The Protection of Personal Information Act 4 of 2013 (POPI) requires all businesses which process personal information of both natural persons and juristic persons to comply with its provisions by the 1st of July 2021. There are severe penalties for non-compliance, such as a fine of between R1 million and R10 million or imprisonment of one to ten years. POPI also makes provision for the payment of compensation to consumers who suffered damages in consequence of a party’s non-compliance with POPI.
The scope of POPI is very wide, and it covers the use, collection, communication, organisation, storage, deletion, transfer, dissemination, linking and copying etc. of any information that is capable of identifying a person, including contact details, medical information, financial information, criminal information, employment information, educational information, biometrics, opinions, preferences and geolocation.
Once an organisation has determined that it is processing personal information, it is required to ensure that such personal information is dealt with in line with POPI’s eight conditions, namely:
- Accountability – by identifying who the responsible party is (i.e. the business processing the information for a specific purpose) and distinguishing the business from operators (third parties who will process personal information on your behalf).
- Process limitation – by ensuring that the personal information is lawfully collected, and that the processing is adequate, relevant and not excessive to the purpose of processing.
- Process specification – by only processing personal information for a specific purpose, and, where possible, collecting such personal information directly from the person to whom the personal information relates, who is aware of this purpose and has consented to the collection, retention and destruction of the information.
- Further processing limitation – by ensuring that personal information is not used for a further purpose, if the use is not compatible with the original purpose for which it was collected.
- Information quality – by taking reasonable steps to ensure that the personal information is complete, accurate, up-to-date and not misleading.
- Openness – by keeping the person to whom the personal information relates apprised of the personal information being processed, and by notifying such person as well as the Information Regulator should the privacy of any personal information be compromised.
- Security safeguards – by taking the necessary security measures to ensure the integrity and confidentiality of the personal information being processed. A relevant incident response plan must be prepared in the event that a data breach occurs.
- Participation – by making the person to whom the personal information relates aware of their processing rights and permitting them to update their personal information from time to time.
As a start towards becoming compliant, it is recommended that a business performs a POPI risk and readiness assessment, taking into account various factors and answering the following questions:
- What special personal information are you collecting? (i.e., information pertaining to minors, criminal information, medical information, biometric information etc.)
- How are you collecting personal information?
- Why are you collecting the personal information?
- What will the personal information be used for?
- Who will the personal information be shared with?
- What are your storage, retention and destruction protocols and procedures?
- What security measures do you have in place and what is the breach protocol procedure?
- Are you transferring the personal information across the South African border?
- Have you provided the data subject with a consent form informing them of their rights?
- Have you appointed an information officer, i.e., the person who will be responsible in the business for ensuring compliance with the Act?
- Do you have a dispute and complaints forum?
Once the above questions have been answered, a POPI Policy can be prepared, and the various measures and interventions which have been identified during the risk and readiness assessment can be implemented.
On 12th March between 9h30 and 10h15
Free for all FASA members and their franchisees and staff
R50 for non-members