The Protection of Personal Information Act (POPIA)

All public and private bodies will have to be POPIA compliant by 01 July 2021.

The purpose of The Protection of Personal Information Act, 2013 (Act 4 of 2013) is to –

(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at –

(i) balancing the right to privacy against other rights, particularly the right of access to information (The Promotion of Access to Information Act, 2000 (Act 2 of 2000) The Promotion of Access to Information Amendment Act, 2002 (Act 54 of 2002)); and

(ii) protecting important interests, including the free flow of information within the Republic and across international borders;

(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;

(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and

(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfill the rights protected by this Act.

Information Regulator

The Information Regulator (South Africa) is an independent body established in terms of Section 39 of the Protection of Personal Information Act 4 of 2013. it is subject only to the law and the constitution and it is accountable to the National Assembly.

The Protection of Personal Information Act, 2013 (POPIA Act) aims to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information so as to establish minimum requirements for the processing of such information.

The Information Regulator (South Africa) is, among others, empowered to monitor and enforce compliance by public and private bodies with the provisions of the POPIA Act.

10 Definitions as per the Protection of Personal Information Act No 4 of 2013:

Consent – means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information;

Data subject – means the person to whom the personal information relates;

Information matching program – means the comparison, whether manually or by means of any electronic or other devices, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;

Information officer – of, or in relation to, a –

(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or

(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;

Application forms, and Guidance Notes, for Information Officers, are available at JusticeGov Registration opens 01 May 2021.

Personal information – means information relating to an identifiable, living, natural person, and where it is applicable and identifiable, existing juristic person, including, but not limited to –

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and the birth of the person;

(b) information relating to the education or the medical, financial, criminal, or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignments to the person;

(d) the biometric information of the person;

(e) the personal opinions, views, or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

Processing – means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

(a) the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure, or destruction of information;

Promotion of Access to Information Act – means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)

Public Record – means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;

Record – means any recorded information –

(a) regardless of form or medium, including any of the following:

(i) Writing on any material;

(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other devices, and any material subsequently derived from information so produced, recorded or stored;

(iii) label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;

(iv) book, map, plan, graph, or drawing;

(v) photograph, film, negative, tape, or other devices in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

(b) in the possession or under the control of a responsible party;

(c) whether or not it was created by a responsible party;

(d) regardless of when it came into existence;

Regulator – means the Information Regulator established in terms of section 39;

8 Conditions of lawful processing of personal information:

1. Accountability: where the responsible party must ensure compliance with the conditions for lawful processing
2. Processing limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of a data subject. Consent, justification, and objection; collection directly from a data subject
3. Purpose specification: Personal information must be collected for a specific explicitly defined and lawful purpose related to a function or activity of the responsible party
4. Further processing limitation: Further processing must be compatible with the purpose of collection, failing which consent must be obtained.
5. Information Quality: Personal information must be complete, accurate, not misleading, and updated.
6. Openness: The responsible party must maintain records and notify data subjects when collecting personal information
7. Security Safeguards: A responsible party must secure the integrity and confidentiality of personal information
8. Subject Participation: Data subjects must have access to personal information. Correction or deletion of personal information may take place if incorrect, irrelevant, outdated, excessive, incomplete, misleading or unlawfully obtained.

All Documents and updates are available here.

Sources:
Justice
Facebook

---

To view more Articles, please visit our Leads 2 Business Blog.
If you are interested in becoming one of our subscribers, please visit Leads 2 Business.
To view notes with screenshots on how to use our website, please visit Leads 2 Business Wiki.