As most of us are aware, the Protection of Personal Information Act (POPI) has been around for a long time, but it is finally coming to fruition and should become law later this year. It is a new act that brings South Africa in line with international data protection laws, and it enacts SA citizens’ constitutional right to privacy. It is not to be confused with the much publicised Protection of State Information Bill.
It must be read with other relevant statutes such as:
- ELECTRONIC COMMUNICATIONS & TRANSACTIONS Act, Act #25 of 2002 (‘ECT’)
- PROMOTION OF ACCESS TO INFORMATION ACT, Act #2 of 2002 (‘PAIA’)
- REGULATION OF INTERCEPTION OF COMMUNICATIONS ACT, Act #70 of 2002 (‘RICA’)
- CONSUMER PROTECTION ACT, Act #68 of 2008 (‘CPA’)
The foundation comprises 8 principles or standards, ranging from accountability to ‘data subject’ participation, and it applies to:
- the ‘processing’ (‘collect, disseminate or merge’) of
- the ‘personal information’ (as defined, e.g. race, gender, identity number, religion, education, blood type, etc.) [‘PI’]
- of the data subject (individual and in some cases a juristic person) [‘DS’]
- ‘entered into a record’ (‘any form or medium in possession or under the control of a responsible person’: written, electronic, photo, graph)
- by or for a responsible person (‘private [‘natural person or partnership’] or public body’), i.e. ‘who determines the purpose and means of such processing’ [‘RP’]
It does NOT apply to, e.g., information that pertains to a personal or purely household matter.
It is certainly not a ‘toothless tiger’: offences include hindering, obstructing or unlawfully influencing the Information Protection Regulator (‘IPR’) and contravening confidentiality. Penalties for non-compliance are as follows: offenders can be fined up to R10 million and imprisoned for between 12 months and 10 years.
This is the first in a series of articles explaining POPI.