POPI provides the regulatory framework within which organisations may process personal information and seeks to give individuals control over how their personal information is used or disclosed.
The bill defines "personal information" as all information relating to an identifiable, living natural person and where applicable, an existing juristic person - all such persons being defined as "data subjects".
The definition of "processing" is drafted widely enough to cover any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including the collection, receipt, collation, storage, updating and use of the information.
In order for the processing of personal information to be lawful, it needs to comply with the following eight conditions:
The "responsible party" (being the party that determines the purpose of and means for processing) must ensure that the conditions for processing are complied with at all times.
Processing must be lawful, done in a reasonable manner that does not infringe the privacy of the data subject and must not be excessive. Processing may only take place with the consent of the data subject, subject to certain exceptions (such as where it is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party, where it complies with an obligation placed on the responsible party by law, or where it protects a legitimate interest of the data subject). Personal information must be collected directly from the data subject, subject to certain exceptions.
Collection must be for a specific purpose and records may not be kept for any longer than is necessary for achieving the purpose for which it was collected or subsequently processed, subject to certain exceptions (for example it is required or authorised by law or the data subject has consented).
Further processing must be compatible with the purpose of collection, taking into account, amongst others, the nature of the information, the consequences for the data subject and the manner in which the information was collected.
The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
A responsible party must maintain documentation of all processing operations. When personal information is collected, the responsible party must (subject to exceptions) take reasonably practicable steps to ensure that the data subject is aware of, inter alia, the information being collected, the source, the purpose of the collection and the rights of the data subject.
Reasonable measures must be taken to identify all foreseeable internal and external risks, establish and maintain appropriate safeguards against these risks, regularly verify that the safeguards are effectively implemented and ensure they are continually updated. The responsible party must notify the Information Regulator and the data subject when the personal information of a data subject has been accessed or acquired by any unauthorised person.
The data subject has a right to request a responsible party to confirm whether or not it holds personal information about the data subject (free of charge), to request the record or a description of the personal information held, as well as the identity of third parties who have access to the information. The data subject also has the right to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
In addition to the above eight conditions of processing, POPI also deals with:
The legislation will apply to both public and private bodies, including retirement funds and administrators. There will be a transitional period of one year whereafter full compliance with the legislation will be required.
Extracts taken from the Sanlam Employee Benefits Newsletter (Legal - August 2013)