The Protection of Personal Information (POPI) Act

In 2013, South Africa passed the Protection of Personal Information Act (POPI). The goal of the POPI Act is to protect data subjects from security breaches, theft, and discrimination. To accomplish this, it outlines eight principles that South African data processors must follow. Each principle encourages responsibility, security, and consent. It also provides special protections for distinct categories of data as well as the data of children.

What is POPI?

POPI is shorthand for the Protection of Personal Information Act No. 4 of 2013. Signed into law on November 19, 2013, parts of the law became effective on April 11, 2014. The President proclaimed the effective date of the POPI Act to be 1 July 2020. When the Act became formal law on 1 July 2020, it included a grace period of 12 months for businesses to update their systems.

In essence, POPI applies conditions for the lawful processing of personal data of South Africans (both South African citizens and those living in South Africa). It includes eight general conditions and three less descript conditions.

POPI makes responsible parties culpable for failures among those who process data on their behalf.

It also provides South Africans with rights regarding unsolicited electronic communications.

POPI differs from other privacy laws in several ways, but the biggest difference lies in consent.

Who Does POPI Apply to?

POPI applies to data processors or responsible parties who are either domiciled in the Republic of South Africa or who are domiciled elsewhere but “makes use of automated or non-automated means” in South Africa.

“Automated” refers to using equipment that processes information automatically according to a data processor’s instructions.

POPI regulates your business’s use of personal information. According to the text, personal information is:

“Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”

Who is Exempt from POPI?

POPI largely applies to people or groups in South Africa who process data for commercial purposes. The law cites exclusions from coverage, including:

  • Data processed for personal reasons
  • Data that is de-identified and cannot be reinstated
  • Data processed by (or for) a public body relating to national security, law enforcement, or the justice system
  • Data processed by a province’s Cabinet and committees or Executive Council

The exclusions also cover any processing completed for literary or artistic expression or for the purposes of journalism. POPI deems processing for these purposes to be a matter of public interest, and any limits on the processing could be seen as an infringement on freedom of expression.

The POPI Act’s Eight Conditions for Lawful Processing

POPI issues its rules for using South African data in Chapter three of the Act. It refers to these rules as conditions, and they largely cover what data you collect, what you can do with the data, and how you protect both the data and the data subject.

POPI sets out eight conditions for lawful processing:
  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security safeguards
  8. Data subject participation

For a full expression of the conditions, please visit: https://www.justice.gov.za/inforeg/

 

What does this mean for the College?

In line with regulatory requirements, the College has appointed Information Officers and Deputy Information Officers in all departments that collate, keep, and/or disseminate personal information of any kind for any purpose. On behalf of the College, these officers will ensure that information is collated in line with the eight (8) lawful conditions listed above, that it is safeguarded, and that personal information is kept safely or securely destroyed or de-identified. They will also ensure the participation and consent of all data subjects (employees, students, and other stakeholders) when personal information is collated, used, stored, or destroyed/de-identified. The POPI team at the College is as follows:

  • Junior Bookkeeper Creditors – Deputy Information Officer – dealing with all debtors, creditors and service provider details
  • Payroll Administrator – Deputy Information Officer – deals with personal information of employees and Board Members
  • Corporate Governance consultant – Deputy Information Officer – deals with personal information of Board Members and board regulated committee members
  • HR Business Partner/ HR – Information Officer – deals with personal information relating to employment and all issues associated with employment, as well as with Service Provider information. Collates biometric information on employees and/or their families for the security gate system. Overall governance of POPI Act at the College
  • IT Manager – Deputy Information Officer – deals with all the personal information stored as data and electronic records and the safe-keeping of such
  • Registrar – Information Officer – deals with all personal information relating to students and the organisations they come from
  • Head: Quality Management – Deputy Information Officer – deals with all personal information relating to students and the organisations they come from, and staff information in relation to quality management processes and access to personal information during these
  • Marketing, Fundraising and Media Relations Manager – Information Officer: External Processing of Information – the department that deals with the external propagation of personal information in the media. Deals with information about employees, stakeholders, students and service providers.
  • Researcher: Research and Development – Deputy Information Officer – deals with information pertaining to researchers, research assistants and research projects
  • Operations Manager – Information Officer – deals with information pertaining to students, visitors, stakeholders, and clients in respect of all bookings, biometrics for gate access, and contractor information

As with all legislation, the College will comply with all requirements, and to this end has not only appointed this team to manage POPI, but has an overarching policy governing the collation, keeping and destruction/de-identification of information at the College. All Information Officers and Deputy Information Officers have been offered training to fully understand the POPI Act, and all employee contracts and service level agreements have been updated with clauses to ensure compliance with legislation and the informed consent of data subjects. The Registrar has updated many student forms, and all departments are re-looking at their data collation and record keeping principles and policies.

The implementation of this Act will affect any social media sites the College has, and our website will ask users to consent to our privacy policy, and to read what that policy is.

What does this mean for YOU?

The POPI Act allows any data subject (employee, student or stakeholder) to access and see personal information that is kept about them. Your consent is needed to collate, use, and disseminate any personal information you share with any office at the College. You have the right to know how your personal information is safeguarded, and to object to the use of your personal information (which includes images). Forms have been developed which allow you to request to see your personal information, ask how it is safeguarded, or object to the use of your personal information in a specific medium or format for a specific reason.

For further details or queries please contact: The Registrar – Ashwell Glasson or the Fundraising, Marketing and Media Relations Department.