The Protection of Personal Information Act
Personal information – any data relating to a natural person or juristic person (company) that can lead to the identification of that person, or data that belongs to that person. Examples are email address, telephone number, street address, static IP address, religious belief, work performance review, criminal record.
Processing – there is a very broad definition in the Act. Processing includes actions like gathering, storing, backing up, reading, transferring, consulting on and destroying data. As an IT company, our core function is processing of personal information, whether we can physically read it or not. A common misconception is that we are not processing personal information if we cannot read/access the records. Examples are backing up data, updating a database, managing an O365 tenant, managing server hardware.
Responsible party – the company or person who decides that there is a need and purpose to process personal information. Note that there is no requirement for the responsible party to do the actual processing, as it could outsource that function. The responsible party is held accountable and liable for the security of personal information that it requires to be processed, whether it does the processing itself, or outsources it.
Operator – the company or person that performs the processing of personal information. This can be the responsible party (HR processing data of employees), outsourced vendors (a medical aid company processing data of employees, marketing companies that do lead generation for us, an outsourced IT company) or partners (helping us with work on our client’s O365 tenant). POPI requires that an operator agreement is concluded between the responsible party and the operator. This agreement specifies the operator’s obligations for safe processing and the information security safeguards that will be used, and indemnifies the responsible party for (financial) damages that are caused by the operator.
POPI stipulates how the personal information of persons (including juristic persons, i.e. companies) should be processed in order to secure it from being used for harmful purposes, and to respect the right to privacy guaranteed by the Constitution of South Africa. The Act prescribes eight conditions for the lawful and safe processing of personal information. The Act also makes it clear that all companies who process personal information should take reasonable steps to keep that information secure, in other words implement some kind of information security framework.
Greater care must be taken to safely process the personal information of children, and special (sensitive) personal information which includes categories like health, union membership, religious belief and biometric data.
Where a company outsources the processing of information, the company must enforce its POPI obligations on the outsourcing partner by concluding an operator agreement. This agreement should also include an indemnity clause whereby the outsourcing partner assumes financial responsibility for damages caused by its actions that lead to a breach. Legally, the responsible party will be held accountable for the security of the processing, whether it does the processing itself or outsources it. The accountability can never be shifted to an outsourcing partner.
Marketing is addressed specifically in the Act, with a number of requirements that should be met.
Why do we care about complying with the Act?
The penalties can be severe: up to R10 million and/or 10 years’ jail time for major infractions, and R1 million and/or 1 year of jail time for minor infractions.
A greater concern for companies would be the reputational damage that could result from a breach, or mishandling of personal information that becomes public.
Breaches have to be disclosed under certain circumstances, and the Information Regulator could instruct a company to disclose the breach in the news media or via a prominent notice on its website if the company is not able to identify all those affected by the breach.
A company that is able to demonstrate early adoption and compliance with the Act should enjoy a competitive advantage, and greater consumer trust.
And you never know, the Information Regulator might follow guidance from the GDPR, which advises a company not to use a processor that cannot demonstrate compliance.