A Quick Guide to the POPI Act.
The purpose of the POPI Act is to protect you as a consumer against, inter alia, theft of money and identity by preventing your personal information from landing in the wrong hands. In short, what it amounts to is that a responsible party must protect the integrity and confidentiality of personal information in his/her possession or under his/her control by introducing appropriate technical and organisational measures.
The POPI Act applies to everybody who processes any type of records that contain personal information of people.
It therefore lays down the minimum standards for the protection of personal information.
Processing comprises the collection, receipt, recording, organising, retrieval or use of such information. It also includes the distribution and release of such information (free of charge or against payment).
The purpose of the POPI Act is to enforce the consequences should a South African institution not behave in a responsible way when it collects, processes, stores and shares someone else's personal information. The POPI Act will hold it accountable if it misuses or compromises your personal information. The POPI legislation labels your personal information "precious goods" and gives you the right to protection and the ability to retain control over your information.
SOME KEY DEFINITIONS
- "data subject" - you or me, being a person to whom personal information relates.
- "direct marketing" - sending a data subject an electronic communication about goods and services that you are promoting or offering to supply in the ordinary course of business, or requesting a donation of any kind for any reason.
- "processing" - any operation or activity concerning personal information.
- "record" - any recorded information, regardless of when it came into existence.
- "responsible party" - a public or private body or any other person which determines the purpose of and means for processing personal information.
WHAT RIGHTS DO YOU HAVE OVER YOUR INFORMATION AND THE INFORMATION OF OTHERS?
1. How and when you want to share your information:
Consent will be required to share any personal information. The person must ensure that their contracts and mandates include special clauses and/or consents (when dealing with the Offer to Purchase).
Further, every individual has the right to enquire whether somebody holds their personal information. All they have to do is provide proof of identity, and this information must be provided free of charge. So, proper record keeping will have to be ensured, and if you do not have consent to hold the information, then that information must be deleted. Access to this information is also subject to the Promotion of Access to Information Act.
2. The type of information and to what extent you want to share your information:
Your information needs to be collected for a valid reason. As an example, you can only collect data of a personal nature if negotiating an offer to purchase.
3. Who will have access to your information:
There will need to be appropriate measures and controls in order to track access to your information and prevent unauthorised people - including people from within the same company - from having access to your information.
4. How and where your information will be stored:
There will need to be appropriate measures and controls to keep your information safe so as to protect it from being compromised or stolen.
5. The reliability and accuracy of your information:
Your information will need to be captured correctly and the company will be responsible for maintaining its accuracy. You will need to ensure that the correct data is supplied; correctly applying the principles from FICA will assist with your POPI requirements.
6. The information must be deleted if requested:
An individual has a right to have their personal information corrected or deleted if it is inaccurate, irrelevant, excessive, dated or misleading, or if it has been obtained unlawfully, or if the responsible party is no longer authorised to retain the information. So, once a transaction has been completed, whoever holds the information may then need to delete the parties' information as it is no longer needed. Further, it may be necessary to build into offers to purchase and/or mandates that all personal information will be deleted upon finalisation of the matter or its subsequent cancellation.
WHAT ARE EXAMPLES OF PERSONAL INFORMATION?
- Identity or passport number
- Date of birth and age
- Phone numbers - including cell phone number
- Email address
- Online or instant messaging identifiers
- Physical address
- Gender, race and ethnic origin
- Photos, video footage - this includes CCTV footage, voice recordings and biometric data
- Marital relationship status and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs - this includes personal and political opinions
- Employment history and salary
- Financial information
- Education information
- Physical and mental health information - this includes medical history and blood type
- Membership of organisations or unions.
WHO AND WHAT IS AN OPERATOR?
An operator is a member of staff or a third party whose sole function is to process all personal data collected for and on behalf of the company. Operators:
- process the data only according to the company's instructions, but without coming under its direct authority;
- act in terms of a written contract;
- dispose of the data after the arrangement ends;
- are merely a service provider;
- do not use the data for any of their own purposes.
HOW TO HANDLE PERSONAL INFORMATION ONCE COLLECTED
Section 19 states that anybody who keeps personal information must have procedures in place to prevent the loss, damage, and unauthorised destruction of said information. These procedures must also guard against unlawful access to, or unlawful processing of, this personal information.
A person must:
1. Identify all risks surrounding the collecting, processing, and storing of data;
2. Establish and maintain safeguards against these identified risks;
3. Regularly monitor and ensure that all procedures are being applied correctly; and,
4. Continuously update and amend all safeguards in light of any new risks that may be identified.
Section 20 states that he or she who processes (or collects) personal information on behalf of an employer or agency must be correctly authorised and empowered. Otherwise, this can be seen as a serious breach of the Act. Further, this information, once collected, must be treated as confidential. If this person is employed directly by the company, then the employment contract must specifically state that the individual is obliged to ensure the strictest safeguards when dealing with the information, meaning that the employment contract for any particular individual or individuals employed for POPI compliance will need to be specific and tailored for the parties.
Section 21(2) further states that the aforementioned employee must, if a data breach occurs, notify the employer of the breach and whether the personal data has been used by an unauthorised individual. Any breach must then be communicated to the Information Regulator and also (if you know whose information it was) to the individual whose information was compromised. The notification is to supply adequate information for the party to protect themselves.
Section 26 - Special Personal Information. This covers subjects such as:
1. religious or philosophical beliefs;
2. race or ethnic origin;
3. trade union membership;
4. political persuasion;
5. criminal and disciplinary proceedings that the individual may be involved in;
6. health or sex life; and/or
7. biometric information.
Processing of the above special information is only permitted in the following circumstances (all must be read together):
1. With consent of the individuals concerned;
2. When necessary in law;
3. When collected and processed for historical, statistical or research purposes; or finally,
4. The information has been deliberately made public by the subject.
Special rules apply to the processing of the personal information of children (section 35), so be careful if one of the parties is a minor. Consent of the parents will be required.
The Information Regulator has the power to grant exemptions to allow people to process personal information without complying with the Act if the public interest outweighs the subject's rights of privacy or where there is a clear benefit to the subject.
Exemptions may also be granted for the processing of personal information for the purposes of discharging a "relevant function".
An example of a relevant function would be the collecting and processing of private information in order to protect members of the public against:
1. financial loss due to fraud in the banking or financial services industry and property sector; and
2. dishonesty by persons authorised to carry on any profession or other activity, such as a lawyer.
WHAT ARE THE BENEFITS OF POPI?
1. Companies that collect large volumes of data will have a better means of sifting through the data and locating what is relevant, destroying the unnecessary data or not collecting it.
2. The requirements of POPI tie in with FICA and allow greater security. Once a transaction has been concluded, all personal data that is not necessary, such as email addresses, income tax numbers, cell and landline numbers must be redacted or destroyed.
3. Your contracts will be designed in such a way that you can manage the effective collection of data.
4. Customers and potential customers will be, or should be, happy to part with information, as you will be able to prove that your company is compliant and assure the client and/or potential client that none of their data will be used for anything beyond its specified purpose and that you will not sell or send their data to third parties without their consent.
DOES POPI REALLY APPLY TO YOU?
Accountability will rest with the "responsible party", which is a public or private body that, alone or with others, determines the purpose of processing personal information.
The "responsible party" needs to be a South African resident or be situated within South Africa. The POPI Act does not apply in the following cases:
- Specifically household or personal activity
- Appropriately de-identified information
- Various state functions, specifically criminal prosecutions and national security
- Journalism, which is under a code of ethics
- Judiciary functions.
WHY YOU SHOULD COMPLY WITH POPI
POPI is meant to create openness and increase customer confidence in the organisation. In order to comply with POPI, you just need to:
- Capture the minimum amount of required information, ensure it's accurate and remove information that isn't required.
- Identify the personal information and take appropriate measures to keep the information safe.
WHO SPECIFICALLY IS AFFECTED BY THIS LEGISLATION?
- Everyone is affected. Every single business will need to become compliant with this Act or face serious consequences. Every person and company is protected by this Act.
WHO WILL BE HELD ACCOUNTABLE IF THEY DON'T COMPLY WITH THE ACT?
- The owner of the business will be held accountable according to the Act.
I RUN A SMALL BUSINESS WITH ONLY A FEW EMPLOYEES AND CLIENTS. WHY MUST I ADHERE TO THIS ACT?
- The Act applies to small, medium and large businesses and everyone will be measured by the same standard.
HOW DOES MY BUSINESS BENEFIT WHEN I COMPLY WITH THIS ACT?
- By showing you are compliant and not sharing the client's data with third parties (unless consent is given), clients and potential clients will be more willing to work with you.
HOW CAN I PROVE POPI COMPLIANCE TO A CLIENT OR CUSTOMER?
- Your contracts must show how you comply with the Act, and you must also ensure that you keep clients informed as to why you are collecting their data.
- Explain to your customers exactly what information you'll be collecting, why you are collecting it, the name and address of the "responsible party" as well as your customers' right to object or participate.
WHAT IS THE PENALTY FOR NON-COMPLIANCE TO THE POPI ACT?
- If you decide not to be compliant with the POPI Act, you will be subject to a fine and/or imprisonment for up to 12 months.
- In specific cases, the penalty can be a fine and/or imprisonment for up to 10 years.
WHEN SHOULD I START SETTING UP TO BE COMPLIANT WITH THE POPI ACT?
- Start preparing immediately. Start reviewing your procedures and ensuring your contracts have the necessary consents and waivers built in. This will leave you with enough time to review your changes and make certain you actually are complying with the Act.
- Controlling information is the central component, so ensure that you have a staff member or members whose job it is to ensure that FICA documentation is collected and that the data is processed in terms of POPI.
FINALLY, DIRECT MARKETING
Section 69 of POPI outlaws direct marketing by means of any form of electronic communication - unless the subject has given their consent - be it by telephone, email, sms etc. Consent must be obtained and only then can the subject be approached; if it is not obtained, then that consent is refused forever.
But what if it's a Purchaser or a Seller? Their contact details must have been obtained in the context of the sale of a property and would be stored and possibly shared with third parties such as companies that attend to the issuing of compliance certificates, mortgage originators and Banks. Direct marketing by electronic communication can only relate to the supplier's own products or services, and the customer must have been given the right to opt out at the time that the information was collected. It should be noted that each time such a communication is sent, an option to opt out must be supplied and recorded so that the individual is not contacted again.
If you send out direct marketing, then you must disclose your identity, affiliation with the company and also the address of the company. Following this, you must also include a means for the client or individual to opt out as well.
If you have an electronic directory of clients, then, when collecting the data of a new client, you must inform them of this and they must be given the right to opt out of the directory. The directory must be maintained, and a client who opts out must not be contacted. This will however not apply to directories that were printed or which were created in off-line electronic form prior to the commencement of this section.
A public subscriber directory that is POPI compliant may retain personal information that already forms part of it unless the client requests to opt out, as per section 70 of POPI. The client must be notified that their information is part of such a directory and that they have a right to opt out.
The Act controls the transfer of personal information from South Africa to foreign countries (section 71) and prohibits this unless:
- the person receiving the information is subject to similar laws;
- the subject has agreed to the transfer of information;
- such transfer is part of the performance of a contract which the subject is a party to; or
- transfer is for the benefit of the subject and it is not reasonably practicable to obtain their consent and that such consent would be likely to be given. (section 72)
It doesn't matter how big or small your business is, you must have a policy document in your company and a way to destroy digital and physical documents to protect the personal information of your customers.
It is advised that you have a document shredder to quickly dispose of sensitive information. Speak to our team, who can help you choose the shredder to suit you and your business. Tel: 0227131111, email: firstname.lastname@example.org