Understanding PoPIA: 8 fundamentals to comply with
While the actual date on which the Protection of Personal Information Act will finally come into effect is still a mystery, the Act, also known as the PoPI Act, is becoming more prominent in conversations and business meetings. So, what is this Act all about and is it good or bad for businesses?
What is the Protection of Personal Information Act?
The Protection of Personal Information or PoPI Act is a piece of legislation that outlines how South African institutions, both private and public, go about collecting, processing, storing, sharing, and maintaining your personal information.
It aims to provide you with certain rights and a degree of protection when it comes to your personal information. This is done by regulating how organisations use your personal information and holding them accountable for its use or misuse.
What are the Eight Conditions for the lawful processing of personal information?
Whether you are an individual or a company, you are responsible for ensuring that all the Conditions are complied with when it comes to people’s personal information.
Personal Information must be processed in a lawful manner that does not harm the subject’s privacy. The processing of the subject’s information may only be done with their explicit consent and only the minimum amount of information needed for the intended purpose may be collected.
Information may only be collected for a specific purpose, which must be made known to the subject. Additionally, the subject’s information should only be retained for as long as it is reasonably needed. The information must thereafter be destroyed or de-identified. This also applies should the subject no longer consent to their information being processed.
Further processing limitation
Further processing of a subject’s personal information may only be done where it relates to and is in agreement with the original purpose for which the information was processed.
All personal information collected must be as complete and accurate as possible. Care must be taken to maintain this information so that it is up to date and not misleading in any way. Furthermore, the original purpose of collecting the information must be kept in mind along with ensuring the information’s quality.
If you collect personal information, you must keep documentation of how and why you process that information. You must also make sure the subject is aware that you are collecting their personal information and is informed of the purpose of such collection.
If you collect personal information, then you must take every reasonable step to protect it. Ensuring that all information remains confidential and accurate is not optional. All information must have safeguards that protect it from unauthorised access, loss or damage, modification, accidental or purposeful disclosure and any act that jeopardises the privacy of the subject.
Should the subject’s information be compromised they must be notified immediately.
Data subject participation
The subject whose information has been collected has the right to enquire whether you have collected information on them, so long as they provide acceptable proof of identity. Furthermore, they have the right to request the nature and the record of the information collected as well as the identities of any third parties who may have access to or hold their information.
The above is by no means a comprehensive look at the Protection of Personal Information Act. Reading the Act for yourself is strongly advised, especially the Eight Conditions. The Act itself, while long, is not a complex or difficult Act to understand, but it will have far-reaching consequences for every organisation within South Africa, be they large or small.
Published by Michalsons