What is POPIA
POPI refers to South Africa’s Protection of Personal Information Act, which seeks to regulate the processing of personal information. It was created as a means of ensuring that companies and organisations in South Africa treat the gathering, processing, storage and distribution of an individual’s personal information in a way which protects that individual’s right to privacy. In South Africa, businesses have not been held to task over the personal information which they inevitably gain access to when an employee joins their organisation. Other businesses made a living out of pirating personal information away from those in the know as a means of making a profit by selling that private information on to those who will use it for marketing, call centres and even scams.
Private and Confidential
Organisations will soon be held accountable should they not take the relevant steps to ensure that private information is protected, that personal information is only shared in a controlled way, if legally requested by a 3rd party, and that the individual whose information is being shared is informed. It’s no longer permissible or legal to freely distribute information pertaining to another individual or legal entity, including businesses and communities. Failure to comply with this legislation will result in fines of up to R10 million and/or up to 10 years in jail for some offences.
The responsibility of the Employer
Employers need to start putting steps in place to ensure the protection of the information of their employees, customers, clients and suppliers, or risk their business. From the moment that your employee applies for a position in your organisation, you become privy to their information, which comes in the form of a CV that often includes all contact details, ID numbers, and other important details about a person’s life thus far. From that moment onward, the onus is on you to make sure that you follow the Act until the point at which that individual is no longer in your employ, at which point you are required to dispose of their information in a lawful, controlled and permanent manner, including all hard and soft copies of that information.
What to do
Do those in your organisation who have access to personal information understand the importance and risk of its protection? What measures has your company put in place to ensure that all personal information is correctly disposed of? Do you ever share personal information with clients, suppliers or other branches of your organisation without asking permission to do so and, if so, have you performed a risk analysis? Your responsibility to your employees, if not met, could cost your business dearly. Begin an audit of areas of risk now, and plan how you will ensure the protection of this information before fines are issued.