POPI Compliance

We live in an unprecedented age of technological advancements which have created a market for the collection, use, and sharing of personal information. In an attempt to align South African data protection laws with international standards, and in order to balance an individual’s Constitutional right to privacy against the need for openness and economic progress within an information society, Parliament has enacted the Protection of Personal Information Act (“POPI”). This article highlights key aspects of which businesses seeking to collect and utilise personal information should be aware.    

POPI applies to the collection and use of “personal information” entered in a “record”. Personal information is broadly defined as information relating to an identifiable person. Various types of personal information are listed including demographic data, personal opinions and preferences, correspondence of a private nature and location information. A “record” is defined as any recorded information, regardless of its form or medium.

In order to comply with POPI businesses are required, inter alia, to:

1. collect and use personal information in a lawful manner which does not infringe an individual’s right to privacy;
2. collect and use only information relevant to the purpose for which processed;
3. in certain instances, obtain the individual’s consent. Consent need not be obtained in writing and may be inferred in instances where the consumer was afforded an opportunity to object to the use of personal information but failed to do so. This being said, an individual may at any time object to the use of personal information. If an individual so objects, then personal information may no longer be used. Consent need not be obtained where collection and processing is required by law or is necessary for the legitimate interests of the collecting party or of a third party to whom information is supplied;
4. collect information directly from an individual, unless collection from another source would not prejudice the legitimate interests of the individual;
5. collect and use personal information only for a defined and lawful purpose;
6. retain personal information for no longer than necessary in order to achieve the purpose for which collected and used;
7. ensure that the individual is aware that personal information is being collected and used; and
8. implement technical and organisational measures to ensure the safety, integrity and confidentiality of personal information. An example of such measures is to adopt a privacy policy detailing the information being collected, the purpose for which collected and the manner in which information can be updated and deleted.

POPI is still in its infancy and is currently untested law. It remains to be seen how our courts will interpret and enforce this new legislation. Despite having been signed into law, POPI has not yet taken effect but is imminent. Once POPI does take effect, businesses will have a one-year grace period within which to comply with its provisions. If you think compliance is expensive, try non-compliance! Penalties for failure to comply include a fine and imprisonment of up to ten years.

We recommend that businesses educate themselves on the requirements of POPI and start putting the necessary compliance mechanisms in place. Pagdens can assist your business in becoming POPI compliant.

This article is for general information should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact an attorney for specific and detailed advice. Errors and omissions excepted (E&OE)