By now I would think that the majority of us know about the “Protection of Personal Information (POPI) Act, 2013“, which basically sets the conditions under which personal information may be processed. Although it sounds simple, it is a rather complex requirement, and non-compliance can see you fined up to R10 million or facing up to 10 years in jail.
It was something of a buzzword at the end of 2013 and in early 2014. I received 4-5 emails per week from companies wanting to show me what impact POPI is going to have on business processes. Companies started jumping at the opportunity to make a quick buck, charging thousands for one-day workshops and seminars. Comparing the costs, attending a workshop or seminar appeared to be worth it, given the heavy fines POPI imposes for non-compliance.
Let’s see if I can put together a brief on this, for those still uncertain about POPI. At the same time I want to look at the impact of the POPI Act on technology: what technologies will you have to acquire, adapt or upgrade to become compliant?
There’s a lot of controversy surrounding POPI, especially in the light of the Protection of State Information Bill (aka the “Secrecy Bill”). For the purpose of this article, I will not give my views on the differences, nor on the controversy surrounding the “Secrecy Bill”. Even though the implementation time-frames of POPI are very short, I support the POPI Act. My simple reason is that my personal information is my property and is regarded as personal for a reason. Therefore I want to be the one who decides who does what with my property. Yes, information is an asset, and thus I regard my information as my property.
In discussions, I find that many are still unsure, but it should be noted that there is a huge difference between the POPI Act and the “Secrecy Bill”, and the two should not be confused. Both impact the rights of the citizen, and you should make a point of reading both.
What does the POPI Act mean for the citizen in a nutshell?
The Act basically regulates what businesses can do with our information and how they should protect it. This leads to two basic things. On the one side, as consumers, we are afforded protection against the unauthorised use of our personal information; on the other side, there are strict standards and process requirements that all businesses need to implement in order to protect the personal information of customers/clients.
If you think of the penalty for non-compliance with the provisions of POPI, it can really harm your business. Worst of all is the fact that businesses only have 12 months from commencement to implement the required standards and strategies.
What is regarded as personal information?
The Act defines it broadly: any information relating to an identifiable person. In practice you should treat it as any information relating to the customer/client that is not in the public domain. Examples include, amongst others, ID numbers, age, phone number(s), email addresses, social media identifiers, physical addresses, gender, race, photos, voice recordings, video footage (incl. CCTV), relationship status, criminal record, religion, political opinions, employment history, salary information, and so forth.
It is my opinion that personal information that is already available in the public domain does not fall under this; for example, where someone has an open or public Facebook account on which they upload pictures for anyone to view, or someone publishes their political views on a public blog. Such information is already public; however, I do think that the person (the owner of the information) may, in terms of the POPI principles, ask any business to relinquish the use of such information.
What is it that businesses have to comply with?
In summary, there are basically 8 key principles (adapted from Entrepreneur Mag):
1. Accountability
Businesses need to make sure they are compliant with all the provisions. In other words, you need to know the principles and make sure your processes are aligned. If you have not yet read the Act, please download the full text and read it.
2. Processing limitation
Businesses must ensure that they process customer/client information lawfully. Such processing should not infringe on the privacy of the customer/client. Further to this, businesses should only process personal information that is relevant to the purpose for which it was acquired or is to be used, i.e. not excessive.
3. Purpose specification
Businesses must make sure that the customer is aware of the information they collect, in any form, and such collection of personal information must be for a specific, explicitly defined purpose. Once the purpose for which the record was collected has been served, the information may no longer be retained (subject to the exceptions the Act allows, e.g. where retention is required by law).
4. Further processing limitation
Should a business require any further processing of the personal information, it may only do so if such processing is compatible with the original purpose for which the information was collected.
5. Information quality
Businesses must always make sure that the personal information they hold is accurate, complete, not misleading and updated (when necessary). It is important to note that the original purpose for the collection of the personal information should always be kept in mind when judging what counts as accurate and complete.
6. Openness
Businesses must ensure that the customer/client is made fully aware of the collection of personal information and the specific purposes of such collection, including who is collecting it and whether supplying it is voluntary or mandatory.
7. Security safeguards
Businesses are responsible, and will be held accountable, for the security of personal information in their possession or under their control. The Act expects appropriate, reasonable technical and organisational measures against loss, damage, unauthorised destruction and unlawful access or processing, and this responsibility extends to any third party (operator) processing the information on the business’s behalf. Where there are reasonable grounds to believe personal information has been accessed by an unauthorised person, the Regulator and the affected data subjects must be notified.
8. Data subject participation
Businesses should have clear processes in place to allow a customer/client to request confirmation of whether their personal information is held, as well as what information is stored and for what purpose. Further to this, the customer/client may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained, and deletion of records the business is no longer authorised to retain.
The aforementioned points put a huge strain on businesses trying to comply with the provisions of the POPI Act. As always, ignorance of the law is no excuse. Compliance with POPI will have a financial impact and will require a significant amount of time and effort. You’ll have to train staff, update processes and implement technology to ensure compliance.
POPI compliance is relative to the business concerned, and thus there is no implementation template that shows you exactly how to implement POPI in your business. I found a brief checklist created by Werksmans Attorneys, and you should be able to Google them to find the template.