NOTES ON THE POPI (PROTECTION OF PERSONAL INFORMATION) ACT
1. Aims of the Act
To promote the protection of personal information processed by public and private bodies;
To introduce certain conditions so as to establish minimum requirements for the processing of personal information;
To provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions of this Act and the Promotion of Access to Information Act, 2000;
To provide for the issuing of codes of conduct;
To provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
To regulate the flow of personal information across the borders of the Republic; and
To provide for matters connected therewith.
2. Date of commencement of the Act
The commencement date for the bulk of the provisions of the Act was 1 July 2020 with a transition period ending on 30 June 2021, meaning that all persons subject to the provisions of the Act must comply with its provisions as from 1 July 2021.
3. Who is subject to the Act’s provisions?
The Act applies to any public or private body or other person who collects, keeps or otherwise processes personal information relating to a natural person or, where applicable, a juristic person (see the definitions of “personal information” and “responsible party” below).
4. Important definitions contained in the Act
“data subject” means the person to whom personal information relates.
“direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason.
“electronic communication” means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
“processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; and
(c) merging, linking, as well as restriction, degrading, erasure or destruction of information.
“record” means any recorded information –
(a) regardless of form or medium, including any of the following:
i. Writing on any material;
ii. Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
iii. Label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
iv. Book, map, plan, graph or drawing;
v. Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence.
“responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
5. The Act’s Provisions on the collection of data
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
Section 12 of the Act provides:
(1) Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
(2) It is not necessary to comply with subsection (1) if –
a. the information is contained in or derived from a public record or has deliberately been made public by the data subject;
b. the data subject or competent person where the data subject is a child has consented to the collection of the information from another source;
c. collection of the information from another source would not prejudice a legitimate interest of the data subject;
d. collection of the information from another source is necessary –
i. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
ii. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
iii. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
iv. in the interest of national security; or
v. to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied.
e. compliance would prejudice a lawful purpose of the collection; or
f. compliance is not reasonably practicable in the circumstances of the particular case.
Section 18 of the Act (notification to the data subject) provides:
(1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of –
a. the information being collected and where the information is not collected from the data subject, the source from which it is collected;
b. the name and address of the responsible party;
c. the purpose for which the information is being collected;
d. whether or not the supply of the information by the data subject is voluntary or mandatory;
e. the consequences of failure to provide the information;
f. any particular law authorising or requiring the collection of the information;
g. the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
h. any further information such as the –
i. recipients or category of recipients of the information;
ii. nature or category of the information;
iii. existence of the right to access to and the right to rectify the information collected;
iv. existence of the right to object to the processing of personal information as referred to in section 11(3); and
v. right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
(2) The steps referred to in subsection (1) must be taken –
a. if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
b. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information, or information of the same kind, if the purpose of collection of the information remains the same.
6. Provisions on the processing of data
Section 11 of the Act (consent and justification) provides:
(1) Personal information may only be processed if –
a. the data subject or a competent person where the data subject is a child consents to the processing;
b. processing is necessary to carry out actions for the conclusion or performance of the contract to which the data subject is a party;
c. processing complies with an obligation imposed by law on the responsible party;
d. processing protects a legitimate interest of the data subject;
e. processing is necessary for the proper performance of a public law duty by a public body; or
f. processing is necessary for pursuing the legitimate interest of the responsible party or of a third party to whom the information is supplied.
(2) a. The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
b. The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
Section 19 of the Act (security measures on integrity and confidentiality) provides:
(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent –
a. loss of, damage to or unauthorised destruction of personal information; and
b. unlawful access to or processing of personal information;
(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to –
a. identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
b. establish and maintain appropriate safeguards against the risks identified;
c. regularly verify that the safeguards are effectively implemented; and
d. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Section 26 of the Act (special personal information) provides:
(1) A responsible party may, subject to section 27, not process personal information concerning –
a. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
b. the criminal behaviour of a data subject to the extent that such information relates to –
i. the alleged commission by a data subject of any offence; or
ii. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
7. Provisions on retention of records
Section 14 of the Act provides:
(1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than necessary for achieving the purpose for which the information was collected or subsequently processed, unless –
a. retention of the record is required or authorised by law;
b. the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
c. retention of the record is required by a contract between the parties thereto; or
d. the data subject or competent person where the data subject is a child has consented to the retention of the record.
(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
(3) A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must –
a. retain the record for such period as may be required or prescribed by law or a code of conduct; or
b. if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
(4) A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).
8. Provisions on direct marketing
Section 69 of the Act provides:
(1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject –
a. has given his, her or its consent to the processing; or
b. is, subject to subsection (3), a customer of the responsible party.
(2) a. A responsible party may approach a data subject-
i. whose consent is required in terms of subsection (1)(a); and
ii. who has not previously withheld such consent, only once in order to request the consent of that data subject.
b. The data subject’s consent must be requested in the prescribed manner and form.
(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b) –
a. if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
b. for the purpose of direct marketing of the responsible party’s own similar products or services; and
c. if the data subject has been given reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details –
i. at the time when the information was collected; and
ii. on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
(4) Any communication for the purpose of direct marketing must contain –
a. details of the identity of the sender or the person on whose behalf the communication has been sent; and
b. an address or other contact details to which the recipient may send a request that such communications cease.
9. Provisions on the transfer of information outside South Africa
Section 72 of the Act provides:
(1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless –
a. the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that –
i. effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
ii. includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country.
b. the data subject consents to the transfer;
c. the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
d. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
e. the transfer is for the benefit of the data subject, and –
i. it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
ii. if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
10. The Information Regulator as enforcer and enforcement procedures
Sections 39-41 deal with the establishment of the Information Regulator’s office, which is responsible for the enforcement of the Act, whilst sections 73-99 deal with the enforcement procedures.
The Information Regulator’s office is accountable to the National Assembly.
As the purpose of these notes is to inform our clients of their responsibilities in terms of the Act and not to deal with the procedures to be followed by the Information Regulator, we will not elaborate any further at this point in time on the aforementioned sections of the Act.
Sections 100- 106 specify in which cases persons will be guilty of offences (in other words they will be deemed to have committed a crime).
The more serious of these offences are:
- When a person hinders, obstructs or unlawfully influences the Information Regulator;
- When a responsible party fails to comply with enforcement orders issued by the Information Regulator;
- Lying under oath by witnesses during proceedings of the Information Regulator’s office;
- Unlawful acts by responsible parties or third parties in connection with account numbers of data subjects.
It is important to note that, in general, a contravention of the provisions of the Act does not make a person guilty of an offence. It merely opens up the offender to the possibility of being on the receiving end of certain sanctions from the Information Regulator’s office. Only in the specific cases mentioned in sections 100-106 could a person be found guilty of an offence.
Section 107 of the Act deals with the penalties that can be imposed when a person has been found guilty of an offence.
For the more serious offences the penalty is severe: a fine and/or imprisonment for a maximum period of 10 years can be imposed.
For the less serious offences a fine and/or imprisonment for a maximum period of 12 months can be imposed.
11. Regulations issued under the Act
The Information Regulator published the final POPI regulations on 14 December 2018 and most of the regulations will commence on 1 July 2021.
The regulations are sparse in content and the most relevant aspects contained therein are basically the prescribed forms attached to the regulations.
12. In conclusion:
We expect that more regulations will be published that will be more industry specific.
Although it is important to take note of and implement the provisions of the Act, we would not recommend that our clients spend large amounts of money at this point on POPI procedure manuals that are already being offered by various companies.
If the person who collects and processes the information makes sure that there is a valid reason for the collection and processing of the relevant information, or obtains the data subject’s permission to collect and process the information, and thereafter takes practical steps to protect the information by ensuring that computer records are encrypted and paper records are locked away safely, there would be little chance of him/her running foul of the provisions of the Act or the Information Regulator.
Furthermore, when engaging in direct marketing as envisaged in section 69 of the Act, the marketer must take heed of the clear provisions as contained in the said section.
Notes prepared by Johann Nortje, director of J NORTJE ATTORNEYS INC (T: 012 365 3414; M:083 600 4425; firstname.lastname@example.org)