Ramaphosa to sign the remaining provisions of Protection of Personal Information Act (PoPi) into full force by 1 April 2020, it is unlikely to happen this year given the Covid-19 crisis.
Compliance with PoPI will, however, be mandatory for most organisations in South Africa sooner rather than later. The Act applies to any person or organisation who keeps records relating to the personal information of anyone unless those records are subject to other legislation, which protects such information more stringently.
The aim of the PoPI is to ensure that personal information is collected, managed, kept and disposed of in the prescribed manner. Personal information is kept in the form of data in databases or systems as well as in the form of documents or records.
PoPI prescribes eight conditions for the lawful processing of personal information in Section 4:
- Accountability
The responsible party must ensure that the conditions and all other measures as set out in the Act that give effect to such conditions are complied with at the time of determining the purpose and form of the processing of personal information.- Processing limitation
Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.- Purpose specification
Personal information may only be processed for specific, explicitly defined and legitimate reasons.- Further processing limitation
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.- Information quality
The responsible party must take reasonable steps to ensure the personal information collected is complete, accurate, not misleading and updated where necessary.- Openness
The data subject whose information you are collecting must be aware that you are collecting personal information and for what purpose the information will be used.- Security safeguards
Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction, and disclosure.- Data subject participation
Data subjects may request whether their personal information is being held by a particular business. They may also request the correction or amendment of their personal information or the deletion thereof from the business’ records.
Compliance in terms of these conditions is required and translates to the proper management, retention, and disposal of records. In order to achieve this compliance goal, a business should develop and adopt a plan or programme which is structured. This plan will have to be in the form of a manual which should be accessible to any person who wishes to see in what manner your business deals with personal information.
Remember; once PoPI comes into force, all public and private persons will have one year to comply with the provisions of PoPI, and there can be substantial penalties for non-compliance.
