Lize de la Harpe, Legal Adviser at Glacier by Sanlam
Introduction
After years of anticipation, the President recently announced the final implementation of the Protection of Personal Information Act, 2013 (often referred to as the “POPIA act”). In this article we recap what POPIA entails and look at the impact of its commencement.
Background
For the last seven years the media has been regularly updating the public on POPIA and what exactly it aims to achieve. In essence, POPIA gives effect to section 14 of the Constitution which provides that everyone has the right to privacy. It provides the regulatory framework within which responsible parties may process personal information of data subjects (both natural persons as well as juristic persons).
POPIA accordingly regulates, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy, subject to justifiable limitations that are aimed at protecting other rights and important interests.
Before going any further, it’s important to note a few material definitions as set out in this act:
- “Personal Information” refers to information relating to an identifiable, living natural person, and where applicable, juristic person – including information relating to the gender, sex, marital status, age, language, ID number, email address, telephone number and physical address, online identifier, etc.
- “Processing” means collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as restriction, erasure or destruction of information.
- “Responsible party” – public or private body which alone or in conjunction with others determines the purpose of and means for processing personal information.
- “Operator” – person who processes personal information for a responsible party in terms of contract or mandate, without coming under the direct authority of the responsible party.
As one can see from the above, the definition of “processing” covers basically everything a responsible party can do with personal information.
POPIA requires the responsible party to process personal information lawfully and in a manner that does not infringe on the privacy of data subjects. In order for such processing to be “lawful” it must comply with the minimum requirements as set out in Chapter 3 of POPIA (referred to as “conditions”). These conditions can be summarised as follows:
POPIA also provides for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of both this act as well as the Promotion of Access to Information Act, 2000. The Information Regulator is, amongst others, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA.
Update
POPIA was signed into law on 19 November 2013 and certain sections thereof came into force the following year. These sections included:
- the definitions section;
- Part A of Chapter 5 which deals with the Information Regulator; and
- sections 112 and 113, which empower the Minister and the Information Regulator to make regulations.
The President has now proclaimed the commencement date of POPIA to be 1 July 2020. This means that the remaining sections (with two technical exceptions) will come into effect on 1 July 2020. These sections are the critical parts of the act, such as the conditions for the lawful processing of personal information (summarised above), the regulation of the processing of special personal information, the issuing of codes of conduct by the Information Regulator as well as the procedures for dealing with complaints.
Most important to note, from a business perspective, is the commencement of section 114(1), which provides that “all processing of personal information must within one year after the commencement of the section be made to conform to this Act”. This means that all responsible parties will have until 1 July 2021 to ensure that they comply with the provisions of the act.
Conclusion
As discussed above, POPIA will come into effect on 1 July 2020 and companies will have one year within which to ensure compliance. Having said that, companies are advised not to wait until the last minute to make the necessary changes to systems and processes to ensure compliance before 1 July 2021.
Non-compliance will most certainly have dire consequences – section 107 details these penalties, which include (for serious offences) a fine or imprisonment for a period not exceeding 10 years (or both).