Is your business ready for the Personal Information Act? Here is the POPI Act explained.
The purpose of the POPI Act, is to enforce the consequences, if a South African institution doesn’t behave in a responsible way when they collect, process, store and share someone else’s personal information.
The POPI Act will hold them accountable if they misuse or compromise your personal information. The POPI legislation labels your personal information “precious goods” and gives you the rights of protection and the capacity to still have control over your information.
Related: Protection of Personal Information Act – Everything you need to know about POPI
What rights do you have over your information?
- How and when you want to share your information. They need your consent to share your information.
- The type of information and to what extent you want to share your information. Your information needs to be collected for a valid reason.
- The level of transparency and accountability on how your information will be used, this is limited to the reason for collection, as well as a notification if or when your information is compromised.
- Access to your own information along with the right to have your information removed and/or destroyed if you want to.
- Who will have access to your information. There will need to be appropriate measures and controls in order to track access to your information and prevent unauthorised people, including people from within the same company, from having access to your information.
- How and where your information will be stored. There will need to by appropriate measures and controls to keep your information safe, to protect it from being compromised or stolen.
- The reliability and accuracy of your information. Your information will need to be captured correctly and the company will be responsible for maintaining its accuracy.
What are examples of personal information?
- Identity or passport number
- Date of birth and age
- Phone numbers – including cell phone number
- Email address
- Online or instant messaging identifiers
- Physical address
- Gender, race and ethnic origin
- Photos, video footage – this includes CCTV footage, voice recordings and biometric data
- Marital relationship status and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs – this includes personal and political opinions
- Employment history and salary
- Financial information
- Education information
- Physical and mental health information – this includes medical history and blood type
- Memberships to organisations or unions.
Along with the information age and the continuous progress comes the responsibility for each individual to take care of and protect their information. You can’t accuse someone of sharing or compromising your personal information when you’ve published it on social media or public directories.
Technology has evolved to the point that it’s easy to access, collect and process large volumes of information quickly. People can then sell this information, used it for more processing or use it for something else entirely. Private information in the wrong hands can cause you or a company irreparable damage.
Data protection legislation is necessary to protect your rights to privacy and abuse of your information. Even if this means imposing some social limits on society in order to balance the progress of technology. The POPI Act can’t protect you if you’re not taking care to protect yourself.
Related: The prospects of POPI
What are the benefits of POPI?
1. The business processes that need to be applied or improved will result in a better quality of organisational data. This will help your business gain a competitive advantage out of big data and will put you in a position to ethically and legally, collect and utilise this information. If you have a smaller business, having quality information is a necessity when making informed decisions.
2. The POPI requirements of putting in place measures to process and secure information can benefit your business. You can use the requirements to develop your current business processes and include processing efficiencies.
3. Developing the contractual arrangements concerning the information being processed by operators along with meeting satisfactory security measures should allow you to identify opportunities. This can put you in a position to create more efficient border control environment with third part relationships.
4. Your customers will have more trust and confidence in you because they will know that their information and all their interactions with you are secure and protected. When you accomplish and maintain POPI compliance, you will be able to confidently reassure customers that their information is safe and secure.
When will POPI affect you?
The Act was signed into law in November 2013. Certain limited sections of the POPI Act have already come into effect but the majority of the POPI Act will only come into effect at a later date, which will be decided by the President.
Which sections have already come into effect?
- The definitions in section 1
- The Information Regulator (Part A of Chapter 5)
- This deals with the establishment, staffing, powers and meetings of the Information Regulator
- This means that it has been established but no one has been appointed yet
- Regulations (Section 112)
- The Minister and the Information Regulator can now make regulations
- Procedure for making regulations (Section 113)
- There are no regulations yet, but the process is now in place to make regulations
- The earliest expected draft regulation won’t be before June 2016
Does POPI really apply to you?
Accountability will rest with the “responsible party”, which is a public or private body, alone or with others who determine the purpose of processing personal information. The “responsible party” needs to be a South African resident or occur within South Africa. These are the cases which don’t apply with the POPI Act:
- Specifically household or personal activity
- Appropriately de-identified information
- Various state functions, specifically criminal prosecutions and national security
- Journalism which is under a code of ethics
- Judiciary functions.
Why you should comply with POPI
POPI encourages transparency with the collected information and how it should be processed. This is meant to create openness and increase customer confidence in the organisation. In order to comply with POPI you just need to:
- Capture the minimum amount of required information, ensure its accurate and remove information that isn’t required. This should improve the general reliability of the organisations databases.
- Identify the personal information and take appropriate measures to keep the information safe, which will reduce the risk of your system being breached and any of the related public relations or legal consequences for your organisation.
Related: 3 Things you should know about POPI
Frequently asked questions about the POPI Act
Who specifically is affected by this legislation?
Everyone is affected. Every single business will need to become compliant with this Act or face serious consequences. Every person and company is protected by this Act.
How long will it take to comply with the Act?
Depending on your businesses current policies and practises, experts estimate it can take anything from 6 months to 5 years.
Who will be held accountable if they don’t comply with the Act?
The owner of the business will be held accountable according to the Act
I run a small business with only a few employees and clients. Why must I adhere to this Act?
The Act applies to small, medium and large businesses and everyone will be measured by the same standard.
How does my business benefit when I comply with this Act?
The benefits come from operating lawfully. Studies have shown that 90% of consumer would rather do business with businesses that are transparent and comply with legislation compared with any other business.
Will there be a transition period?
Yes. The transition period will be for 12 months from the commencement date. This means that from the date of commencement all business in South Africa will need to be compliant with the POPI Act.
How can I prove POPI compliance to a client or customer?
POPI needs openness, security safeguards and date subject participation along with other conditions. When you comply with these conditions it’s quite apparent to your customers.
As an example, when you comply with the Openness condition, you will explain to your customers exactly what information you’ll be collecting, why you are collecting it, the name and address of the “responsible party” as well as your customers’ right to object or participate.
This behaviour of openness will show your customers that you respect their information and consider it important.
Related: POPI in the retail environment
Are any other countries implementing an Act similar to POPI?
Many countries have similar legislation which safeguards the personal information of customers along with rules and regulations for international information transfers and shares.
Many experts have said that the POPI Act is well thought out and borrows the best sections of similar international laws as well as having learnt from their predecessors’ mistakes and shortcomings.
What is the penalty for non-compliance to the POPI Act?
If you decide not to be compliant with the POPI Act you will be subjected to a fine and/or be imprisoned for up to 12 months. In specific cases the penalty can be a fine and/or imprisoned for up to 10 years.
When should I start setting up to be compliant with the POPI Act?
POPI is going to be implemented, the regulations are not going to change and if you start working towards compliance you will not have to worry about having to redo sections.
There will most likely not be any new regulation requirements added. You should start raising awareness of POPI within your business as well as planning your protection of personal information strategy.
It’s recommended that you start implementing the changes you need to make, as quickly as possible so that you’re compliant before the end of the grace period. This will leave you with enough time to review your changes and make certain you actually are complying with the Act.
With the POPI Act explained this should help you in understand the process of implementing POPI compliance within your company. Controlling information is the central component to creating a business, which POPI processes and procedures can be effectively executed and its ethics upheld.