The POPI Act promotes transparency about what information is collected and how it is to be processed. Openness increases customer trust in the organisation. POPI compliance involves capturing the minimum required data, ensuring its accuracy, and removing data that is no longer required. These measures should improve the overall efficiency and reliability of the organisation’s databases. Less data also means less storage / archiving cost and a smaller scale of exposure in the event of a breach (the safest data is that which you don’t unnecessarily store in the first place).
Compliance demands identifying Personal Information and taking reasonable measures to protect the data. This will minimise the risk of data breaches and the associated public relations and legal ramifications for the organisation.
Non-compliance with the Act could expose the Responsible Party (NTCSA) to a penalty of a fine and / or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and / or imprisonment of up to 10 years. (Section 107, Penalties)
POPIA states that personal information may only be processed if the data subject consents, unless the individual already has a contract in place with the organisation and the processing of their personal information is required in terms of that contract, or where there is a reason in law for collecting or processing the personal information.
Consent must be:
- Voluntary, i.e. the data subject must have an active choice, and consent should not be made a condition of using a product, service, etc. This means cookie walls are not permissible under POPIA.
- Specific, i.e. consent should be taken for a specific purpose and cannot be vague or ambiguous. POPIA states that the “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”. For instance, if consent is required for sending marketing emails, take explicit consent for only that purpose.
- Informed, i.e. the data subject should be made aware upfront of what they are consenting to and how their data will be processed.
Personal information is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” This information about a person includes, but is not limited to:
- Name and age
- Race
- Gender/sexual orientation
- Marital status
- National, ethnic, or social origin
- Religion, beliefs, or culture
- Language
- Educational, medical, financial, criminal, or employment history
- ID number
- Email address, contact number
- Physical address
- Location
- Photo, video, voice recordings
- Biometric information
- Personal opinions, views or preferences
- The views or opinions of another individual about the person
Special personal information of a data subject is:
- The religious or philosophical beliefs, race, ethnic origin, trade union membership, political persuasion, health, sex life or biometric information of a data subject; or
- The criminal behaviour of a data subject to the extent that such information relates to:
  - the alleged commission by a data subject of any offence; or
  - any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Processing means any activity concerning personal information, e.g.:
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of information
- Dissemination by means of transmission, distribution or making available in any other form
- Merging, linking, restriction, degradation, erasure or destruction of information
In practical terms, a responsible party must:
- only collect information that it needs for a specific purpose
- apply reasonable security measures to protect it
- ensure it is relevant and up to date
- only hold as much as it needs, and only for as long as it needs it
- allow the data subject of the information to see it upon request
Key roles defined in POPIA:
- Data Subject: the person to whom the information relates
- Responsible Party: a private or public body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information
- Operator: a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party
- Regulator: the Information Regulator established by POPIA
What are the principles of data processing in POPIA?