WHAT IS POPIA?
The Protection of Personal Information Act 4 of 2013 (POPIA) is the comprehensive data protection legislation enacted in South Africa. POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information.
POPIA was signed into law on 19 November 2013. However, to date, in accordance with Proclamation No. R25 of 2014, only the following sections of POPIA are currently in force:
- Section 1 of POPIA, relating to the definitions;
- Part A of Chapter 5 of POPIA, relating to the Information Regulator;
- Section 112 of POPIA, relating to the power to make regulations;
- Section 113 of POPIA, relating to the procedure for making regulations.
It remains uncertain when the commencement date of remaining provisions will be proclaimed. Section 114 provides that, once it comes into force, responsible parties will be required to comply with POPIA within a period of one year (which may be extended for an additional period not exceeding three years).
In December 2017, regulations were promulgated in terms of POPIA. While final, these regulations are not yet in force.
Promoting the lawful processing of data.
APPLICATION OF POPIA
Data protection in South Africa.
POPIA is a South African domestic law. As a general position, POPIA applies to the processing of personal information entered in a record by or for a responsible party that is domiciled in South Africa. However, POPIA may also apply to a responsible party not domiciled in South Africa where that responsible party makes use of automated or non-automated means within South Africa.
POPIA also provides for certain exclusions and exemptions, including for purely personal or household activities, for personal information that has been de-identified to the extent that it cannot be re-identified again, and for journalistic, literary or artistic purposes.
Advising on cross-border data transfers.
WHAT DOES POPIA REQUIRE?
What you need to know.
POPIA sets out eight conditions for the lawful processing of personal information:
- Condition 1: Accountability (section 8): the responsible party must ensure that the conditions for the lawful processing of personal information are complied with at the time of determining the purpose and means of the processing, and during the processing itself.
- Condition 2: Processing limitation (sections 9-12): personal information must be processed lawfully and in a reasonable manner, and only if it is adequate, relevant and not excessive given the purpose for which it is processed.
- Condition 3: Purpose specification (sections 13-14): personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party, and should not be retained for longer than is necessary to achieve that purpose.
- Condition 4: Further processing limitation (section 15): further processing of personal information should be compatible with the purpose for which it was collected.
- Condition 5: Information quality (section 16): the responsible party is required to take steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
- Condition 6: Openness (sections 17 and 18): the responsible party is required to take reasonably practicable steps to ensure that the data subject is aware of, amongst other things, what personal information is being collected, the source of the information, the purpose for which it is being collected, and the name and address of the responsible party.
- Condition 7: Security safeguards (sections 19-22): the responsible party is required to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures, having regard to generally accepted information security practices and procedures.
- Condition 8: Data subject participation (sections 23-25): a data subject has the right to request a responsible party to confirm whether personal information is held about the data subject, and to be provided with the record or a description of the information held. A data subject may further request a responsible party to correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
POPIA further sets out substantive requirements for, amongst other things, direct marketing (section 69); the use of directories (section 70); automated decision-making about data subjects (section 71); and the circumstances under which personal information may be transferred outside of South Africa (section 72).
Certain processing may only take place subject to prior authorisation from the Information Regulator (sections 57-59). This includes, for instance, where information is processed for the purposes of credit reporting, or where special personal information or personal information relating to children is being transferred to a third party in a foreign country that does not provide an adequate level of protection. It is an offence under POPIA to fail to notify the Regulator as required.
These sections of POPIA are not in force as yet.
Conducting POPIA compliance audits.
THE INFORMATION REGULATOR
Regulating data protection in South Africa.
The Information Regulator is an independent statutory body established in terms of section 39 of POPIA. It began its work on 1 December 2016. It comprises five members, with Adv Pansy Tlakula as its chair. The Information Regulator is empowered, amongst other things, to monitor and enforce compliance by public and private bodies with POPIA and with the Promotion of Access to Information Act 2 of 2000.
Advising on data protection in multiple jurisdictions.
POPIA AND THE GDPR
Data protection in Africa and Europe.
The General Data Protection Regulation (GDPR) is the binding law that will regulate data protection across the European Union from 25 May 2018. The GDPR both has extraterritorial application, and regulates the transfer of personal information to third countries outside of the EU. Practically, this may require organisations based outside the EU to ensure compliance with the GDPR if they want to do business within the EU.
While POPIA is substantially similar to the GDPR, it is not identical. Importantly, the GDPR includes certain key protections that are not contained in POPIA. These include:
- Consent: The GDPR contains stronger, clearer conditions for consent. It expressly requires that consent must be freely given, and be presented in a manner that is clearly distinguishable from other matters, in an easily accessible form, using clear and plain language.
- Right of access by data subjects: The GDPR includes enhanced access rights for data subjects, including that in circumstances where personal information is transferred to a third country outside the EU, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
- Right to erasure / right to be forgotten: The GDPR more expressly defines the ambit of the right to erasure (also known as ‘the right to be forgotten’), including the steps to be taken to give effect to the right and the balance to be taken into account with, for instance, the right to freedom of expression and information.
- Data portability: The GDPR introduces data portability, which relates to the right for a data subject to receive the personal information that they have provided in a structured, commonly used and machine-readable format, and the data subject’s right to transmit that information to another data controller.
- Privacy by design: The GDPR includes privacy by design as an express legal requirement, which requires appropriate organisational and technical measures to be implemented both at the time of the determination of the means for processing and at the time of the processing itself. These measures must be designed to implement data protection principles in an effective manner, and to integrate the necessary safeguards and protect the rights of data subjects.
Training key personnel on POPIA.
OUR POPIA SERVICES
Helping you become POPIA compliant.
ALT Advisory offers the following services:
- Compliance audits: We conduct a review of your compliance with the legal framework, identify areas of concern or risk, and propose next steps to remedy this.
- Privacy policies, notices and consent clauses: We assist with drafting and/or updating privacy policies, notices and consent clauses to meet the necessary requirements.
- Cross-border data transfers: We map your cross-border data transfers and identify the applicable regulatory frameworks that require compliance. We also assist with drafting binding corporate rules.
- Advisory services: Have a question or want to know how a particular provision affects your organisation? We can assist with guidance and comparative research to resolve your concern.
- Training: We offer in-person and online training that is tailored to suit the specific needs of your organisation. This includes train-the-trainer sessions, training for key personnel, or workshops for larger groups.