Purpose of POPI & the responsibility of the Business Owner

Category: General
Date: 22 August 2018

The purpose of the POPI Act, as defined by the Act itself, is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to information, and to regulate how personal information is processed.

The Act applies to any individual without bias and to those who are in possession of any personal information belonging to another, unless those records are subject to other legislation which protects such information more strictly. The Act sets the minimum standard regarding personal information as well as regulating the “processing” of personal information. By “processing” the Act refers to the collecting, receiving, recording, organising, retrieving or using of any such information, and the distribution or sharing of any such information.

If you are in a position where you obtain, handle and store the personal information of another individual, whether it be in terms of their employment or as suppliers or service providers, you must adhere to and implement steps to safeguard this information, by the April 2018 deadline.

Personal information is deemed to be information which identifies a person. Obvious and commonly accessible examples include cell phone numbers and email addresses, which are easy to come by and can be, and have been, shared easily. A harder-to-come-by personal detail is one’s ID number which, in an era of identity theft, is becoming more sought after and can have a disastrous effect on someone’s life should it be “lost”.

It is therefore the responsibility of the Business Owner, Employer, Legal Department, IT Department and Human Resources Department to ensure that any and all personal information is not only stored safely but also protected from being accessed by individuals who may mishandle the information or, worse, share it with ill intent.

So, with the next phase of the POPI Act’s implementation nearing, what steps need to be taken to ensure that your business does not fall foul of the Act?

As individuals who have access to and store the personal information of others, we have to identify all risks and establish and maintain safeguards against these identified risks. We have to regularly verify that the safeguards are being effectively implemented and update the safeguards in response to new risks or identified deficits in existing safeguards.

  • Anybody processing personal information must have the necessary authorisation from the individual to do so. They must also treat the personal information as entirely confidential.
  • A written contract must exist which specifically obliges the processor to maintain the information confidentially and with integrity so as to mitigate all potential risks.
  • Your staff members and employees are obliged to advise the processors of information if they believe that their information has been compromised.
  • The Information Regulator is a new regulator that has been created to monitor the protection of personal information. It should be notified of any compromise of personal information and, where possible, the identity of the unauthorised person will need to be handed over.
  • Should anyone ask who has seen or accessed their personal information, records of who accessed the information and when will need to be kept.

While you are not allowed to process personal information except by consent, there are also limited exceptions in the Act which allow personal information to be shared under special circumstances. If it is necessary by law for information to be shared, and if this can be substantiated, then personal information may be shared. Sharing is also permitted in some instances for historical, statistical or research purposes, and in situations where the information is specifically relevant and constitutes the purpose for which it is being collected, for example for the purposes of BEE, Employment Equity or insurance.

It is decidedly important that processors of personal information align their processes and procedures to safeguard the protection of personal information within their organisations. Training and education programmes will be advantageous in ensuring that those involved know their roles, rights and responsibilities regarding this highly important Act.