In 2013, South Africa passed the Protection of Personal Information Act (POPI). The goal of the POPI Act is to protect data subjects from security breaches, theft, and discrimination. To accomplish this, it outlines eight principles that South African data processors must follow. Each principle encourages responsibility, security, and consent. It also provides special protections for distinct categories of data as well as the data of children.
POPI is shorthand for the Protection of Personal Information Act No. 4 of 2013. Signed into law on November 19, 2013, parts of the law became effective on April 11, 2014. The President proclaimed the effective date of the POPI Act to be 1 July 2020. When the Act became formal law 1 July 2020, it included a grace period of 12 months for businesses to update their systems.
In essence, POPI applies conditions for the lawful processing of personal data of South Africans (both South African citizens and those living in South Africa). It includes eight general conditions and three less descript conditions.
POPI makes responsible parties culpable for failures among those who process data on their behalf.
It also provides South Africans with rights regarding unsolicited electronic communications.
POPI differs from other privacy laws in several ways, but the biggest difference lies in consent.
POPI applies to data processors or responsible parties who are either domiciled in the Republic of South Africa or who are domiciled elsewhere but “makes use of automated or non-automated means” in South Africa.
“Automated” refers to using equipment that processes information automatically according to a data processor’s instructions.
POPI regulates your business’s use of personal information. According to the text, personal information is:
“Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”
POPI largely applies to people or groups in South Africa who process data for commercial purposes. The law cites exclusions from coverage, including:
The data also includes any processing completed for literary or artistic expression or for the purposes of journalism. POPI deems processing for these purposes to be a matter of public interest and any limits on the processing could be seen as an infringement on freedom of expression.
POPI issues its rules for using South African data in Chapter three of the Act. It refers to these rules as conditions, and they largely cover what data you collect, what you can do with the data, and how you protect both the data and the data subject.
For a full expression of the conditions, please visit: https://www.justice.gov.za/inforeg/
In line with regulatory requirements, the College has appointed Information Officers and Deputy Information Officers in all departments that collate, keep, and/or disseminate personal information of any kind for any purpose. These will be the people who will, on behalf of the college, ensure that they collate information in line with the eight (8) lawful conditions listed above, and that they safeguard this information, and ensure the safe keeping or secure destruction or de-identification of personal information, and will ensure the participation and consent of all data subjects (employees, students, and other stakeholders) when collating, using, storing or destructing/de-identifying personal information. The POPI team at the College is as follows:
As with all legislation, the College will comply with all requirements, and to this end has not only appointed this team to manage POPI, but has an overarching policy governing the collation, keeping and destruction/de-identification of information at the college. All Information and Deputy Information officers have been offered training to fully understand the POPI Act, and all employee contracts and service level agreements have been updated with clauses to ensure compliance to legislation, and informed consent of data subjects. The Registrar has updated many student forms and all departments are re-looking at their data collation and record keeping principles and policies.
The implementation of this Act will affect any social media sites the college has, and our website will ask users to consent to our privacy policy, and to read what that policy is.
The POPI Act allows for any data subject (employee, student or stakeholder) to access and see personal information that is kept about them. Your consent is needed to collate, use, and disseminate any personal information you share with any office at the college. You have the right to know how your personal information is safeguarded, and to object to the use of your personal information (which includes images). Forms have been developed, which allow you to request to see your personal information, ask how it is safeguarded, or for you to object to the use of your personal information in a specific media or format for a specific reason.
For further details or queries please contact: The Registrar – Ashwell Glasson or the Fundraising, Marketing and Media Relations Department.