POPI Act or Protection of Personal Information Act
POPI with thorns
Did you know that the Protection of Personal Information Act, also referred to as the POPI Act or POPIA, came into full effect on 1 July 2020? From that date businesses had 12 months, until 30 June 2021, to bring their practices into line with the Act. Non-compliance can mean administrative fines of up to R10 million, civil claims for damages and, for the specific offences listed later in this article, a fine or imprisonment of up to 10 years. The purpose of the Act is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed. The Act is not easy to read or understand, and the compliance requirements involve considerable red tape, so sound legal advice is recommended when setting up and enforcing compliance procedures.
The POPI Act applies to your business
The Act applies to any business that keeps any type of record containing the personal information of anyone, unless those records are subject to other legislation that protects the information more stringently. It therefore sets the minimum standard for the protection of personal information. It regulates the "processing" of personal information, which includes collecting, receiving, recording, organising, retrieving or using such information, as well as disseminating, distributing or otherwise making it available. Importantly, the Act also applies to records that were already in our possession when it commenced, so existing client files, databases and mailing lists must be brought into compliance.
Key definitions that will apply to the POPI Act
- “data subject” – the person to whom personal information relates; in other words, you or me.
- “direct marketing” – sending a data subject an electronic communication about goods or services that you are promoting or offering to supply in the ordinary course of business, or requesting a donation of any kind for any reason.
- “processing” – any operation or activity concerning personal information.
- “record” – any recorded information, regardless of when it came into existence.
- “responsible party” – a public or private body, or any other person, which determines the purpose of and means for processing personal information.
We all have the right to be told if someone is collecting our personal information, or if our personal information has been accessed by an unauthorised person. We have the right to access our personal information, to require that it be corrected or destroyed, and to object to it being processed. The Act does not apply to personal information processed in the course of a purely personal or household activity, or where the processing is done by a public body involved in national security, defence, public safety or anti-money-laundering, by the Cabinet or a provincial Executive Council, or as part of a judicial function. Personal information may only be processed:
- with the consent of the “data subject”; or
- if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
- it is required by law; or
- it protects a legitimate interest of the “data subject”; or
- it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.
We all have the right to object to having our personal information processed: we can withdraw our consent, or we can object on legitimate grounds. The Act also provides that a responsible party has to collect personal information directly from the data subject, unless:
- the information is contained in a public record or has been deliberately made public by the data subject;
- collecting the information from another source does not prejudice the data subject;
- collection from another source is necessary for a public purpose, or to protect the legitimate interests of the responsible party or of a third party; or
- obtaining the information directly from the data subject would prejudice a lawful purpose or is not reasonably practicable.
Personal information may therefore only be collected for a specific, explicitly defined and lawful purpose, and the data subject must be aware of that purpose. Once the personal information is no longer needed for that purpose, the record must be destroyed, deleted or de-identified, unless you are required or permitted by law to keep it, you reasonably need it for your own lawful purposes or under your contract with the data subject, or the data subject has consented to you keeping it. Records may be kept for historical, statistical or research purposes if you have established safeguards to prevent them being used for any other purpose. Records must be destroyed or deleted in a manner that prevents their reconstruction in an intelligible form; in practice that means secure deletion or shredding rather than simply moving a file or an old archive out of sight, and bear in mind that backups and copies held by your service providers contain the same records.

When information is being collected, data subjects must be made aware of:
- the information being collected and, if it is not being collected from them, the source from which it is being collected;
- the name and address of the responsible party collecting the information;
- the purpose of the collection;
- whether supplying the information is voluntary or mandatory;
- the consequences of failing to provide the information;
- whether the information is being collected in terms of any law;
- whether the information is intended to leave South Africa, and the level of protection it will be afforded after it has left;
- who will be receiving the information;
- that the data subject has the right to access the information and to have it rectified;
- that the data subject has the right to object to the processing (where such a right exists); and
- that the data subject has the right to lodge a complaint with the Information Regulator, together with the Regulator's contact details.
These requirements must be met before the information is collected directly from the data subject, or as soon as reasonably practicable afterwards if it is collected from another source, unless the data subject is already aware of them. If you later collect information from a data subject for a different purpose, you have to go through this process again.
Applicable to Estate Agents, Attorneys, Doctors, Dentists, Banks and Insurance Companies
We envisage all clients of estate agents, attorneys, doctors, dentists, banks, insurance companies and the like signing a form acknowledging that they are aware of their rights before they fill in any personal details on a mandate, an offer to purchase, a FICA form or any other form.
How should we manage personal information once collected?
The POPI Act provides that anybody who keeps personal information must secure its integrity and confidentiality by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of the personal information, and to prevent unlawful access to or unlawful processing of it. Thus we have to identify all reasonably foreseeable internal and external risks, establish and maintain safeguards against them, regularly verify that the safeguards are effectively implemented, and update them in response to new risks or identified deficiencies. The Act measures these safeguards against generally accepted information security practices and any rules that apply to a particular industry or profession, so in practice this is the familiar security-programme cycle: know where personal information is stored and who can reach it, assess the risks, document the controls (access control, encryption, backups, logging), and review them periodically.
New employment contracts for admin and data capturers will be required
Anybody processing personal information on behalf of a responsible party, whether an employee or an outside service provider (the Act calls such a provider an "operator"), must be authorised by the responsible party to do so and must treat the personal information as confidential. The responsible party must have a written contract with an operator that obliges the operator to maintain the security measures described above, and the operator must notify the responsible party immediately if there are reasonable grounds to believe that the personal information has been accessed or acquired by an unauthorised person. New employment contracts for administrative staff, data capturers and any other employees who deal with personal information should likewise oblige them to maintain the integrity and confidentiality of the personal information, to implement the established safeguards, and to report suspected compromises. The same contractual terms belong in your agreements with payroll, hosting, cloud and other providers who handle your data.
What to do in the case of a data breach
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, you must notify the Information Regulator and the affected data subject (unless their identity cannot be established) as soon as reasonably possible after discovering the compromise. The notification to the data subject must be in writing, sent by mail or e-mail, posted prominently on your website, published in the news media, or delivered as the Regulator directs, and must give sufficient information to allow the data subject to take protective measures against the possible consequences of the compromise, including the identity of the unauthorised person if known. The Regulator may also direct you to publicise the compromise. For a business this means preparing a breach-response plan in advance: who decides that a compromise has occurred, who drafts and sends the notices, and what records of the incident are kept.

Separately from breaches, we all have the right to ask whether somebody holds our personal information. All we have to do is provide proof of identity, and this confirmation must be provided free of charge. We can also find out what the information consists of and which third parties have received it. We also have the right to have our personal information corrected or deleted if it is inaccurate, irrelevant, excessive, out of date or misleading, or if it was obtained unlawfully, or if the responsible party is no longer authorised to retain it.
Special Personal Information according to the POPI Act
The Act creates a special category of personal information called “special personal information”. This covers religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and information relating to the alleged commission of any offence, any proceedings in respect of such an offence and their outcome. Special personal information may not be processed unless the data subject consents, processing is necessary for the establishment, exercise or defence of a right or obligation in law, it is for historical, statistical or research purposes, or the information has been deliberately made public by the data subject. There are also limited exceptions where the special personal information is specifically relevant to and constitutes the purpose of the collection, for example race for BEE reporting or health information for insurance purposes.
Special rules apply to the processing of personal information of children, according to the POPI Act.
The Information Regulator has the power to grant exemptions allowing personal information to be processed without complying with the Act where the public interest outweighs the data subject's right to privacy, or where there is a clear benefit to the data subject. Such exemptions may be granted subject to conditions. Exemptions may also be granted for the processing of personal information for the purposes of discharging a “relevant function”. A relevant function includes the processing of personal information with a view to protecting members of the public against:
- financial loss due to dishonesty of persons in the banking or financial services industry; and
- dishonesty by persons authorised to carry on any profession or other activity.
What is the Information Regulator?
The POPI Act establishes a new regulatory body, the Information Regulator. Its members are appointed by the President on the recommendation of the National Assembly and are accountable to the National Assembly, and a substantial body of staff works under them.
Duties of the Information Regulator relating to the POPI Act
Its duties include:
- educating the public about the POPI Act and advising public and private bodies on their obligations under the Act;
- monitoring and enforcing compliance with the Act, and keeping up to date with developments in information processing and computer technology to ensure that these do not undermine the protection of personal information;
- monitoring proposed legislation to make sure it is in line with the Act;
- reporting to Parliament, on its own initiative, on any policy matter;
- submitting an annual report to Parliament;
- assessing whether a specific public or private body is complying with the Act;
- maintaining the registers prescribed by the Act;
- consulting with interested parties on matters relating to personal information, and mediating disputes;
- handling complaints about violations of rights;
- enforcing the provisions of the Act;
- conducting research;
- drafting codes of conduct and guidelines;
- facilitating cross-border cooperation in the enforcement of privacy laws; and
- doing anything further it considers necessary to further the aims of the Act.
The Regulator also has an Enforcement Committee and is funded by the National Fiscus. Anybody who wishes to process unique identifiers of data subjects for a purpose other than the one for which they were collected, with the intention of linking the information to information processed by others, needs prior authorisation from the Regulator. Prior authorisation is also needed for processing information on criminal, unlawful or objectionable conduct on behalf of third parties, for credit reporting, and for transferring special personal information or the personal information of children to a foreign country that does not provide adequate protection. Processing without the required prior authorisation is a criminal offence. The Regulator may issue codes of conduct regarding the processing of personal information, of either general or specific application. Before issuing a code it must publish its intention and call for written submissions. Codes of conduct are published in the Government Gazette, the Regulator keeps a register of approved codes, and codes may be reviewed and revoked from time to time.
How the POPI Act applies to Direct Marketing
This is a notorious irritant in our daily lives! Section 69 of the Act outlaws direct marketing by means of any form of electronic communication, including automatic calling machines, fax machines, SMSs and e-mail, unless the data subject has consented. A data subject may be approached only once to obtain such consent, and if consent is refused it is refused for good. Slightly different rules apply to existing customers. Here the customer's contact details must have been obtained in the context of the sale of a product or service, the direct marketing may only relate to the supplier's own similar products or services, and the customer must have been given a reasonable opportunity to object, free of charge, both when the details were collected and each time a communication is sent. Every direct marketing communication must disclose the identity of the sender and provide an address or other contact details to which the recipient may send a request to opt out.

Section 70 deals with directories. A data subject whose details are included in any directory must be told of its purpose and of any further uses to which it might be put based on search functions embedded in electronic versions of the directory, and must be given the opportunity to object to such use. This does not apply to directories that were printed, or created in off-line electronic form, before the commencement of the section. If your personal information is in a public subscriber directory that was prepared in accordance with the Act's safeguards before the commencement of this section, it may remain in the directory provided that you have been notified of the directory's purposes and the future uses to which it might be put.
Once again, the data subject must be given the opportunity to opt out.

The Act also controls the transfer of personal information from South Africa to foreign countries (section 72). Bear in mind that hosting data with a foreign cloud provider, or giving an offshore support team access to it, is a transfer for these purposes. A responsible party may not transfer personal information to a third party in a foreign country unless:
- the recipient is subject to a law, binding corporate rules or a binding agreement that provides substantially similar protection;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract to which the data subject is a party, or for a contract concluded in the data subject's interest; or
- the transfer is for the benefit of the data subject, it is not reasonably practicable to obtain consent, and consent would probably be given if it were practicable.
Disputes and breaches relating to the POPI Act
The procedures set down in this part of the Act seem somewhat illogical and impractical. Any person may submit a complaint to the Information Regulator alleging a breach of the Act; it does not have to be the data subject whose rights were affected. Where the alleged breach falls under an approved code of conduct, the complaint is first dealt with by the adjudicator appointed under that code, and a responsible party or data subject who is unhappy with the adjudicator's determination may then complain to the Regulator. This amounts to a type of in-house appeal process and is quite confusing. When a complaint is referred to the Regulator, it has several options. It can
- conduct a pre-investigation;
- act as a conciliator;
- decide to take no action, if it believes there is no case because of the passing of time, the trivial nature of the complaint, the complaint being frivolous, vexatious or not made in good faith, the complainant lacking a sufficient personal interest, an internal remedy not yet having been exhausted, or further action being unnecessary or inappropriate;
- conduct a full investigation; or
- refer the complaint to the Enforcement Committee.
The Regulator may also commence an investigation on its own initiative, and may refer any complaint to another body if it believes the complaint falls more properly within that body's jurisdiction. The Regulator has the right to summon people to appear before it and give evidence, and that evidence does not have to be admissible in a court of law. This now seems to be a trend: in its dispute resolution function, the Community Schemes Ombud also has the right to receive evidence that would not be admissible in an ordinary court.

The Regulator can also enter and search any premises, conduct private interviews at any place, and carry out any other enquiries it sees fit. It may approach a judge of the High Court or a magistrate for a search warrant empowering it to search, inspect, examine, operate and test any equipment used for processing personal information on the premises, and it has powers of seizure in respect of evidence or prospective evidence.

Anybody may ask the Regulator to assess whether a particular instance of processing complies with the Act, and the Regulator may also make such an assessment on its own initiative. The results must be communicated to the person who requested the assessment and may be published if the Regulator deems this appropriate and in the public interest. After completing an investigation, the Regulator may refer the complaint or other matter to the Enforcement Committee for consideration, a finding, and a recommendation on proposed remedial action.
The Regulator may prescribe the procedure to be followed by the Enforcement Committee, which makes recommendations to the Regulator on any action to be taken against the responsible party. The Regulator makes the final “judgement” on the complaint and serves an enforcement notice on the responsible party, which is advised of its appeal rights. The enforcement notice may not require remedial action until the period for an appeal has passed and, if an appeal is lodged, until it has been determined, although the Regulator can require immediate compliance if the matter is urgent. A responsible party may appeal to the High Court within 180 days of receiving the enforcement notice. A party who has suffered damages as a result of the responsible party failing to comply with the Act can bring a civil action to recover those damages whether or not there was any intention or negligence on the part of the responsible party; this creates strict liability for the responsible party. The Act sets out a fixed number of defences that can be raised against an action for damages. These are:
- superior force;
- consent of the plaintiff;
- fault on the part of the plaintiff (contributory negligence, I presume);
- that compliance was not reasonably practicable in the circumstances; or
- that the regulator had granted an exemption in respect of compliance.
If the responsible party is found liable, the court may award damages as compensation for patrimonial and non-patrimonial loss suffered by the data subject, as well as aggravated damages, in a sum determined in the discretion of the court. This latter category appears to be a type of punitive damages, which is a new concept in our law. The court can also order the payment of interest on the damages, and costs of suit on a scale determined by the court. Any amount awarded to the data subject must be paid to the Information Regulator and used first to defray the expenses the Regulator incurred in the proceedings, with the balance then paid to the data subject. It would appear that the Regulator will therefore be able to fund some of its operations with damages awarded by the court to data subjects. Any court issuing such an order must publish it in the Government Gazette or by such other public media announcement as the court considers appropriate.
Offences, penalties and administrative fines relating to the POPI Act
Sections 100 to 106 set out the conduct that makes a party “guilty of an offence”. The most relevant are:
- Any person who hinders, obstructs or unlawfully influences the Regulator;
- A responsible party which fails to comply with an enforcement notice;
- Offences by witnesses, for example, lying under oath or failing to attend hearings;
- Unlawful acts by a responsible party in connection with account numbers;
- Unlawful acts by third parties in connection with account numbers.
Section 107 of the POPI Act sets out the penalties for the respective offences. For the offences listed above the maximum penalty is a fine or imprisonment for a period not exceeding 10 years, or both. For the less serious offences, for example hindering an official in the execution of a search and seizure warrant, the maximum penalty is a fine or imprisonment for a period not exceeding 12 months, or both. In addition, the Regulator may impose an administrative fine of up to R10 million for failure to comply with an enforcement notice, as an alternative to prosecution.

In conclusion, please ensure that you conduct a thorough audit of your business to confirm that you comply with the Act and the Regulations to the POPI Act, and take legal advice beforehand when or if you are unsure. Our Commercial law department at Witz Inc. is ready and available to assist you. Please contact us today.