This document summarizes South Africa's Protection of Personal Information Act (POPI), which protects individuals' personal information and regulates how organizations collect, store, use, and destroy personal data. It covers what information is considered personal and special personal data. POPI applies to any organization that collects or processes South African citizens' personal information. Organizations must comply with eight data protection principles and destroy personal records securely once they are no longer needed. Non-compliance can result in fines or imprisonment.

1. Legislative Summary:
POPI Overview
Protection of Personal Information Act (POPI)
Assented to by Parliament on 19 November 2013; full act yet to be commenced
What the law covers
• Each person’s right to privacy and the
measures that must safeguard their
personal information when it is processed
by a Responsible Party
• The eight principles governing the
protection of personal information – during
it’s processing and use – against loss,
damage and its unlawful or unauthorised
access, processing and destruction
What is “personal information”
There are two categories that cover any
information relating to an identifiable, living
natural person or juristic person (companies,
for example).
Examples include, but are not limited to:
Personal information:
• Identity and/or passport numbers
• Date of birth, age and marital/
relationship status
• Phone numbers, email addresses,
physical address
• Gender, race and ethnic origin
• Photos, voice recordings, video
footage (also CCTV)
• Biometric data
• Private correspondence and
financial information
Special personal information:
• Race, religion or philosophy on life
• Political persuasion
• Trade union membership
• Health and sexual life
• Criminal behaviour
Note: POPI prohibits the processing of special
personal information, unless the data subject
has given explicit consent to do so.
What is “processing”
In broad terms, processing means anything done
with the personal information including collection,
usage, storage, dissemination, modification or
destruction – both automated or manual.
Who must adhere to the regulations
A Responsible Party:
• A public or private body
• Any other person who, alone or in
conjunction with others, determines the
purpose of and means for processing
personal information
• They must either be a resident of or
process the information in South Africa
(subject to certain exclusions)
Use of Third-party Operators
• An operator is anyone who processes
personal information on behalf of a
Responsible Party with their knowledge
and authorisation
• They must treat all personal information
as confidential and have a written
contract with the Responsible Party to
ensure that the appropriate security
safeguards are established and maintained
1 4
2
3
5
This document does not constitute a legal opinion or legal advice. Do not rely on any of the information in this document without first obtaining legal advice. © Copyright 2015

2. Offences/penalties for non-compliance
Offences include:
• Breach by a person acting on behalf
of a Responsible Party
• Obstruction of the execution of a warrant
• Failure to comply with an enforcement
or information notice
• Obstruction of the Regulator
The penalty for a conviction is imprisonment of
up to 10 years or a fine of up to R10 million.
How to comply
Adherence to the eight data protection
principles is required:
1. Accountability
2. Processing Limitation
3. Purpose Specification
4. Further Processing Limitation
5. Information Quality
6. Openness
7. Security Safeguards
8. Data Subject Participation
Compliance is monitored and enforced by
the Information Regulator. They:
• Must be notified by a Responsible Party
before personal information can be processed
• Receive complaints which they may investigate
and refer to the Enforcement Committee
• Must be informed, along with the data
subject, when reasonable grounds indicate
a breach has occurred
Secure data retention and disposal
requirements
In order to comply with principle 7 and prevent
loss or unlawful access to personal information,
Responsible Parties must:
• Identify all reasonably foreseeable internal
and external risks to personal information
in their possession or under their control
• Establish and ensure the effective
implementation of appropriate safeguards
against these risks and ensure they are
updated regularly to account for new risks
Data retention:
POPI classifies a Record as any recorded
information, regardless of form or medium,
in possession or under the control of a
Responsible Party. Examples:
• Writing on any material, including labels
• Information produced, recorded or
stored with a tape-recorder or computer
equipment and any derivative material
• A book, map, plan, graph or drawing
• A photograph, film, negative or tape
Under POPI, records of personal information:
• Must not be retained any longer than is
necessary for achieving the authorised
purpose for which it was collected or
subsequently processed
• Must be destroyed, deleted or
de-identified in a manner that prevents
its reconstruction in an intelligible form
6
7
8
This document does not constitute a legal opinion or legal advice. Do not rely on any of the information in this document without first obtaining legal advice. © Copyright 2015
How Shred-it can help:
Secure Document and Hard Drive Destruction
• Secure end-to-end chain of custody
• Certificate of Destruction after every service
• Tailored solutions to your organisation’s needs
Advice and Expertise
• Trained experts in information security
• Provide a Security Risk Assessment at your organisation
• Helpful resources available at shredit.co.za
For peace of mind,
contact Shred-it today
0861 274 733 | shredit.co.za
For more information on the Protection of Personal
Information, The Promotion of Access to Information
or the Companies Act, please visit: justice.gov.za
9