This article is published with the kind permission of Van der Spuy and Partners in Paarl and Cape Town.
The protection of privacy in South Africa has undergone intense investigation over the last decade. In late 2005 the South African Law Reform Commission found that there wasn’t adequate protection and that a new, separate piece of legislation was needed for the proper protection of one’s personal information. This paved the way for the long process which is now finally coming to an end with the Protection of Personal Information Act (“POPI”) recently passed by the National Assembly and now awaiting enactment.
POPI will have as its main aim the protection of personal information. It has been stated that POPI has been designed to protect personal information given that, in today’s digital age, there are serious implications in how this type of information is handled. Should an organisation, or “responsible party” as POPI names it, request your personal information, it may only capture and use that information with your consent. Organisations will further have to ensure that the information is kept up to date and that they have put in place reasonable security measures which are in line with industry standards. This in itself can be quite a tall order for many organisations that handle the personal information of their clients.
As soon as POPI is signed into law, all public and private organisations that process personal information will have a transition period of one year to address their compliance. The onus rests on the organisation to comply, and failure to comply can not only bring about reputational damage but can also lead to fines of up to R10 million or imprisonment of up to 10 years.
POPI restricts how personal information can be collected and used and to this end sets out eight principles of compliance for organisations:
1. Accountability
All responsible parties, which range from the man on the street to corporate giants, must adhere to all of POPI’s principles.
2. Processing limitation
Lawfulness is key. The method of information collection must be lawful and must not infringe on one’s right to privacy. Processing must be adequate, relevant and not excessive relative to the purpose for which it was undertaken, and may only be done with the consent of the individual (barring a few exceptions). Personal information must always be collected directly from the data subject, unless POPI provides otherwise.
3. Purpose specification
Collection of personal information must be for a specific, explicitly defined and lawful purpose of which the individual must be aware. The purpose for which your information is going to be used must be explicitly stated, and the information may only be kept until the desired result for which it was collected has been achieved.
4. Further processing limitation
Further processing of the information must be in accordance or compatible with the purpose for which it was originally collected.
5. Information quality
The organisation must take all reasonable steps to safeguard personal information while making sure it is accurate, complete, not misleading and updated whenever circumstances so demand. When taking these steps, regard must be had to the purpose for which the information was gathered or would be used for further processing.
6. Openness
The responsible party must at all times disclose to the individual all reasons behind the collection of their personal information. This includes, for example, the source of the information, how it will be applied, the individual’s rights in respect of such information and who will have access to it.
7. Security safeguards
A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unlawful access to personal information.
8. Data subject participation
An individual can at any time, free of charge, request from an organisation confirmation of whether it holds any of their personal information. Upon provision thereof, the individual may demand correction or deletion of information that is inaccurate, out of date, misleading or that was obtained illegally.
Organisations need to take note of these principles and assess to what extent they will apply to them. Proactively obtain help to assess the compliance of your business and start putting measures in place to ensure your compliance with POPI, as compliance will not be an overnight exercise and will require planning and understanding on your part.
The proof of the pudding will lie in the eating. Judging by what is indicated above, it seems that most of this is covered by the FAIS Act and the General Code of Conduct anyway.