In South Africa, legislation specifically aimed at striking a balance between free data flow and the right to privacy includes the Promotion of Access to Information Act, No 2 of 2000, best known as “PAIA”, and the Protection of Personal Information Act, No 4 of 2013, or “POPIA”, with its Regulations of 2018.
How does this affect your business? POPIA applies to every company in South Africa that processes personal information, whether of people or of other companies (juristic persons). That ranges from storing e-mail on your computer and keeping records of employees, guests, members and customers, to sending out direct marketing messages. Both “personal information” and “processing” are defined very broadly in POPIA.
What’s the potential damage? Firstly, people value privacy, and companies that blatantly flout data protection rules stand to suffer considerable reputational damage among customers and potential customers. Secondly, a data subject, or the Information Regulator acting at a data subject’s request, may institute a civil action for damages resulting from a breach of any provision of POPIA. Thirdly, people and companies that obstruct, or fail to comply with, the Information Regulator in the performance of its duties, whether as a Responsible Party or as a witness, may be convicted of a criminal offence in a Magistrate’s Court or may be ordered by the Information Regulator to pay an administrative fine, which the Act caps at R10 million.
What action needs to be taken, and when? Procedures, documents and people need to be in place to prove your company’s compliance with POPIA. Should it ever come to a complaint or dispute, your defence will rest on evidence of these measures, systems and remedies. Action is therefore required at two levels: at your company’s office, and on your website. POPIA provides a “grace period” of one year (section 114(1)): all processing of personal information must be brought into line with the Act within one year of its commencement. The commencement date, proclaimed on 22 June 2020, was 1 July 2020, so full compliance must be in place by 30 June 2021.
May Section 4 Be With You 😉
Personal information is information by which a particular natural or juristic person can be identified, and includes race, sex, gender, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, birth, education, medical, financial, criminal or employment history, e-mail address, physical address, telephone number, location information, biometric information, personal opinions and private correspondence, and, of course, the person’s name. Section 4 of POPIA lists eight conditions for the lawful processing of such information; they are spelled out in sections 8 to 25 of the Act. These conditions are as follows.
[ Accountability ] First, the Act names who is legally responsible for protecting personal information: the responsible party, i.e. the company that decides why and how the information is processed. Now that this is clear, there’s no more passing the buck on that one.
[ Minimality ] Second, processing must be lawful and must not be excessive: only information that is adequate and relevant for the purpose may be collected, and there must be a lawful ground for collecting it. Consent from the data subject is the most obvious ground, but the Act also allows processing that is necessary to perform a contract, to comply with a legal obligation, to protect a legitimate interest of the data subject, or to pursue a legitimate interest of the responsible party or a third party. Where processing relies on consent, the scope of the processing is set and limited by that consent.
[ Purpose ] Third, the purpose of the processing must be specific, explicitly defined and lawful, and records may not be kept for longer than that purpose requires.
[ Further processing limitation ] Fourth, personal information may only be further processed if the further processing is compatible with the purpose for which it was collected; where it is not, fresh consent from the data subject (or another ground listed in section 15) is needed.
[ Data quality ] Fifth, the responsible party must take reasonable steps to keep the information complete, accurate, not misleading and up to date.
[ Openness ] Sixth, transparency! The data subject must be told when personal information about them is being collected, by whom, for what purpose, and who will receive it. Responsible parties must also keep documentation of all the processing operations under their responsibility, so that they can show at any time what is being processed and why.
[ Security ] Seventh, responsible parties must secure the integrity and confidentiality of the personal information in their control with appropriate, reasonable technical and organisational measures, and must bind any operator that processes information on their behalf to the same standard by written contract. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, both the Information Regulator and the affected data subjects must be notified as soon as reasonably possible after the compromise is discovered. (The GDPR’s “within 72 hours” applies to notifying the supervisory authority; under the GDPR, data subjects are notified “without undue delay”.)
[ Participation ] Eighth, every data subject has the right to ask whether a responsible party holds personal information about them, to obtain a copy or description of it together with the identity of the third parties who have had access to it, to request its correction or deletion, and to object to the processing. Such access requests follow the procedure set out in the responsible party’s PAIA manual.