The Protection of Personal Information Act 4 of 2013 (POPI) is legislation that was introduced to encourage the protection of personal information which is processed by both public and private bodies. Due to the wide definition of ‘personal information’, the commencement of POPI will have far reaching implications for responsible parties. All businesses are required to comply with the provisions as set out in POPI.
Purpose of POPI?
The purpose of the POPI Act, as defined by the Act itself, is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to information, and to regulate how personal information is processed.
POPI therefore seeks to ensure that all South African institutions are responsible in the way in which they collect, process, store, and share another person or entity’s personal information. It further seeks to protect data subjects from security breaches, theft, and discrimination.
When does POPI come into effect?
Important sections of POPI came into effect on 21 July 2020, however there will be a one-year transitional period after the commencement date for all companies to comply with its provisions. Employers will, therefore, bear increased liability for the conduct of their employees with effect from 21 July 2021.
SOME STEPS EMPLOYERS CAN TAKE TO COMPLY WITH POPI
OBTAIN CONSENT AND SPECIFY WHAT THE DATA IS GOING TO BE USED FOR
People whose personal information has been collected are entitled to an explanation of the personal information, to request information regarding who will receive their personal information, and to request that their personal information be amended or deleted. Processing of personal information must be for historical, statistical or research purposes and the information must have deliberately been made public by the data subject.
Employers must note that the collection of personal employee information does not entitle the employer to make free and unlimited use of it. Employers should obtain the consent of their employees before processing their personal information. Consent must be voluntary, informed and specific.
POPI sets out that special personal information may only be processed when:
- consent is obtained; or
- where the processing is necessary for the establishment, exercise or defence of a right or obligation in law.
Employers may therefore be statutorily obliged to process personal information of employees by legislation such as the Basic Conditions of Employment Act, 1997, the Employment Equity Act, 1998, and the Occupational Health and Safety Act and may do so without the consent of the employee.
IMPLEMENT POLICIES AND PROCEDURES FOR PROCESSING INFORMATION
Employers must implement, develop and monitor specific policies and processes to protect personal information in the workplace and ensure POPI compliance. An employer may, depending on the business, adopt a single and overarching policy document, or a variety of policies that operate collectively to govern the protection of personal information in the workplace.
Examples of polices employers may adopt include:
- Communications Policy;
- Protection of Personal Information Policy;
- Data Protection Policy;
- Data Retention Policy;
- Information Technology Security Policy; or
- CCTV Policy.
It is important that employers provide their employees with adequate training to ensure that they are aware of and understand the policies and procedures implemented in respect of the protection of their personal information in the workplace.
IMPLEMENT SECURITY MEASURES TO PROTECT DATA
Employers must ensure that the integrity and confidentiality of the personal information in its possession is secured. They are therefore required to implement appropriate technical and organisational measures to secure the integrity and confidentiality of any personal information in their control.
This requires employers to identify potential risks, establish safeguards against identified risks, and regularly update these safeguards to prevent breaches. Personal data must be collected and stored in a secure manner to ensure that it is not lost. As the responsible party the employer is also required to notify the Regulator and affected data subject of any data breaches.
Employers should ensure that all third parties appointed to process special information on the employer’s behalf sign a written contract specifying their compliance with the required security measures.
APPOINT AN INFORMATION OFFICER
POPI requires employers to appoint an Information Officer and, if necessary, Deputy Information Officer. The Information Officer will bear the responsibility of ensuring compliance with the condition for the lawful processing of personal information and other relevant provisions of POPI, deal with requests made in terms of POPI and work with the Information Regulator in relation to investigations.
What happens if I fail to comply with the POPI Act?
Penalties for failing to comply with the POPI Act include prosecution, with a possible prison term of up to 10 years, a fine of up to 10 million Rands and the institution of civil action by the Information Regulator on behalf of the data subject.
Employers must also be aware that employees have the right to submit a complaint to the Information Regulator and to institute civil proceedings in respect of an alleged interference with the protection of their personal information.
It is important to note that the implementation of a comprehensive POPI compliance plan can take up to 6 months to finalise. It is therefore advised that if you have not already started working on your plan – now is the time!
Contact our marketing manager and training co-ordinator, Leslie Catt-Ambrosi at leslie@caf.co.za., should you require any assistance in ensuring that your real estate company is POPI compliant.
by Andi Hoole
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE).