In South Africa, businesses and organisations are obligated to collect a large quantity of information on their clients in order to comply with FICA (Financial Intelligence Centre Act, 38 of 2001), should they be accountable institutions in terms of FICA. Personal information is also collected within the general course and scope of business processes. These processes and systems have been significantly influenced by the implementation of the POPI Act and the data privacy requirements it sets out.
What is the POPI Act?
The Protection of Personal Information Act (POPI/POPIA) is South Africa’s primary legislation on data privacy and management. The POPI Act is designed to regulate and limit how the personal information of both natural and juristic persons (referred to in the Act as data subjects) is collected, processed, stored, shared, and destroyed by and for businesses and entities (both private and public bodies). The Act was enacted to promote, protect and fulfill individuals’ fundamental human right to privacy, constitutionally entrenched in the South African Bill of Rights, as well as to facilitate responsible access to information for both the private and public sector. The Act holds businesses, and parties that process personal information on behalf of businesses, accountable for how they process personal information, in line with international privacy law standards. The party who decides why and how to process personal information (the responsible party/controller) is responsible for complying with the conditions of the Act. The Act compels responsible parties to implement stringent security safeguards and controls to ensure all personal information is protected against unlawful activities and unauthorised access, for example money laundering, identity theft and discrimination, and outlines how information may be accessed, retained, and decimated.
The Collection/Processing of Personal Information:
The processing of personal information refers to all aspects of the collection, usage, storage, dissemination, modification, or destruction of personal information. As stipulated in the Act, the collection and processing of personal information should always be lawful, reasonable, relevant, and moderate. The processing of personal information should be carried out for a specific and explicitly defined purpose relating to the data collector’s activity or function, and the information should not be retained for any longer than is absolutely necessary for achieving that purpose. Additionally, the record of personal information should be destroyed or deleted as soon as reasonably practicable, provided this does not come into conflict with existing law or a code of conduct. Personal information must be collected directly from the data subject and should be a complete, accurate, and up-to-date representation of information.
What constitutes Personal Information?
Personal information, as defined in the Act, includes information relating to an identifiable, living, natural person (the data subject), and where it is applicable, an identifiable, existing juristic person (companies, CC’s etc.), including, but not limited to—
What is the Commencement Date?
Although enacted in 2013, the President of South Africa issued a Proclamation regarding the commencement of certain sections of POPIA to be 1 July 2020, and allowed a one-year grace period for businesses to comply and implement the necessary systems and procedures, which ended 30 June 2021.
What are the Penalties of Non-Compliance for Responsible Parties?
The risks of non-compliance include reputational damage, loss of clients and employees, fines of between R1 million and R10 million, and imprisonment of one to ten years, as well as paying out compensation claims to data subjects for the damages they have suffered.
What are the Rights of the Data Subject:
The data subject is fully within his/her rights; To be notified when personal information about them is being collected, the source of the information, the purpose for which the information is collected and any law authorising the required collection (e.g. FICA), and to be notified if their personal information has been accessed or acquired by an unauthorised person (for example, in a data hack or breach).