Kimberley Tee
THE purpose of the Protection of Personal Information Act 4 of 2013 (the POPI Act or POPIA) is to give effect to the right to privacy as enshrined in section 14 of the Constitution of the Republic of South Africa, 1996.
In a nutshell, and from a business perspective, POPIA seeks to ensure that all persons and companies that process personal information do so lawfully. By imposing this overarching obligation on businesses in particular, POPIA seeks to create a framework through which the personal information of ordinary members of the public is:
* Correct and up to date;
* Processed for a specific purpose only; and
* Protected from misuse by unauthorised persons and companies.
Implications
The implication of POPIA on companies is significant. All companies are required to, among other obligations, appoint an information officer (that is an internal enforcement official of sorts), to maintain a record of retained personal information and implement several policies in respect of the lawful processing thereof.
Furthermore, POPIA is closely associated with the Promotion of Access to Information Act 2 of 2000 (PAIA); and all companies are required to draft and give effect to a PAIA manual with specific reference to a privacy policy.
This document should be made available to general members of the public and accessible on your company’s website.
POPIA further imposes duties in regard to the company’s website. Everyone who visits your website must immediately be informed of the use of any cookies and the like and they must be afforded the opportunity to opt out of the potential collection of their data.
If there is widespread compliance with the prescriptive provisions of POPIA, the impact on ordinary members of the public is similar to its purpose – their personal information will be processed lawfully and protected against misuse.
This means that the receipt of cold calls and unsolicited marketing material, etc. should, in essence, be a thing of the past.
Recourse and Enforcement
The newly established Office of the Information Regulator (the IR) is responsible for the enforcement of POPIA and accordingly afforded widespread powers, functions and duties in this regard. In addition to the IR monitoring general POPIA compliance, any individual having knowledge of breach or non-compliance is entitled to lodge a formal complaint with the IR immediately.
Furthermore, the penalties for breach or non-compliance with POPIA are severe. The applicable penalty for serious offences is a R10 million fine and/or imprisonment (not exceeding 10 years).
In conclusion, it is important to note that merely having a manual does not automatically render your company POPIA compliant.
Compliance must be incorporated in everyday business practice.
Companies are to ensure that all risk in terms of a data breach are mitigated and further that all employees be trained in accordance with the duties prescribed by POPIA.
* Tee is an associate attorney at HJW Attorneys in Johannesburg.
* The Office of the Information Regulator can be reached be emailing inforeg@justice.gov.za