The Protection of Personal Information Act is commonly referred to as POPI. The purpose of this Act is to ensure all South African businesses conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise the third party’s personal information in any way.
POPI legislation considers your personal information to be ‘precious goods’ and therefore aims to grant you, as the owner of your personal information, certain rights of protection and the ability to exercise control over the following:
- When and how you choose to share your information (with consent).
- The type and extent of information you choose to share (information must be collected for valid reasons).
- Transparency and accountability on how your data will be used (limited to the purpose it was collected for).
- Providing you with access to your own information, as well as the right to have your data removed and/or destroyed should you wish.
- Who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information.
- How and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised).
- The integrity and continued accuracy of your information, i.e. your information must be captured correctly and, once collected, the institution is responsible for maintaining it.
Examples of personal information for an individual will include:
- identity and/or passport number;
- date of birth and age;
- phone number/s (including mobile phone number);
- email address;
- physical address;
- race and ethnic origin;
- criminal record;
- religious or philosophical beliefs including personal and political opinions;
- employment information;
- financial information;
- educational information;
- physical and mental health information including medical history;
- blood type;
- details on your sex life; and
- membership of organisations and/or unions.
As such, the Act defines a ‘unique identifier’ to be data that “uniquely identifies that data subject in relation to that responsible party”. This would mean that a phone number on its own would not necessarily be personal information, but in combination with a name, for instance, it could be damaging.
It is important to note that the right to protection of personal information is not only applicable to a natural person (i.e. an individual) but any legal entity, including companies and communities or other legally recognised organisations. All of these entities are considered to be ‘data subjects’, and afforded the same right to protection of their information.
POPI legislation is not unique to South Africa but rather ‘borrowed’ from other countries. Ignorance of the law is no excuse not to adhere to POPI legislation and a business will therefore not be able to bypass compliance solely on the basis that they were not aware of the Act.
SEESA Consumer Protection & POPI can assist businesses with the incorporation of POPI into the day-to-day operations of the business.
ABOUT THE AUTHOR
Nidene Lourens has been a legal advisor in the SEESA Consumer & POPI department since July 2012. Through her vast knowledge gained in private practice, and sheer commitment and love of research, she has won over the trust of her clients in advising on matters relating to the Consumer Protection Act as well as new legislation in terms of the Protection of Personal Information Act.