Introduction

The Protection of Personal Information Act 4 of 2013, or POPIA, regulates the collection, storage, use and dissemination of personal information and promotes the protection of personal information processed by public and private bodies, known as responsible parties under POPIA. Any business that collects, stores, uses or disseminates personal information is therefore a responsible party and is subject to the provisions of the Act.

What Constitutes Personal Information? 

In the broadest sense, a person's personal information includes:

  • information relating to that person's race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, belief, culture, language and birth;
  • information relating to the person's education or medical, financial, criminal or employment history;
  • the person's e-mail address, physical address and telephone number;
  • biometric information;
  • the person's personal opinions, views or preferences; and
  • the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.

Personal information is constantly collected, stored and disseminated. Every time an e-mail is sent, notes are taken about an applicant in a job interview, or a visitor fills in personal details when entering a building, the activity falls within the ambit of POPIA.

What Does This Mean for a Business?

POPIA's reach is broad: any business that processes personal information is a responsible party and must comply with the provisions of the Act.

To ensure compliance, a business should review all of its policies and procedures against POPIA's requirements and establish the extent to which they are compliant.

Where such a review identifies non-compliance, appropriate steps should be taken, with a specific focus on the following:

  • ensuring the business has a POPIA policy;
  • ensuring the business has an "information officer", registered with the Information Regulator, who is responsible for ensuring compliance with POPIA;
  • ensuring all existing company policies and procedures are POPIA-compliant; and
  • checking that employment agreements are POPIA-compliant.

The Business’s Obligations

A business must ensure that consent (or another lawful justification recognised by the Act) exists for collecting, storing and disseminating personal information.

POPIA prescribes specific minimum requirements regarding where, how and why personal information is collected, stored and transferred. The business will have to:

  • obtain consent from the person or persons whose personal information is collected;
  • restrict collection, storage and dissemination to what is strictly necessary for the specific and lawful purpose of the collection;
  • ensure that records of personal information are not retained beyond what is necessary for the purpose for which the information was collected;
  • ensure that the persons concerned are aware of what information is held about them, of the business's obligations in respect of it, and of their rights regarding such personal information; and
  • ensure that the integrity and confidentiality of the personal information are safeguarded.

Non-Compliance

Non-compliance with the provisions of POPIA can result in substantial punitive measures. In terms of Section 107 of the Act, any person who obstructs the Regulator, fails to comply with an enforcement notice, gives false evidence before the Regulator, or commits one of the offences relating to account numbers (Sections 105 and 106) is liable, on conviction, to a fine or imprisonment for a period not exceeding ten years, or to both a fine and such imprisonment. In addition, any person who fails to notify the Regulator of processing that is subject to prior authorisation, breaches the duty of confidentiality, obstructs the execution of a warrant, or knowingly or recklessly makes a false statement in response to an information notice is liable, on conviction, to a fine or imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment. The Act also provides for administrative fines, which may not exceed R10 million.

Conclusion 

The importance of being POPIA compliant cannot be emphasised enough. If your business is to meet the various legal requirements expected of it, POPIA compliance is non-negotiable.

Contact an attorney at SchoemanLaw Inc for your legal needs!

Kiyaam Bekko