What is POPIA?
POPIA (Protection of Personal Information Act) regulates the way that South African residents’ personal information is processed. Like many other global privacy regulations, POPIA was inspired by the GDPR, but it stands out by including juristic persons, or organizations, under its scope of application, and by setting both prison terms and fines for violations of its provisions.
POPIA aims to:
- promote the protection of personal information processed by public and private bodies;
- introduce certain conditions so as to establish minimum requirements for the processing of personal information;
- provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of POPIA and the Promotion of Access to Information Act;
- provide for the issuing of codes of conduct;
- provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
- regulate the flow of personal information across the borders of the Republic; and
- provide for matters connected therewith.
POPIA states that compliance involves “doing what is reasonably practicable” but does not clarify what is or is not considered reasonably practicable. This leaves certain compliance mechanisms of the law open to interpretation, and organizations should review their compliance practices and methodologies in light of this vague language.
What is Personal Information and what are other key definitions?
Under POPIA, the definition for personal information is “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person,” including
- “information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
Although the text of the law offers no actual definition for what a ‘juristic person’ is, one can infer that it has the legal meaning of “entity, such as a corporation, that is recognized as having legal personality,” as defined by Oxford Reference.
Sensitive information, called special personal information under POPIA, is, according to the text of the law, “personal information concerning—
- the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
- the criminal behavior of a data subject to the extent that such information relates to—
  - the alleged commission by a data subject of any offense; or
  - any proceedings in respect of any offense allegedly committed by a data subject or the disposal of such proceedings.”
Unlike other privacy laws, which generally define a child as someone between 13 and 16 years old, POPIA states that a child is “a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.”
The law defines a few other key concepts that are needed to understand it. One such concept is ‘processing,’ which means “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as restriction, degradation, erasure or destruction of information.”
To ‘de-identify’ personal information means “to delete any information that either identifies the data subject; can be used or manipulated by a reasonably foreseeable method to identify the data subject; or can be linked by a reasonably foreseeable method to other information that identifies the data subject.”
POPIA defines a responsible party as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.” You are considered to be a ‘private body’ if you are either “a natural person who carries or has carried on any trade, business or profession, but only in such capacity; a partnership which carries or has carried on any trade, business or profession; or any former or existing juristic person, but excludes a public body.”
POPIA defines ‘public body’ as:
- “any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
- any other functionary or institution when—
  - exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
  - exercising a public power or performing a public function in terms of any legislation.”
Last but not least, POPIA offers a definition for the concept of ‘operator,’ meaning “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.”
Who has to comply with POPIA?
POPIA applies to the processing of personal information by a public body, private body or operator that is either located in South Africa, or is not located there but uses automated or non-automated means in the Republic to process data. The exception is when the data is processed for the purpose of forwarding it through the Republic.
This means that if your organization fits into the general category of responsible party, or the more specific public body, private body, or operator, you have to comply with the regulation.
As such, the law covers any processing of personal information “entered in a record by or for a responsible party by making use of automated or non-automated means,” provided that, “when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof.”
Who is excluded from POPIA compliance?
POPIA excludes certain types of processing of personal information such as:
- processing done in the course of a purely personal or household activity;
- processing of personal information that has been de-identified to the extent that it cannot be re-identified again;
- processing done by or on behalf of a public body that either involves national security, including activities that “are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety,” or whose purpose is “the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offenses, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;”
- processing done “by the Cabinet and its committees or the Executive Council of a province;”
- processing that relates to “the judicial functions of a court referred to in section 166 of the Constitution;”
- “processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression;”
- exemptions granted by the Regulator as detailed in section 37;
- personal information processed for the purpose of discharging a relevant function as detailed in section 38.
How can I keep my organization POPIA compliant?
According to POPIA, in order to be compliant, organizations must respect 8 principles:
- Accountability - as detailed in section 8 of the law, you must ensure compliance with the law;
- Processing limitation - sections 9 to 12 detail that processing has to be lawful and minimal, consent has to be obtained and proven later on, and objection to processing has to be made available;
- Purpose specification - according to sections 13 and 14, the personal information of individuals must only be collected in connection with a specific purpose and must not be stored for longer than necessary;
- Further processing limitation - “further processing of personal information must be in accordance or compatible with the purpose for which it was collected,” as explained in section 15;
- Information quality - this is clarified by section 16, which says that as a responsible party your organization has to take “reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary”;
- Openness - this refers to being transparent, both in keeping accurate records and in informing individuals of what is collected, when and for what purpose, according to sections 17 and 18;
- Security safeguards - sections 19 to 22 explain that you must take security measures to protect the integrity and confidentiality of the personal information being processed and that, in the event of a breach, you are obliged to report it to the Information Regulator and to inform the affected individual(s);
- Data subject participation - sections 23 to 25 regulate the way individuals are given access to their personal information and the way corrections to it are carried out.
In addition to this, keep in mind that processing of special personal information is prohibited under section 26 unless one of the exceptions in sections 27 through 33 (in Chapter 3 of the law) applies, for example, if the data subject gave their consent or if processing is necessary to comply with a legal obligation. Likewise, processing of the personal information of children is prohibited unless one of the exceptions in section 35 applies.
Similar to the GDPR’s Data Protection Officer, POPIA establishes a need for an Information Officer whose responsibilities include
- “the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
- dealing with requests made to the body pursuant to this Act;
- working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
- otherwise ensuring compliance by the body with the provisions of this Act; and
- as may be prescribed.”
Once you have appointed an Information Officer, the law requires you to register them with the Information Regulator via the registration portal set up for this purpose. You are also encouraged to appoint Deputy Information Officers if the Information Officer needs support in fulfilling their responsibilities. Deputy Information Officers must be registered with the Information Regulator as well; there is no limit on the number of Deputy Information Officers you may have.
What data access rights does POPIA grant?
Section 5 of the law defines 9 rights that individuals have in connection with the processing of their personal information.
- Right to be informed: individuals have a right to be informed that personal information is being collected about them and, where that is the case, that their information has been subject to a breach.
- Right to access: individuals have the right to request access to their personal information that you hold about them.
- Right to correct: where necessary, a request can be made for the correction of personal information that is “inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.”
- Right to destroy or delete: same as above, if the personal information is “inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully” an individual can ask you to delete it, and if the information is no longer necessary for serving the initial purpose for its collection, it has to be destroyed upon request.
- Right to object (or withdraw consent): an individual can at any time withdraw consent for the processing of their personal information, or object “on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information.”
- Right to object to processing for direct marketing purposes by means of unsolicited electronic communications: individuals have a right to object to the processing of their personal information for the purposes of direct marketing via unsolicited electronic communications, defined as communications sent by “means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail.”
- Right to not be subject to decisions based on automated processing: individuals can object to being profiled, meaning they have the right “not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person.”
- Right to complain to the Information Regulator: an individual may submit a complaint to the Information Regulator “regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator.”
- Right of private action: individuals have a right “to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.”
How should your organization address data subject access requests under POPIA?
POPIA, unlike other privacy regulations, is less specific regarding timeframes for replying to data subject access requests, monetary charges that can be imposed, or informing individuals of their rights.
In the case of a request for access, individuals may submit such a request and, once they’ve provided “adequate proof of identity,” they should obtain access
- “within a reasonable time;
- at a prescribed fee, if any;
- in a reasonable manner and format; and
- in a form that is generally understandable.”
If you require the individual to pay a fee for services provided, you must give them a written estimate before providing the service and you may require them to pay a deposit for all or part of the fee.
If you refuse the request for access, you must provide the reasons for this as well.
When you receive a request for correction, deletion or destruction of personal information, you are required to perform one of the three actions, but only if the information is “inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.” Once this is done, you are required to provide proof to the individual.
For all the other requests, as well as for the ones above, the timeframe specified by the text of the law is “as soon as reasonably practicable,” with no mention of an extension. While every organization should review its internal practices to determine what it believes is reasonable, a best practice may be to model its timelines on those set out in other data privacy regulations, such as the GDPR.
Enforcement and penalties
The regulating authority for POPIA is the Information Regulator, an independent body with the power to enforce the law. According to the text of the law, the Regulator:
- “has jurisdiction throughout the Republic;
- is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favor or prejudice;
- must exercise its powers and perform its functions in accordance with this Act and the Promotion of Access to Information Act; and
- is accountable to the National Assembly.”
Any individual may submit a complaint to the Regulator if they believe that their personal information has been compromised.
Penalties range from a fine, imprisonment of up to 12 months, or both, for less serious offenses, to a fine, imprisonment of up to 10 years, or both, for serious offenses; the fine payable may not exceed 10 million Rand ($552,555 at the time of writing).
Data Subject Rights - GDPR vs. POPIA
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
POPIA:
- Right to be informed
- Right to access
- Right to correct
- Right to destroy or delete
- Right to object - withdraw consent
- Right to object to processing for direct marketing purposes by means of unsolicited electronic communications
- Right to not be subject to decisions based on automated processing
- Right to complain to the Information Regulator
- Right of private action
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.