Understanding the Protection of Personal Information Act

29 April 2021 | Leigh-Anne Harrison

With only 2 months to go until compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) is required, now is the time for organisations, which include community schemes, companies, partnerships, close corporations and government departments, to take action and ready themselves for 1 July 2021. However, the question on everyone’s lips is: what action do I need to take in order to be compliant?

To answer this question, let’s first look at the key terms that POPIA sets out and what they mean.

What is the purpose of POPIA?

POPIA was enacted to promote and protect an individual’s right to privacy as enshrined in the Constitution of South Africa, 1996. This includes the protection against the unlawful collection, use, disclosure and destruction of one’s personal information.

Who does POPIA apply to?

POPIA applies to any person or organisation that processes personal information. Where the Act applies, that person or organisation is now legislatively required to implement and maintain reasonable, commercially acceptable security procedures in order to protect the personal information from breaches of confidentiality, unauthorised access, destruction, use, modification or disclosure.

What is processing?

Processing is defined as any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination or distribution and the erasure or destruction of personal information.

Almost all persons and organisations conduct some form of processing of personal information, whether it be for purposes of communication or the provision of services.

What is Personal Information?

Personal information can be defined as any information that relates to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person. The scope of personal information is extremely wide and includes everything from information relating to a person’s race, gender, age, disabilities and religion, to any identifying number, e-mail address, physical address, telephone number or other particular assignment to the person, as well as the personal opinions, views or preferences of a person. Personal information also includes correspondence sent by a person of a private nature and the biometric information of a person.

Now that we have established who POPIA applies to and how it applies, the next step is for an organisation to commence with the action that it needs to take to become compliant.

  1. Training

    Knowledge is power. Having a high-level awareness and understanding of POPIA is crucial in helping an organisation decide what their next steps should be. It is advisable that a person consult with a suitably qualified professional to assist them in achieving POPI compliance before 30 June 2021.

  2. Develop a POPIA compliance framework to guide compliance

    A person or organisation must develop and maintain a POPIA compliance manual or framework which must state the following:

    How personal information is collected;

    What personal information is collected;

    How personal information is stored;

    Who has access to the personal information processed;

    How personal information is maintained; and

    How personal information is destroyed.

  3. Appoint an Information Officer

    An Information Officer is someone who is responsible for ensuring compliance with POPIA.

    Persons appointed as Information Officers are responsible for encouraging and ensuring compliance with the conditions imposed by POPIA when processing personal information. They are also responsible for maintaining a compliance framework as mentioned in paragraph two above.

    An organisation is also responsible for ensuring that an Information Officer receives the appropriate training and keeps abreast of all the latest developments in terms of POPIA and other data privacy regulations.

  4. Don’t Panic!

    There is no shortage of people selling offerings related to POPIA: workshops, conferences, tech solutions, programmes and online courses. How does one cut through the noise? TVDM Consultants have done the hard work and put in the hours needed to uncover what an organisation requires for compliance with POPIA.

Contact us on info@tvdmconsultants.com or 061 536 3138 for assistance with training and consulting to determine the specific needs for yourself or your organisation.

About the Author: Leigh-Anne Harrison (LLB Stellenbosch) is a Portfolio Manager at RPA Property Administrators.
