The Protection of Personal Information (POPI) Act 4 of 2013 was signed into law by President Zuma on 26 November 2013. Since then there has been little development in relation to the commencement date of the POPI Act, save for certain provisions relating to the establishment of the Information Regulator (IR) which was brought into force on 11 April 2014. Parliament has convened workshops to determine the role of the IR. However, hopes that the commencement date would be set in the latter half of 2016 have been in vain as we see the year on its way out.
Nonetheless, there has been some positive progress in October 2016 as the Presidency announced the appointment of Pansy Tlakula as the official chairperson and fulltime member of the IR along with other officials to run the regulator, effective 1 December 2016. It is fair to expect the promulgation of regulations and the commencement date to be announced in the near future.
Once the commencement date is stated, South Africa will have an Information Regulator to police and enforce the POPI Act. While this may seem alarming to Corporate South Africa, there will be a 12 months ‘grace period’ where organisations will not be held liable for non-compliance. The implications for those who have not already started preparing for the new era of POPI compliance will have to revisit how business is carried on and, in particular, how information is handled.
The scope of the imminent POPI Act is far reaching, traversing many sectors and businesses. Ultimately, POPI represents a paradigm shift regulating how Corporate South Africa receives, handles and shares personal information of their clients/consumers. Personal information includes identity numbers, physical addresses, email addresses and biometric information among others.
One of the fundamental objects of POPI is purpose specification which means that organisations are only allowed to collect information for a specific purpose which will in turn underpin how that information is stored and disposed of. Information must be kept up to date and must be disposed of when no longer necessary. POPI envisages that there will be an information officer who will be responsible to establish procedures and set up the necessary parameters to monitor the handling of information.
While the core objective of POPI is ensuring the right to privacy is respected by most, the POPI Act symbolises a progressive move for South Africa in keeping abreast with international standards. The intrinsic values in becoming compliant with POPI are vital to any developing organisation and it is hoped that Corporate South Africa will embrace the change instead of treating it as a hurdle.
ABOUT THE AUTHOR
Shamon Gounden obtained his B.Soc.Sci (Law), LLB and LLM (Labour Law) degrees from the University of the Kwa-Zulu Natal. He is SEESA Consumer Protection & POPI Legal Advisor.