1. What does POPI do?
POPI governs the way personal information is collected, stored, used, disseminated and deleted. Personal information has a wide meaning and includes information which identifies and relates to living individuals (for example, gender and employment history) and existing corporates (for example, company contact details and correspondence of a confidential nature). The individual or corporate that the personal information relates to is referred to as the data subject. POPI protects personal information of data subjects by imposing minimum standards for its lawful processing. The data subject must consent to the processing of personal information except in certain circumstances. The most common of these is where processing is necessary to conclude or perform a contract with the data subject.
2. Does POPI apply to my organisation?
Both public and private organisations need to comply as well as individuals. There is no minimum threshold for compliance. It applies to South African organisations which process personal information (including employee personal information) and to foreign corporates that process personal information in South Africa (unless information is merely forwarded) using automated means (use of electronic equipment operating automatically under instructions) or where the personal information forms part of a filing system. Processing for purely personal or household activities, or for journalistic, literary or artistic purposes is excluded.
3. Compliance with other laws
POPI provides exemptions where the processing complies with legal obligations imposed by other laws (for example, providing personal information to a regulator). If another law provides more onerous obligations for the processing of personal information, the other law must be complied with (i.e. the highest standard applies).
4. Sensitive information
Personal information relating to children (i.e. under the age of 18) and special personal information (which includes private information relating to religious beliefs, race, trade union membership, health or sex life, biometrics and criminal offences) are subject to more onerous processing obligations. For example, cross-border transfers of these categories of information require prior approval from the regulator if the foreign recipient does not provide an adequate level of protection.
5. Subject access requests
A data subject has the right to (i) know if an organisation holds personal information about them, free of charge; (ii) access that information for a fee; (iii) request correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained personal information; and (iv) request destruction or deletion of personal information that an organisation is no longer authorised to retain.
6. Direct marketing
An organisation may not contact a prospective customer through automated calls, email or SMS to promote any products or services without that individual’s informed consent (i.e. the prospective customer must be given the opportunity to opt in to specific use). All communications must contain the organisation’s identity and contact details through which the customer can opt out at a later stage.
7. Cross-border transfers
Personal information may only be transferred to a third party who is in a foreign country in limited circumstances, such as with the data subject’s informed consent or where the foreign recipient is subject to obligations similar to those under POPI that provide an adequate level of protection of the information. You must tell the data subject if you collect information intending to transfer it to another country and give them particulars of the protection given offshore
8. Mandatory notification of data breach
The regulator and identifiable data subjects must be informed where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. The regulator may direct that a data breach be publicised if there are reasonable grounds to believe that publicity would protect a data subject who may be affected.
9. Information officers
The information officer is the head of a private organisation or public body or their appointee. An information officer must be registered with the Information Regulator established under POPI before performing their duties (which include ensuring compliance with POPI, assisting the regulator with investigations and dealing with subject access requests). Employees may be designated as deputy information officers to assist with these duties.
Non-compliance with POPI may result in a civil action for damages, enforcement action by the Regulator (on its own initiative or on receipt of a complaint) or criminal action for any offence committed. Offences will be prosecuted in the magistrates’ court and, on conviction, may give rise to imprisonment of up to 12 months or 10 years, depending on the severity of the offence, or a fine or both imprisonment and a fine. Alternatively, the regulator may issue an administrative fine up to ZAR10million for an offence (which is higher than the maximum fine in the UK and most of Europe).