The Protection of Personal Information Act

Important definitions

Personal information – any data relating to a natural person or juristic person (company) that can lead to the identification of that person, or data that belongs to that person. Examples are email address, telephone number, street address, static IP address, religious belief, work performance review, criminal record.

Processing – there is a very broad definition in the Act. Processing includes actions like gathering, storing, backing up, reading, transferring, consulting on and destroying data. As an IT company, our core function is processing of personal information, whether we can physically read it or not. A common misconception is that we are not processing personal information if we cannot read/access the records. Examples are backing up data, updating a database, managing an O365 tenant, managing server hardware.

Responsible party – the company or person who decides that there is a need and purpose to process personal information. Note that there is no requirement for the responsible party to do the actual processing, as it could outsource that function. The responsible party is held accountable and liable for the security of personal information that it requires to be processed, whether it does the processing itself, or outsources it.

Operator – the company or person that performs the processing of personal information. This can be the responsible party (HR processing data of employees), outsourced vendors (medical aid company processing data of employees, marketing companies who does lead generation for us, outsourced IT company) or partners (helping us with work on our client’s O365 tenant). POPI requires that an operator agreement is concluded between the responsible party and the operator. This agreement specifies the operator’s obligations for safe processing, the information security safeguards that will be used and indemnifies the responsible party for damages (financial) that is caused by the operator.

POPI stipulates how the personal information of persons (including juristic persons, i.e. companies) should be processed in order to secure it from being used for harmful purposes, and to respect the right to privacy guaranteed by the Constitution of South Africa. The Act prescribes eight conditions for the lawful and safe processing of personal information. The Act also makes it clear that all companies who process personal information should take reasonable steps to keep that information secure, in other words implement some kind of information security framework.

Greater care must be taken to safely process the personal information of children, and special (sensitive) personal information which includes categories like health, union membership, religious belief and biometric data.

Where a company outsources the processing of information, the company must enforce its POPI obligations with the outsourcing partner by concluding an operator agreement. This agreement should also include an indemnity clause whereby the outsourcing partner assumes financial responsibility for damages caused by its actions that leads to a breach. Legally, the responsible party will be held accountable for the security of the processing, whether it does the processing itself or outsources it. The accountability can never be shifted to an outsourcing partner.

Marketing is addressed specifically in the Act, with a number of requirements that should be met.

Why do we care about complying with the Act?
The penalties can be severe, with up to R10 million and/or 10 years jail time of major infractions, and R1 million and/or 1 year of jail time for minor infractions.

A greater concern for companies would be the reputational damage that could result from a breach, or mishandling of personal information that becomes public.

Breaches have to be disclosed under certain circumstances, and the Information Regulator could instruct a company to disclose the breach in news media or via a prominent display on its web site if it is not able to identify all those affected by a breach.
A company that is able to demonstrate early adoption and compliance with the Act should enjoy a competitive advantage, and greater consumer trust.

And you never know, the Information Regulator might follow guidance from the GDPR, which advises a company not to use a processor that cannot demonstrate compliance.

Still reading? We’ve clearly captured your attention. Why not speak to us in person?

Privacy settings

Decide which cookies you want to allow. You can change these settings at any time. However, this can result in some functions no longer being available. For information on deleting the cookies, please consult your browser’s help function. Learn more about the cookies we use.

With the slider, you can enable or disable different types of cookies:

This website will:

  • Essential: Remember your cookie permission setting
  • Essential: Allow session cookies
  • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
  • Essential: Keep track of what you input in a shopping cart
  • Essential: Authenticate that you are logged into your user account
  • Essential: Remember language version you selected

This website won't:

  • Remember your login details
  • Functionality: Remember social media settings
  • Functionality: Remember selected region and country
  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions
  • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies.
  • Advertising: Gather personally identifiable information such as name and location

This website will:

  • Essential: Remember your cookie permission setting
  • Essential: Allow session cookies
  • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
  • Essential: Keep track of what you input in a shopping cart
  • Essential: Authenticate that you are logged into your user account
  • Essential: Remember language version you selected
  • Functionality: Remember social media settings
  • Functionality: Remember selected region and country

This website won't:

  • Remember your login details
  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions
  • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies.
  • Advertising: Gather personally identifiable information such as name and location

This website will:

  • Essential: Remember your cookie permission setting
  • Essential: Allow session cookies
  • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
  • Essential: Keep track of what you input in a shopping cart
  • Essential: Authenticate that you are logged into your user account
  • Essential: Remember language version you selected
  • Functionality: Remember social media settingsl Functionality: Remember selected region and country
  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions

This website won't:

  • Remember your login details
  • Advertising: Use information for tailored advertising with third parties
  • Advertising: Allow you to connect to social sites
  • Advertising: Identify device you are using
  • Advertising: Gather personally identifiable information such as name and location

This website will:

  • Essential: Remember your cookie permission setting
  • Essential: Allow session cookies
  • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
  • Essential: Keep track of what you input in a shopping cart
  • Essential: Authenticate that you are logged into your user account
  • Essential: Remember language version you selected
  • Functionality: Remember social media settingsl Functionality: Remember selected region and country
  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions
  • Advertising: Use information for tailored advertising with third parties
  • Advertising: Allow you to connect to social sitesl Advertising: Identify device you are using
  • Advertising: Gather personally identifiable information such as name and location

This website won't:

  • Remember your login details
Save & Close