The Protection of Personal Information Act, No. 4 of 2013 (POPI) promotes the protection of personal information by public and private bodies. The POPI Act has been signed into law on 19 November and published in the Government Gazette on 26 November 2013. A proclamation was signed by the president on 11 April 2014, declaring parts of the Act is effective. This relates to the establishment of the Information Regulator. Given the fact that the POPI Act will inevitably become entirely effective, consent for collecting, processing and storing of personal information becomes essential. In order for an individual to grant consent, there needs to be a level of trust. Hence, Condition 6 in the POPI Act refers to openness.
Section 51 Manual
Many business owners are unaware of what a Section 51 manual is. This is mentioned in the Promotion of Access to Information Act (PAIA) with the aim of increasing information flows, transparency, and accountability in the public and private sector. Section 17 of the POPI Act refers to documentation. It states that the business must maintain the documentation of all information processing operations within the business which should be done in accordance with Section 14 and Section 51 of the PAIA.
Section 51 states that the head of the private body must compile a manual containing:
- The postal address, street address, phone, and fax number and, if available, an electronic mail address of the head of the body.
- A description of the business information guide and how to gain access to it.
- The latest notice, if any, regarding the categories of records of the business which are available without a person having to request access in terms of this Act.
- A description of the records of the business which are available in accordance with any other legislation.
- Sufficient detail describing the process to facilitate a request for access to a record, including a description of the subjects on which the business holds records and the categories of records held on each subject.
- Any other information that may be prescribed.
Having detailed the abovementioned, the POPI Act places a further obligation on private bodies to ensure that their Section 51 manuals are compiled and kept updated.
Section 18 of the POPI Act places an onus on businesses to notify the data subject when collecting information. Ideally, personal information should be collected for a specific purpose and businesses need to take reasonably practicable steps to inform the data subject of:
- The type of personal information being collected and where the personal information is not collected directly from the data subject, the source from which it is collected.
- The name and address of the business.
- The purpose for which the personal information is being collected.
- Whether or not the supply of the personal information by that data subject is voluntary or mandatory.
- The consequences of failure to provide personal information.
- Any particular law authorising or requiring the collection of personal information.
- Whether the business intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation.
- Any further information such as the:
- Recipient or category of recipients of the information;
- Nature or category of the information;
- The existence of the right of access to and the right to rectify the information collected;
- The existence of the right to object of the processing of personal information; and
- Right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator.
It is the responsibility of the information officer to ensure that a manual is developed, monitored and maintained. In the event that you have not drawn up a Section 51 manual, it is highly recommended that it is attended to urgently, copies are made, have them available at the business and/or on your website, make request forms available for data subjects and submit the manual to the South African Human Rights Commission. Non-compliance will lead to a fine or imprisonment.
ABOUT THE AUTHOR
Ashlin Naidoo is an admitted attorney who obtained his LLB degree from the University of KwaZulu-Natal. He worked as a professional assistant prior to joining SEESA and specialised in civil litigation. He is currently a SEESA Consumer Protection & POPI legal advisor at our Durban office.