There is a one-year grace period within which to comply with POPIA and the Regulations enacted under it. Private and public bodies must therefore be compliant by 1 July 2021.
POPIA gives effect to the constitutional right to privacy of the person to whom personal information relates (the ‘data subject’) in both the public and private sectors by setting eight conditions for the lawful processing of personal information. These conditions are: (1) accountability, (2) processing limitation, (3) purpose specification, (4) further processing limitation, (5) information quality, (6) openness, (7) security safeguards, and (8) data subject participation.
The Act is not designed to prevent the processing of personal information; it seeks to ensure that processing is done fairly and without adversely affecting the rights of data subjects.
POPIA applies to the processing of personal information entered in a record by or for a ‘responsible party’. The responsible party is the public or private body, or any other person, that alone or together with others determines the purpose of and means for processing personal information; it is frequently a company rather than an individual. The Act applies where the responsible party is domiciled in South Africa, or is domiciled elsewhere but uses automated or non-automated means in South Africa to process the personal information (unless those means are used only to forward the information through South Africa).
POPIA defines “personal information” as information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person such as a company. The definition includes information relating to partnerships and unincorporated persons and provides a detailed list of examples of personal information. These examples range from private correspondence and information about age, gender, sex and race to identifiers such as identity numbers, telephone numbers, location information and online identifiers, as well as personal opinions and preferences.
The responsible party processing
personal information must comply with all eight conditions and the measures
necessary to give effect to those conditions. Compliance must be achieved not
only when the actual processing of information takes place, but also when
determining the purpose and means of processing the personal information.
- Accountability: The responsible party must ensure that all processing of personal information complies with POPIA. Practically, this requires an established data protection policy and an internal information officer who furthers the aims of, and compliance with, the legislation.
- Processing limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe the data subject’s privacy. This includes processing only information that is adequate, relevant and not excessive for the purpose, having a lawful basis for the processing (such as the data subject’s consent or a legitimate interest of the responsible party), and, as a rule, collecting the information directly from the data subject. A responsible party must develop policies and procedures to ensure that personal information is processed in this manner.
- Purpose specification: Among other things, personal information may only be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. Data subjects must be informed of that purpose, except in exceptional circumstances, such as when the responsible party is required to comply with an obligation imposed by law. Records of personal information must also not be retained for longer than is necessary to achieve the purpose for which they were collected, unless a longer retention period is required or authorized by law, reasonably required for a lawful purpose related to the responsible party’s functions, required by contract, or consented to by the data subject.
- Further processing
limitation: Once personal information has been
collected and lawful processing has occurred, a responsible party may only
further process that data in limited circumstances. These limited
circumstances are determined based on whether the purpose of the further
processing is “compatible” with the previously defined purpose.
- Information
quality: A responsible party must ensure that any
personal information in its possession is complete, accurate, not
misleading and updated when necessary. In maintaining information quality,
the responsible party must consider the purpose for which the personal
information is collected or further processed.
- Openness: A responsible party must compile a
manual that contains stipulated information as required by the South
African Promotion of Access to Information Act, 2000, including details on
the information that it holds. When personal information is collected, the
responsible party must take reasonably practicable steps to ensure that
the data subject is aware of: (1) the information being collected and the
source of the information; (2) the name and address of the responsible party;
(3) the purpose for which the information is being collected; (4) whether
the data subject is required to provide the requested information, or may
do so voluntarily; (5) the consequences of failing to provide the
information; (6) the legal basis for the collection of the information;
(7) whether the responsible party intends to transfer the information to a
third country and the level of protection afforded to the transferred
information; and (8) any further information necessary for the processing to
be reasonable under the circumstances.
- Security safeguards: A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organizational measures to prevent loss of, damage to, or unauthorized destruction of personal information, and unlawful access to or processing of it. In practice this means identifying all reasonably foreseeable internal and external risks to the personal information, establishing and maintaining safeguards against those risks, regularly verifying that the safeguards are effectively implemented, and updating them as new risks or deficiencies emerge. Anyone who processes personal information on the responsible party’s behalf (an ‘operator’) must do so under a written contract that obliges the operator to establish and maintain the same security measures. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized person, the responsible party must notify the Information Regulator and, unless the identity of the affected data subjects cannot be established, the data subjects themselves, as soon as reasonably possible after discovering the compromise.
- Data subject
participation:
- The data subject
has the right to request confirmation of whether a responsible party
holds personal information about the data subject. The data subject also
has the right to request a record or description of the personal
information about the data subject being held by the responsible party,
as well as information concerning the identity of all third parties who
have had access to the data subject’s personal information.
- The data subject
may request that a responsible party:
- correct or delete
personal information about the data subject that is inaccurate,
irrelevant, excessive, out of date, incomplete, misleading or unlawfully
obtained; and
- delete or destroy
personal information that the responsible party is no longer authorized
to retain.