Protection of Personal Information Act (South Africa)
Legal Dynamix, Jun 2 (updated Sep 1)
Summary and Requirements of POPIA
The Protection of Personal Information Act (POPIA) is South Africa's privacy law that regulates how personal information is collected, stored, processed, and shared. Its primary goal is to protect the privacy of individuals and ensure responsible handling of personal information by organisations. POPIA is similar to the EU’s General Data Protection Regulation (GDPR) and came into full effect on 1 July 2021. The Information Regulator is the regulatory body responsible for monitoring compliance with POPIA.
Key Principles of POPIA
Accountability. Organisations must take responsibility for data protection. This means they should implement measures to ensure compliance with POPIA and be able to demonstrate these measures when required.
Processing limitation. Data must be collected for specific, lawful purposes. Organisations should avoid collecting excessive data and ensure that data processing is relevant and necessary for the intended purpose. Where applicable, data should be collected directly from the data subject.
Purpose specification. Personal information must only be used for the purpose it was collected. Organisations should clearly define the purpose of data collection and inform individuals about it.
Information quality. Data must be accurate, complete, and up to date. Organisations should regularly review and update data to maintain its accuracy.
Openness. Individuals must be informed about how their data is used. Organisations should provide clear and accessible information about their data processing activities.
Security safeguards. Organisations must protect data from unauthorised access. This includes implementing technical and organisational measures to secure data.
Rights of Individuals (Data Subjects)
Right to access. Individuals can request access to their personal information. For example, an individual can ask a company to provide a copy of the data it holds about them.
Right to correction/deletion. Individuals can request that inaccurate or outdated data be fixed or removed. For instance, if a person finds that their address is incorrect in a company's records, they can request that it be corrected.
Right to object. Individuals can object to certain uses of their data, such as direct marketing. This means they can ask a company to stop sending them marketing materials.
Right to data portability. Data can be transferred to another service provider. For example, an individual can request their data to be transferred from one healthcare provider to another.
Conditions for Lawful Data Processing
Consent. Explicit consent from individuals is required for processing sensitive data. Organisations should obtain clear and informed consent from individuals before processing their data. The individual must give consent freely, without coercion or undue pressure.
Contractual necessity. Data may be processed for contract performance (eg employment). For instance, an employer may process an employee's data to fulfil employment contract obligations.
Legal obligation. Data can be processed if required by law. Organisations must comply with legal requirements that necessitate data processing.
Legitimate interests. Processing is allowed if justified by legitimate business needs. Organisations should balance their interests with the rights and freedoms of individuals.
Key Requirements for Organisations
Appoint an Information Officer. The Information Officer is responsible for ensuring compliance with POPIA. This person oversees data protection activities and serves as a point of contact for data subjects. The Information Officer must be registered and receive a certificate of registration from the Information Regulator.
Implement data protection measures. Safeguard personal information through security measures. Organisations should adopt appropriate technical and organisational measures to protect data.
Obtain consent. Ensure explicit consent for processing sensitive data. Organisations should clearly explain the purpose of data processing and obtain consent from individuals.
Create a Privacy Policy. Inform individuals about how their data is used. A privacy policy should be easily accessible (eg on websites or from organisations’ registered offices) and provide detailed information about data processing activities.
Data breach notification. Notify the Information Regulator and affected individuals in case of a breach. Organisations should have procedures in place to detect, report, and investigate data breaches.
Cross-border data transfers. Ensure data transferred outside South Africa is protected by adequate safeguards. Organisations should implement measures to protect data when transferring it internationally.
Personal Information and Special Personal Information
Under POPIA, personal information and special personal information are categorised differently based on their sensitivity and the level of protection required. Here are some examples of each.
Personal Information
Personal information refers to any information that can identify an individual. Examples include:
Name. Full name of an individual.
Contact information. Email addresses, phone numbers, and physical addresses.
Identification numbers. National ID numbers, passport numbers, and company registration numbers.
Financial information. Bank account details, credit card numbers, and financial statements.
Employment information. Job titles, employment history, and salary details.
Online identifiers. IP addresses, social media profiles, and cookies.
Special Personal Information
Special personal information requires a higher level of protection (and disclosure to individuals) due to its nature. Examples include:
Racial or ethnic origin. Information about an individual's race or ethnicity.
Health information. Medical records, health conditions, and genetic data.
Biometric data. Fingerprints, facial recognition data, and retinal scans.
Religious or philosophical beliefs. Information about an individual's religious or philosophical beliefs.
Political opinions. Data related to an individual's political views or affiliations.
Sexual orientation. Information about an individual's sexual orientation or sex life.
Criminal records. Details of criminal convictions and offences.
These categories help ensure that personal and special personal information are handled appropriately, with special personal information receiving additional safeguards to protect individuals' privacy and rights.
Protection of Legal Entities Under POPIA
Unlike the EU’s GDPR, which primarily focuses on the protection of personal information of individuals, POPIA extends its protection to legal entities as well. This means that POPIA safeguards not only the personal information of individuals but also the data of companies, organisations, and other legal entities.
Key Points
Scope of protection. POPIA covers the processing of personal information of both natural persons (individuals) and juristic persons (legal entities). This includes data related to companies, trusts, and other organisations.
Rights of legal entities. Legal entities have the right to access, correct, and request the deletion of their data, similar to the rights granted to individuals. They can also object to the processing of their data and request data portability.
Compliance requirements. Organisations must ensure that they handle the data of legal entities with the same level of care and compliance as they do for individuals. This includes obtaining consent, ensuring data accuracy, and implementing security safeguards.
By extending data protection rights to legal entities, POPIA provides a comprehensive framework that promotes responsible data handling practices across all sectors, fostering trust and accountability in the digital economy. However, it is an open question as to what exactly a legal entity can claim as ‘personal information’.
Penalties for Non-compliance
Fines of up to R10m or 10 years' imprisonment for serious violations. Organisations that fail to comply with POPIA may face significant fines or imprisonment.
Individuals can seek compensation if their data rights are violated. This means that individuals can take legal action against organisations that breach their data protection rights.
Conclusion
POPIA is essential for protecting individuals' personal information and ensuring responsible data handling by organisations. Compliance with POPIA not only avoids penalties but also builds trust with customers by safeguarding their privacy rights.
The information provided is for information purposes and does not constitute legal advice. Contact a lawyer should you require assistance. Legal Dynamix is not a law firm and does not provide legal advice on the subject matter contained herein.