By now, most organisations are aware that the Protection of Personal Information Act (POPIA) 4 of 2013 (“the Act”) is in effect and requires every business that processes the personal information of persons to comply with the Act’s eight conditions for lawful processing by 1 July 2021.
Rob Russell of Labour Advice & Dispute Resolution explains, “Personal information and processing are widely defined in the Act. Personal information refers to any information that is capable of identifying a living person or existing juristic person, including contact details, biographic details, medical information, financial information, criminal information, employment information, educational information, biometric information, opinions, preferences and geolocation.”
If an organisation processes any information pertaining to minors, or to a person’s religious beliefs, criminal behaviour, political beliefs, biometric information, race, health or trade union membership, Russell points out that it is processing special personal information, and compliance with each condition becomes more onerous.
The first port of call for any organisation is to consider the role of the information officer, who must be registered with the Information Regulator (www.justice.gov.za/inforeg/portal). “For a private company, the information officer will be the CEO, or a person duly authorised by the CEO for that purpose. Published on 14 December 2018, the POPIA regulations extend the information officer’s duties and impose certain mandatory responsibilities. The role of information officer is therefore a critical role, and not something that can be dealt with lightly.”
Russell elaborates that POPIA sets out eight conditions for the lawful processing of personal information, and that your business should by now have ensured that it can meet all eight:
Accountability – your business is responsible for ensuring the conditions for lawful processing are met.
Processing limitation – your business must process personal information lawfully, minimally, in accordance with the consent, justification and objection provisions, and with the data subject’s consent, unless certain exceptions apply.
Purpose specification – your business must process personal information for a specific purpose and adhere to the retention and restriction of records provisions in POPIA.
Further processing limitation – further processing of information must be compatible with the purpose of collection.
Information quality – your business must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated.
Openness – your business must maintain the documentation of all processing operations under its responsibility and take reasonably practicable steps to ensure that the data subject is aware of certain information.
Security safeguards – your business must: (i) secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures; (ii) ensure, in terms of a written contract, that any operator which processes personal information on the business’s behalf establishes and maintains security measures; and (iii) as soon as reasonably possible after the discovery of a compromise, notify the Information Regulator and the data subject.
Data subject participation – your business must allow a data subject to access and correct its personal information. Your business may also be required to correct, delete or destroy personal information.
A manual in terms of section 51 of PAIA (the Promotion of Access to Information Act) is also required. The manual must be lodged with the Information Regulator and made available on the company’s website.
Non-compliance can lead to 10 years’ imprisonment or a fine of R10 million, or both.