POPI - time to act is now

Aside from suffering reputational damage, losing customers and failing to attract new ones, and paying out millions in damages to a civil class action, not complying with the the Protection of Personal Information Act (POPI) once it comes into effect could cost you up to ten million rand or 10 years in prison, says Gavin Dunlop, CEO of Actnet.

POPI sets conditions for what every private and public body can do with information about their customers. The intention of POPI is to bring South Africa in line with international standards of protection of personal information, and this being said, it is set to radically change the way in which both government and business deal with individuals' private information.

The POPI Bill was passed by the National Assembly on 11 September 2012, with amendments approved on 20 August 2013. It was signed by President Jacob Zuma in November 2013 and is now law in South Africa; however, it will only commence on a date to be proclaimed by the President. Once the commencement period begins, there will be a one-year grace period for compliance - so there is no time like the present to ensure you are compliant.

What is POPI exactly?

POPI is an all-inclusive piece of legislation that safeguards the integrity and sensitivity of private information. It means that entities operating in sectors that require them to handle personal particulars - ranging from financial services to telecommunications - will have to manage the data capture and storage process very carefully. Companies will also have to get permission to keep data, and disclose the reason that they need it.

The Act will apply to any information regarding clients or suppliers, including contact details and correspondence. Human resources and payroll data, curricula vitae, applications for employment, CCTV records, performance reviews and internal e-mail records, will also be subject to POPI's requirements.

The crux of POPI is to protect personal information and prevent it from getting into the wrong hands, thereby protecting individuals and juristic entities from any damage, including financial fraud, identity theft, misuse and the abuse of personal information.

POPI also outlines stringent cross-border data transfer requirements as information may not be relocated to countries with inadequate information protection frameworks.

How POPI will affect the data you collect

POPI protects personal information by restricting how it can be collected and used by a company, organisation or person, and sets out eight principles:

1. Accountability: The Act defines the "responsible party" as "a person or body which determines the purpose of and means for processing personal information". Basically, those who process the personal information must ensure that all of the Act's principles and the measures are complied with. This includes relationships with suppliers that use your customer data to execute their services and contractual obligations. As the responsible party, you have to make sure that your suppliers are also compliant, as the liability with regards to protected information rests with the responsible party.

2. Processing limitation: Processing of information must be done lawfully and in a manner that does not infringe the privacy of the individual. Personal information can only be dealt with if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used.

3. Purpose specification: Personal information must only be collected for a specific purpose and the individuals must be aware of this. Records must not be kept for longer than necessary to achieve the purpose for which it was collected.

4. Further processing limitation: Further processing of the information must be compatible with the purpose of collection.

5. Information quality: The holder of the data must take reasonable steps to ensure that personal information is complete, accurate, not misleading and updated when necessary. All the while, taking into account the purpose for which the information was initially collected.

6. Openness: Steps are required to ensure that the data subject is aware of the personal information being collected and the purpose of collection.

7. Security safeguards: The responsible party must secure the personal information under their possession/control. Should a security breach occur, the responsible party must notify the subject whose information is compromised.

8. Data subject participation: The data subject can request whether an organisation holds their private information, and what information is held. They may also request the correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

How will POPI affect my electronic document delivery?

The Act provides for the concept of an "operator", which is a third party permitted to process data information on behalf of another party. The requirements for data protection in the service provider relationship are made clear in the Act and all electronic document delivery providers, like Actnet, will need to comply. Fortunately, Actnet is already compliant with all regulatory legislation pertaining to electronic document delivery.

Conclusion

POPI translates into the need for a greater understanding of the manner in which personal information is stored and processed, including the systems, processes and how logical and physical access is maintained and managed for the systems and areas housing personal information. Simply put, if your business processes personal information, then you must comply with POPI.

The POPI Act is going to place tremendous pressure on IT departments from a compliancy perspective. Granted, there have been many false starts with this legislation, but companies will only have one year to comply and the financial consequences and reputational risk could be dire. The time to act is now.