POPI ACT: Protect personal information ACT

by POPI ACT: Protect personal information ACT on 02-06-2018 in News from advertisers

POPI ACT:   Protect personal information ACT

Protect personal information ACT 
-The identity saved could be your own- 

“I want my government to do something about my privacy - I don't want to just do it on my own” (quote by Evgeny Morozov). 
The Protection of Personal Information Act (“POPI”) is legislation placed with the goal to safeguard all organizations (“responsible party”) to handle personal information in an accountable way when gathering, dispensation, stowing and distributing another entity’s personal information by holding them answerable if they misuse or compromise individual’s personal information in any way by ensuring that they comply with POPI.  In this POPI regulates the processing of information from its commencement of gathering of information to its obliteration of that information gathered.  

In POPI’s implementation, companies and consumers are protected from the threats related with personal information tumbling into the erroneous hands as a consequence of data breaks, and industries who handle personal information to do so in accordance with POPI.  This piece of legislation will expressively affect insurers, insurance agents, and loss adjusters POPI applies to anybody who possesses any kind of chronicles involving to the personal information of anybody. 

All responsible parties will be faced with various issues, namely: 

a) That POPI will influence technology, procedures and the means in which personnel process personal information. 

b) Personal information may only be used for the reasons approved with clienteles and personnel.

c) Advertising by means of uninvited e-mails is banned.  Therefore, companies and employers need to implement opt-in and opt-out policies.

d) Personal information may only be reserved for as long as required.

e) Organisations should not gather more personal information than is required.

f) Processing of distinct personal information is banned. 

Importance of POPI places set of conditions to ensure individual’s (“data subject’s”) information is lawfully process which ensures protects data subject’s money from be being stolen, their identity being stolen, and to safeguard data subject’s essential right to privacy. These conditions are discussed as follows: 

a) Consent from the data subjects is required in order to ensure when and how the responsible party shares the data subject’s information.  This places processing limitations, so that when the responsible party gathers information from the data subject, he or she must ensure that such information is collected straight from the data subject with his/her consent and warrant that the information the responsible party collects is legitimate, passable and pertinent.

b) The nature and degree of information the responsible party choses to share must be valid. Precise purpose, when information is collected must have certain rationale for collection.

c) Transparency and accountability on how information is used limits the purpose and notifies the data subject if or when the information is compromised.  Such accountability, ensures that the responsible party takes accountability in safeguarding obedience to POPI.

d) Access to the data subject’s information must have passable procedures and panels in place to trail access and thwart unauthorised people from retrieving subject’s data. Furthermore, judicious requirements need to be in place to safeguard that data subjects are informed of any data that responsible party aims to share with any 3rd parties. Data subjects have a right to also have access to their own information if they request it from the responsible party. 

e) Data subjects have a right to request the details of parties who have access to their personal information and the right to request that the responsible party destroys their information, whereby the responsible party then has no authority to keep their information or dispense to 3rd parties. 

f) Accuracy and integrity of data subject’s information must be captured correctly and when collected, the responsible party is accountable to continue it.  This will sustain respectable business practice when dealing with data subjects.

g) Safeguard measures and controls need to be in place to protect data subject’s personal information from theft or being compromised. Safety instruments ought to be created and upheld to guard data subject’s personal information against dangers such as forfeiture, illegal access and obliteration.

h) Additional dispensation, must be well-matched with the originally gathered information or to guard the genuine interest of data subjects. 

To understand POPI I have highlighted certain points: 

All data subjects have the right to access their own personal information and to entail their personal information to be amended; destroyed or refuse such information from being administered.  

1. SECTION 11 OF POPI: Personal information can only be administered:  

a) with the permission of the “data subject”; or 
b) if it is essential for the decision or presentation of an agreement to which the “data subject” is a party to; or c) it is required by law; or d) it guards a authentic interest of the “data subject”; or e) it is essential to follow the data subject’s lawful benefits or the interest of a third party to whom the information is provided. 
2. SECTION 13 AND 14 OF POPI: A Responsible Party has to gather personal information straight from the “data subject”, except if: 

a) This information is confined in some free public chronicle or has intentionally been available by the data subject.

b) gathering the information from alternative foundation which does not bias the subject;

c) it is essential for some public purpose; or to guard the responsible party’s individual benefits;

d) procurement the information straight from the data subject would bias a legal determination or is not rationally possible. It should be noted that data subject’s personal information should be collected for a precise, clearly definite and legal reason and the data subject must be informed of the reason for the collection of the information.  Such information collected must be used only for the purpose it was required. Should the information no longer be required, it must be disposed of, unless the responsible party needs to retain it or consented to retain in. 
3. SECTION 18 OF POPI: Certain requirements need to be met when information is being collected.  The requirements are that the data subjects must be made aware of:  

a) the information that is being gathered from the responsible party and if the information is not being gathered from the responsible party, it is essential that the data subject be made alert of where the information was collected;

b) the designation and address of the individual or organisation gathering the information;

c) the reason for the gathering of information;

d) whether the source of the information by the data subject is with consent or compulsory;

e) the penalties of failure to deliver the information;

f) whether the information is being gathered is in accordance with any regulation;

g) If it is intended for the information to leave the country and what level of guard will be provided for the information after it has departed from South Africa.

h) who will be getting the information;

i) that the data subject has access to the information and the right to remedy any particulars;

j) that the data subject has the right to refuse the information from being administered;

k) that the subject has the right to lay a grievance to the Information Regulator.  The details of the Information Regulator must be essentially also be provided. 
a) Identity and/or passport number

b) Date of birth and age

c) Phone number/s (including mobile phone number)

d) Email address/es

e) Marital/Relationship status and Family relations

f) Online/Instant messaging identifiers

g) Physical address h) Gender, Race and Ethnic origin

i) Photos, voice recordings, video footage (also CCTV), biometric data

j) Criminal record

k) Private correspondence

l) Religious or philosophical beliefs including personal and political opinions

m) Employment history and salary information

n) Financial information

o) Education information

p) Physical and mental health information including medical history, blood type, details on your sex life

q) Membership to organisations/unions 

Privacy is one of the biggest problems in this new electronic age.  “The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual” (quote by Earl Warren). 

In terms of Section 69 of POPI, places significant limitations on the circumstances in which direct marketing is conducted by means of unwelcome communications except if the data subject has consented thereto.  An existing relationship between the responsible party and the data subject does not result in the consequence in a liberty to make frequent communications without consent from the data subject. 

Examples of such direct marketing by means of electronic communication includes emails; SMSs and programmed calling machineries.  A subject can only be approached once to obtain such a consent.  

If the data subject is a consumer, his or her details must have been obtained in the context of the sale of the product or service where the responsible party whom initially collected the information has similar services or products.  The consumer must have been informed and should consent each time electronic communication is sent. Any person sending out electronic communication must reveal the identity of the promoter and deliver an address to which the customer can direct a request to unsubscribe to receiving of such communication. 

In cases where the data subject is in any type of directory must be informed of the reason of the directory and about any forthcoming usages to which the directory might probably be. It is essential that such data subject have the chance to refuse to such use of the personal information.  

Due to electronic means of communication, it is easy to communicate and send personal information outside South Africa.  In terms of Section 71 and Section 72 of POPI, such personal information sent from South Africa to foreign countries is prohibited unless:  

a) the individual getting the information is subject to comparable regulations;

b) the data subject has consented to the forwarding of his or her information;

c) such forwarding of information is part of the performance of a contract which the data subject is a party; or

d) forwarding of personal information is for the benefit of the data subject and it is not judiciously feasible to find their permission and that such permission would be possible to be prearranged.  
Purchasing or buying directory with personal information 

With data bases being created over the years, many responsible parties have a directory listing their data subject’s personal information.  This is more commonly found with brokers and agents. It is possible to purchase and sell personal information, but this can only be done with consent of the data subjects. POPI ensures that the data subjects always maintain access, power and control over their personal information.  
Consent not required in certain instances when collecting information Personal information can be collected from various sources such as public directors, people who send an email, by registration on a website, subscribing to offers or alerts, downloading an app or entering into a competition.  
For such collection of information, no person is required to give a consent.  However, if you plan to send them electronic communications for the purposes of direct marketing, you need to get their consent to use it in that way. But you don’t need consent to collect it. Although no consent is required, it is essential that the collection of personal information is for a specific purpose related to where you obtained the information.  Should the person state upon receipt of your marketing to opt out of receiving such communication, then no further direct marketing is allowed. 
What to place on your direct marketing communications  POPI requires parties to identify themselves when attending to direct marketing communications.  In all communications for direct marketing, the direct marketer needs to provide their full company name; contact details for the recipient to opt-out; company registration number and if they are a registered credit provider, their number. 
National op-out register Op-out register is where people have registered stating that they do not want direct marketing.  Where individuals have registered on the op-out register, no direct marketing may be sent to those individuals.  It is important that prior to attending to any direct marketing, that the marketers check any register where people refused any direct marketing, including their own. 

“As we all become increasingly reliant on social networking websites and new technologies to stay connected, it's important to remain cognizant of how private personal information and data is handled” (quote by Michael Bennet). 

In terms of Section 19 of POPI, it is important that responsible party thwarts illegitimate access to or illegitimate processing of personal information as well as to take steps to prevent the loss, damage and unauthorised destructions of the personal information. One has to identify the risks   and establish mechanisms to avoid them.   

“The Internet is a worldwide platform for sharing information. It is a community of common interests. No country is immune to such global challenges as cybercrime, hacking, and invasion of privacy” (quote by Lu Wei). Due to the numerous ransomware dispersion and infected devices, offenders will keep reinventing ways to exploit weaknesses and find ways to attack, breach and steal.  Such risks therefore need to be continuously evaluated and mechanisms need to updated to defend against such risks. 

In terms of Section 20 of POPI, all personnel gathering personal information and having access thereto, on behalf of an employer, is required to enter into a written contract with their employer binding them to upholding the truthfulness and privacy of the personal information and to implement the precautions against recognized dangers. In terms of Section 21(2) of POPI, if the employee becomes aware that personal information of clients has been jeopardized, they are to inform the employer. 

It is advised that all companies or responsible parties collecting personal information should implement necessary steps or take various steps to comply with POPI.  Such steps could be for example: 

a) Appointing an Information Officer.

b) Personal information inventory

c) Drafting a Privacy Policy and ensuring organisation policy reviews.

d) Privacy training and awareness

e) Mechanisms to avoid risk in Data in transit; Data portability; Privacy by design; Explicit consent; and Breach notification.

f) Advance alertness among all personnel by implementing incident management plans 

g) Revise agreements with operatives.

h) Deployment of a governance and data privacy target operating model for sustainable data privacy compliance

i) Account data breaks to the supervisor and data subjects.

j) Ascertain that they can legally entitled to disperse personal information to other countries.

k) Only disclose personal information when they are legally able to

l) Data export restrictions m) All who handle the personal information needs to have the right to access personal information; 

Unfamiliarity cannot be used as a defence, therefore POPI should not be taken casually.  

“I cherish my privacy, and woe betide anyone who tries to interfere with that” (quote by Jeff Beck).  The only means of enforcing protection of personal information is to place penalties and fines which would hopefully discourage such disperse of unsolicited personal information. 

In terms of Sections 100 – 106 of POPI, instances where parties could be found “guilty of an offense are: 

a) Any person who hinders, obstructs or unlawfully influences the Regulator when complaints are lodged;

b) A responsible party which fails to obey with an enforcement notice;

c) Offences by witnesses;

d) Unlawful Acts by responsible party in connection with account numbers; e) Unlawful Acts by third parties in connection with account number. 
In terms of Section 107 of POPI, there are significant consequences for serious offences in non-compliance, including: a) Suffer reputational damage. b) Lose customers and employees and fail to attract new ones c) Pay out millions in damages, in civil action, to data subjects to compensate them for the damage they have suffered a civil class action. d) Be fined up to R10 million or face 10 years in jail for committing an offence. 
For the less serious offences: 
a) the maximum penalty would be a fine; or  
b) imprisonment for a period not exceeding 12 months or  
c) to both a fine and such imprisonment 


There are various other laws that also protect personal information. The key ones are: a) Consumer Protection Act (CPA) b) National Credit Act (NCA) c) Regulation of Interception of Communications Act (RICA) d) Promotion of Access to Information Act (PAIA) 

If there is a conflict between POPI and another law, POPI prevails. However, if another law provides superior defense to personal information, the other law will triumph.  
No matter how you look at it, POPI will come into play in all our lives.  Compliance will have a bearing on the procedures, technology and method in which personnel and organisations use and process personal information. It is peril for organisations that process personal information of personnel, clienteles or other juristic persons) to create privacy and safety ingenuities in order to be in line with POPI. 
In my opinion, POPI is moving towards the direction to protect our personal information.  As modern technology changes, so will access to our information.  Nonetheless, “I believe that any violation of privacy is nothing good” (quote by Lech Walesa). 
(NOTE: this article is for information purposes only. Each case depends on merits of matter and should be consulted with an attorney) 

Featured Listings