2. INTRODUCTION
• POPI (the Protection of Personal Information Act, No. 4 of 2013) was signed into law on 19 November 2013
• Commencement date of:
• section 1; Part A of Chapter 5;
• section 112; and
• section 113
was 11 April 2014
3. INTRODUCTION
• Rationale behind POPI:
• Section 14 of the Constitution – the right to privacy
• to protect personal information against misuse and abuse in the Republic of South Africa (RSA), including in the cross-border flow of information
• introducing minimum conditions for the lawful processing of personal information
• establishing an Information Regulator to perform duties in terms of POPI and PAIA (the Promotion of Access to Information Act)
• to align legislation with modern society
4. IMPORTANT DEFINITIONS
• “consent” – any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information
• “data subject” – the person to whom personal information relates
• “filing system” – any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria
• “operator” – a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party
5. IMPORTANT DEFINITIONS
• “personal information” – information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person, including but not limited to:
• Race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, disability, religion, belief, culture, language and birth
• Education, medical, financial, criminal or employment history
• Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person
• Biometric information
• Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence
6. IMPORTANT DEFINITIONS
• Views or opinions of another individual about the person
• The name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person
7. IMPORTANT DEFINITIONS
• “processing” – any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information, including:
• the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
• dissemination by means of transmission, distribution or making available in any other form
• merging, linking, as well as restriction, degradation, erasure or destruction of information
• “responsible party” – a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information
8. APPLICATION OF THE ACT
• Applies to the processing of personal information entered in a record by or for a responsible party, by automated or non-automated means, PROVIDED THAT
• when it is processed by non-automated means, it forms part of a filing system or is intended to form part of one, AND
• the responsible party is domiciled in RSA, OR
• if not domiciled in RSA, makes use of automated or non-automated means in the Republic – unless those means are used only to forward personal information through the Republic
9. CAVEATS
• If any other legislation provides conditions for the lawful processing of personal information that are more extensive than those in POPI, the more extensive conditions prevail – section 3(2)(b)
• Otherwise POPI applies to the exclusion of any provision of other legislation that regulates the processing of personal information and is materially inconsistent with an object or a specific provision of POPI – section 3(2)(a)
10. EXCLUSIONS
• Section 6 determines that POPI does not apply:
• when personal information is processed in the course of a purely personal or household activity
• when personal information has been de-identified to the extent that it cannot be re-identified again
• if a public body (or someone acting on its behalf) processes personal information for national security, the prevention, detection or investigation of offences, or judicial functions
• when personal information is processed solely for journalistic, literary or artistic expression (section 7, to the extent necessary to reconcile the right to privacy with the right to freedom of expression)
• Caveat in section 3 – more extensive protection in other legislation prevails
11. LAWFUL PROCESSING
• There are 8 conditions for lawful processing that must be complied with:
• Accountability
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Openness
• Security safeguards
• Data subject participation
12. LAWFUL PROCESSING
• Accountability
• The responsible party must ensure that the conditions, and all measures giving effect to them, are complied with at the time the purpose and means of the processing are determined and during the processing itself
• Processing limitation
• Lawfulness – processing must be lawful and reasonable and must not infringe the privacy of the data subject
• Consent, justification and objection
• Processing is justified if the data subject consents, it is necessary to conclude or perform a contract with the data subject, it complies with an obligation imposed by law, it protects a legitimate interest of the data subject, it is necessary for a public law duty of a public body, or it pursues the legitimate interests of the responsible party or a third party
• Consent may be withdrawn at any time, and the data subject may object to processing on reasonable grounds
13. LAWFUL PROCESSING
• Minimality – given the purpose for which it is processed, personal information must be:
• Adequate
• Relevant
• Not excessive
• Collection – directly from the data subject, unless an exception in section 12(2) applies (for example the information is in a public record, or the data subject consents to collection from another source)
14. LAWFUL PROCESSING
• Purpose specification
• Collection
• Must be for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party
• The data subject must be made aware of the purpose of collection
• Retention and restriction
• Records may not be kept longer than necessary to achieve the purpose, unless retention is required or authorised by law, reasonably required for a lawful purpose related to the responsible party's functions, required by contract, or consented to by the data subject
• Personal information must be destroyed, deleted or de-identified as soon as reasonably practicable after the responsible party is no longer authorised to retain it, and destruction or deletion must be done in a manner that prevents reconstruction in an intelligible form
15. LAWFUL PROCESSING
• Further processing limitation
• Further processing must be in accordance or compatible with the purpose for which the information was collected
• Further processing is not incompatible with that purpose if, for example, it is necessary to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, No. 34 of 1997 (section 15 lists the other grounds)
• Information quality
• Reasonably practicable steps must be taken to ensure that personal information is complete, accurate, not misleading and updated where necessary
• Openness
• Documentation
• Must maintain the documentation of all processing operations referred to in section 14 or 51 of PAIA
• Notification to the data subject when collecting personal information
16. LAWFUL PROCESSING
• Notify the data subject of the purpose of collecting the information, and of the name and address of the responsible party
• Whether supply is mandatory or voluntary, and the consequences of failing to provide the information
• Whether the responsible party intends to transfer the information to a third country, and the level of protection afforded there
17. LAWFUL PROCESSING
• Security Safeguards
• Must secure the integrity and confidentiality of personal information through appropriate, reasonable technical and organisational measures against loss, damage, unauthorised destruction, and unlawful access or processing
• Identify all reasonably foreseeable internal and external risks, and establish and maintain safeguards against them
• Regularly verify that the safeguards are effectively implemented, and keep them updated
• Information processed by an operator
• Only with the knowledge or authorisation of the responsible party, under a written contract
• The operator must treat the information as confidential and must notify the responsible party immediately if it has reasonable grounds to believe the information has been compromised
• Security compromises
• Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Regulator and the affected data subjects
• Notify as soon as reasonably possible after discovering the compromise
18. LAWFUL PROCESSING
• Data subject participation
• Right of access to personal information
• Right to correction or deletion of personal information
• Manner of access – in accordance with PAIA
• Prohibition on processing special personal information
• Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, and biometric information (section 26)
• Criminal behaviour, to the extent that it relates to the alleged commission of an offence or related proceedings
• Sections 27 – 33 set out the general and specific authorisations under which special personal information may nevertheless be processed
19. CROSS BORDER INFORMATION FLOW
• A responsible party may not transfer personal information to a third party in a foreign country unless:
• The third party is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection substantially similar to POPI and covers onward transfers
• The data subject consents to the transfer
• The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for pre-contractual measures taken at the data subject's request
• The transfer is necessary for the conclusion or performance of a contract, in the interest of the data subject, between the responsible party and a third party
• The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain consent, and the data subject would be likely to give it
20. COMPLAINTS
• Any person may submit a complaint to the Regulator
• It must be in writing
• The Regulator may then:
• conduct a pre-investigation
• act as a conciliator at any time during the investigation
• decide not to take any action on the complaint
• conduct a full investigation
• refer the complaint to the Enforcement Committee
• take any other action referred to in the Act
21. OFFENCES AND PENALTIES
• 2 categories
• Serious offences – a fine or imprisonment of not more than 10 years, or both
• Less serious offences – a fine or imprisonment of not more than 12 months, or both
• Administrative fines – not exceeding R10 million
22. TRANSITIONAL ARRANGEMENTS
• All processing of personal information must conform to the Act within 1 year of the commencement of section 114
• The 1 year period may be extended by the Minister for a further period not exceeding 3 years