What is POPI and what does it mean to your business?
Well, POPI is the short name for the “Protection of Personal Information Act No. 4 of 2013.” It is a law enacted to regulate the use and processing of personal information by “public and private bodies” – that means you, if you run any form of business that deals in any way with personal information, and given the way the act is worded it is almost impossible to think of a business that does not handle personal information in some form. Whether it is your employees’ details (name, address, bank account and so forth), your customers’ or clients’ details, or even some market research you did, it all involves the collection and processing of personal information and therefore falls under the act. The main point of the act is to enforce the customer’s right to privacy granted by section 14 of our constitution.
This act also brings South African law into harmony with similar laws enacted elsewhere in the world, such as in Europe, and therefore helps with cross-border flows of data that contain personal information.
The press have been emphasising the use of POPI against abuse of personal information for “spam” purposes, but this is only a very small part of the act.
The act defines “responsible parties” as anyone who processes personal information. If the “responsible party” (read here: your business) does not comply with the eight conditions for the lawful processing of personal information, then either a data subject (someone whose data you are processing) or the data regulator may refer a complaint, and if the responsible party is found wanting by the enforcement committee it may be subject to some harsh penalties, including jail terms and/or large (R10 million) fines.
So what are the conditions that you, the responsible party, must comply with?
1) Accountability: The responsible party must ensure all measures are complied with.
2) Processing limitation: The responsible party must process the data lawfully and in a manner that does not infringe the privacy of the data subject.
3) Purpose specification: The responsible party must only use the data for the purpose it was collected.
4) Further processing limitation: You may only use the data for the purpose for which it was collected, and not for anything else.
5) Information quality: The responsible party must take all reasonable steps to ensure the information is complete, accurate and not misleading.
6) Openness: The responsible party must maintain records of all its processing operations and have these accessible under the Promotion of Access to Information Act.
7) Security safeguards: The responsible party must ensure that the personal information is kept secure under reasonable technological standards.
8) Data subject participation: The data subject has the right to request what personal information is being held about them, and to request the correction of such information as necessary.
If this were not enough, the act goes further. Processing “special personal information,” such as religious views, philosophical beliefs, political persuasions, health, sex or biometric information, is prohibited unless specific consent is given by the data subject (or the information is already in the public realm).
If this has not made you concerned as a business owner, manager or responsible party in a business – that’s you, the people in IT and HR – then you must be pretty happy with your information security management. If not, you need to look at getting some advice on how to comply with the act and what “best practice” is in this regard. The first step here is education.