Unpacking POPI: A look at the principles
The Protection of Personal Information Act, No 4 of 2013, promotes the Protection of Personal Information (PPI) by public and private bodies. The Act was signed into law by the President on 19 November 2013 and was published in the Government Gazette Notice 37067 on 26 November 2013.
POPI’s key objectives
The key objective of POPI is to provide knowledge of how the processing of personal information, to provide a framework for organisations handling information, as well as to protect against the misuse of personal information. POPI covers the processing of personal information entered into a record by a responsible party.
What does POPI cover?
POPI deals with the processing of information that is entered into a record by and/or for a responsible party. It can be by automated means, or non-automated means, as long as a filing system is in place.
POPI will not apply for the following:
- Personal or household activities
- De-identified personal information
- By public bodies (national security, prevention of unlawful activities, subject to safeguards)
- Journalistic, literary or artistic purposes
Processing of information
The processing of information under the POPI Act can be defined as the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use. It includes dissemination by means of transmission, distribution or making available in any other form, as well as the linking, merging, restriction, degradation, erasure, or destruction of personal information.
Principles of POPI
The following conditions apply to organisations in terms of POPI:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation
Organisations need to act responsibly, and be seen doing so, with regards to the personal information of data subjects. This means that organisations need to comply with the conditions laid out in the POPI Act when determining the purpose and means of processing, as well as when processing data.
When processing information, it has to be done in a lawful and responsible manner and for an adequate and relevant purpose.
Information may only be processed under the following conditions:
- The data subject consented
- Processing is necessary to carry out actions for conclusion or performance of a contract
- It is an obligation imposed by law
- Processing is in the legitimate interest of the data subject
- Processing is necessary for the performance of public duty by a public body
- Processing is necessary for pursuing legitimate interests of responsible party or third party to whom the information is supplied
Personal information must be collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party, the data subject must also be aware of the collection of personal information. The information may not be retained for longer than necessary and must be destroyed or de-identified once no longer authorised.
Further processing limitation
Any further processing of the information must be compatible with the original purpose.
An organisation must take reasonable, realistic steps to ensure that the personal information is accurate, complete, not misleading, and updated.
An organisation must maintain all documentation of processing operations and should notify the data subject of the following:
- Details of responsible party
- Consequences of failure to provide
- Applicable law
- Whether PI will be transferred across the border and protection in that country
- Rights to access, object and to lodge compliant with Regulator
An organisation must ensure the confidentiality and integrity of personal information and take steps to prevent the loss, damage, and unlawful access of the information. Risks need to be identified, after which safeguards need to be put in place. Safeguards need to be verified as being operational and should be kept updated, generally accepted practices should also be observed and practised by the organisation.
In case of security compromises, the data subject and Regulator must be notified within 48 hours of becoming aware of the breach. This notification must contain sufficient information about the breach.
Persons operating and processing the data need to ensure that the personal information is kept confidential and make sure that the responsible party is aware of processing. The responsible party and operator must conclude a contract regarding security measures and the operator must notify the responsible party of any unauthorized access.
Data subject participation
The data subject must be informed of their rights and allowed access to their personal information. The data subject must also be allowed to correct their personal information.