13 Wellington Road, Parktown, Johannesburg

UNDERSTANDING POPI & ITS DEMAND FOR PERMANENT CHANGE

Article by: Aamena Sayed

The protection of one’s privacy is essential to human dignity and to the right to autonomy. It is a foundation from which many other rights in our Constitution draw, and it protects natural and juristic persons alike against arbitrary and unjustified exercises of power by the state, companies or other persons who seek to exert control over a person by virtue of holding their personal information. The need to protect privacy arises from the vulnerability and disadvantage a person or company is placed in once their personal data enters the public domain or the hands of those who should not have it.

The right to privacy in South Africa is recognized in our common law and in section 14 of the Constitution. Its recognition as a fundamental human right in the supreme law of the land signals the importance and sanctity of the right.

To further entrench and legislate this right, South Africa enacted its own privacy legislation, the Protection of Personal Information Act 4 of 2013 (POPIA, commonly referred to as POPI), which was published in the Government Gazette on 26 November 2013. The Act gives effect to the constitutional guarantee that “everyone has the right to privacy”. It ensures that the right is taken seriously by giving a data subject the right to be protected against the unlawful collection, retention, dissemination and use of their personal information.

POPI IN A NUTSHELL:

The POPI Act is South Africa’s counterpart to the European Union’s General Data Protection Regulation (GDPR). The purpose of the Act is to protect personal information by balancing the right to privacy against the need for access to information and the legitimate processing of personal information. “Processing” is defined broadly in the Act and includes the collection, receipt, recording, storage, use, dissemination, alteration, erasure and destruction of personal information.

A further underlying purpose of the Act is to ensure that South African institutions and persons conduct themselves responsibly when collecting, processing, storing and sharing another entity’s or individual’s personal information, by holding them legally accountable should they abuse or compromise that information. POPI therefore demands significant changes in the way personal information is processed if civil and criminal consequences are to be avoided.

WHO DOES THE ACT APPLY TO?

The Act applies to any natural or juristic person (the “responsible party”) who processes personal information and is domiciled in South Africa, or who is not domiciled here but uses automated or non-automated means located in South Africa to process it (section 3). The Act distinguishes the responsible party, who determines the purpose and means of processing, from the data subject, the person to whom the information relates; both may be natural or juristic persons, so companies enjoy the Act’s protection as data subjects and carry its obligations as responsible parties. Certain processing is excluded, most notably processing in the course of a purely personal or household activity (section 6). Any entity or individual who holds, in any form, personal information of another must abide by the Act, which therefore sets minimum standards for the protection of personal information already held and still to be acquired.

WHAT CONSTITUTES PERSONAL INFORMATION UNDER THE POPI ACT?

Personal information protected by the Act includes, but is not limited to:

  • Identity or passport number
  • Date of birth and age
  • Phone numbers
  • Email address
  • Online messaging identities
  • Physical address
  • Gender, race and ethnic origin
  • Photos, voice recordings, video footage
  • Marital status and family relationships
  • Criminal record
  • Private correspondence
  • Religious or philosophical beliefs including personal and political opinions
  • Employment history and salary information
  • Financial information
  • Education information
  • Physical and mental health information including medical history
  • Membership of organizations

IS POPI CURRENTLY EFFECTIVE & WHAT IS THE TIMELINE FOR COMPLIANCE?

The remaining sections of POPI came into effect on 1 July 2020. Businesses and individuals were granted a 12-month grace period to amend the policies and processes within their organizations or private spaces, so full compliance was required by the deadline of 1 July 2021. The Act is enforced by the Information Regulator, an independent body established under section 39 of the Act. Within an organization the designated Information Officer (by default the head of the body, who must be registered with the Regulator before taking up the role) is the key person responsible for ensuring compliance and will be called to account for non-compliance.

WHY IS POPI IMPORTANT FOR BUSINESS?

POPI encourages transparency and honesty about the information collected from a data subject and about how it is, and will be, processed. Following data protection law keeps your business trustworthy in the eyes of customers and business partners, because they can rely on their information being safeguarded once it passes into your organization’s possession. Failure to comply with the Act, or with customers’ expectations of compliance, can damage an organization’s reputation, with direct consequences for turnover: compliant organizations, locally and abroad, will be reluctant to partner with non-compliant companies.

In order to comply with POPI an organization must meet the eight conditions for lawful processing set out in Chapter 3 of the Act:

  • Accountability: the responsible party must ensure that all the conditions are met, and remains responsible for the safekeeping of the information from the time it is acquired, throughout processing and until its deletion, including where processing is outsourced to an operator;
  • Processing limitation: information must be processed lawfully and in a manner that does not infringe the data subject’s privacy, only the minimum information needed for the purpose may be collected, and processing must rest on a recognized justification. The data subject’s consent is the most common justification, but the Act also permits processing that is necessary to perform a contract, to comply with a legal obligation or to pursue a legitimate interest; whichever ground is relied on, the data subject must be made aware that the information is being processed and for what specified purpose;
  • Purpose specification: information may be collected only for a specific, explicitly defined and lawful purpose, and must not be retained longer than is necessary to achieve that purpose;
  • Further processing limitation: information may not be used, or passed to third parties, for a purpose incompatible with the one for which it was collected, unless the data subject consents or another exception in the Act applies;
  • Information quality: reasonable steps must be taken to ensure that the information is complete, accurate, not misleading and updated where necessary;
  • Openness: the data subject must be told what information is being collected, by whom and for what purpose, before or as soon as reasonably practicable after collection, and the responsible party must document its processing operations;
  • Security safeguards: the responsible party must identify the personal information it holds and take appropriate, reasonable technical and organizational measures to prevent loss of, damage to, unauthorized destruction of, and unlawful access to it, and must notify the Regulator and the affected data subjects when a compromise occurs;
  • Data subject participation: the data subject has the right to access their information and to have it corrected or deleted, giving them a measurable degree of influence over the processing of their own data.

WHAT HAPPENS IF YOUR ORGANIZATION DOES NOT COMPLY?

Depending on the nature of the non-compliance, sections 100 to 107 of the Act create offences punishable by a fine, imprisonment or both. The most serious offences, such as obstructing the Information Regulator or failing to comply with an enforcement notice, carry a maximum sentence of 10 years’ imprisonment; lesser offences carry up to 12 months. In addition, the Regulator may impose an administrative fine of up to R10 million under section 109, and a data subject (or the Regulator on their behalf) may claim damages from a responsible party in a civil action under section 99.

WHAT ARE THE RIGHTS OF A DATA SUBJECT?

A data subject has extensive rights over their own personal information. They are entitled to determine, or to be informed of:

  • Whether, how and when to share their information;
  • The type of information divulged, for a valid reason, and to what extent it may be shared;
  • How the information will be used, limited to the purpose for which it was collected, and to be notified if their information is compromised;
  • Access to the information, together with the right to have it corrected, removed or destroyed on request;
  • Who will have access to the information;
  • How and where the information will be stored and what measures and controls are in place to protect it from being compromised or stolen;
  • The reliability and accuracy of the information captured, with the responsible party bearing the duty to keep it accurate.

CONCLUSION:

The way in which we live and do business becomes more digital with every passing day, and our personal information is no longer as inaccessible as we think. Our core personal and professional communications, banking and shopping can all be done on digital platforms that store personal data. It is therefore important, for individuals and organizations alike, that personal information is protected by law.

The POPI Act requires an organization to establish a coherent set of policies, processes and systems that can readily identify where personal information is stored, how it is processed physically and electronically, who has access to it, and for what purpose it is required.

The benefits of complying with the Act far outweigh the adjustment period organizations and individuals must endure in order to attain compliance. Studies show that 90% of people want to do business with people who are honest, trustworthy and transparent. Controlling personal information properly is a central component of a successful business, and complying with POPI can help you do just that.
