The Protection of Personal Information Act ("POPI") was signed
into law by the President on 19 November 2013. POPI seeks to regulate the
Processing of Personal Information.
POPI will have a far-reaching impact on your organisation with severe
consequences for non-compliance.
POPI will regulate almost everything that companies do with information
relating to customers, employees, suppliers, and others, including information already
in your possession or under your control.
Personal Information broadly means any information relating to an
identifiable, living natural person or to an identifiable, existing juristic person (companies, close corporations, etc.)
and includes, but is not limited to:
- contact details: email, telephone, address, etc.
- demographic information: age, sex, race, birth date, ethnicity, etc.
- history: employment, financial, educational, criminal, medical history
- biometric information: blood type, etc.
- opinions of and about the person
- private correspondence, etc.
Processing means broadly anything done with the Personal
Information, including collection, usage, storage, dissemination, modification
or destruction (whether such processing is automated or not).
Some of the obligations under POPI are to:
- only collect information that you need for a specific purpose
- apply reasonable security measures to protect it
- ensure it is relevant and up to date
- only hold as much as you need, and only for as long as you need it
- allow the data subject (the person the information is about) to access it on request
Does POPI really apply to me?
Accountability for compliance rests with a Responsible
Party, meaning a public or private body or any other person which, alone or in conjunction with others, determines the
purpose of and means for processing personal information. Generally the
Responsible Party must be resident in South Africa, or the processing must
occur within South Africa (subject to certain exclusions).
There are cases where POPI does not apply.
Exclusions include:
- purely household or personal activity
- sufficiently de-identified information
- some state functions including criminal prosecutions, national
security, etc.
- journalism under a code of ethics
- judiciary functions, etc.
Why should I comply with POPI?
POPI promotes transparency with regard to what
information is collected and how it is to be processed. This openness is likely
to increase customer confidence in the organisation.
POPI compliance involves capturing only the minimum
required data, ensuring its accuracy, and removing data that is no longer required.
These measures are likely to improve the overall reliability of the organisation's
databases.
Compliance demands identifying Personal Information
and taking reasonable measures to protect the data. This will likely reduce
the risk of data breaches and the associated public relations and
legal ramifications for the organisation.
Non-compliance with the Act could expose the
Responsible Party to a fine and/or imprisonment
of up to 12 months. For certain offences the penalty for non-compliance could be a
fine and/or imprisonment of up to 10 years.