Introduction to POPIA
The Protection of Personal Information Act in a nutshell
POPIA is South Africa’s answer to a global call for the protection of information by means of which people may be identified. Like the European Union’s General Data Protection Regulation (GDPR), POPIA regulates how that information may be collected and used, in light of the potential dangers that new digital technologies may pose to our human rights and liberties – including the right to privacy. But just like any human right, the protection of privacy must be balanced with other interests and concerns. This is why POPIA does not categorically prohibit the processing of personal information, but rather establishes conditions for how this balance ought to be reasonably maintained.
4 restrictions, 8 conditions, 5 role players
POPIA introduces four restrictions for POPIA to apply, eight conditions for the lawful processing of personal information, and five role players that must see to it that these conditions are at all times complied with. To make your company POPIA compliant, people need to be appointed, procedures established, and documents compiled and (some) made publicly available.
POPIA does not protect all personal information: its application is restricted to definitions of who, what, how, and where.
POPIA applies to (1) “personal information” that is (2) “processed” in a (3) “record and filing system” in (4) “South Africa”.
1. Personal information
POPIA only applies to “personal information”. But what is personal information? POPIA gives a broad interpretation to the concept, by defining it as any information relating to an identifiable, living, natural person, or relating to an identifiable, existing, juristic person(*). Put differently, POPIA applies to any information by means of which a person or an organisation can be identified. Conversely, POPIA does not apply to information that cannot be associated with a particular person (or organisation), like anonymous statistics, or ‘de-identified’ data – personal data that has been stripped of its potential to identify the person it relates to (for example by converting a name to a random number or code name)(**). POPIA also does not apply to the personal data of deceased persons.
(*) Including juristic persons in the protection of personal information is a remarkable, if not bizarre legislative decision – most data protection regulations around the world only protect people.
(**) Let us not get into the heated debate about whether or not so-called ‘de-identified’ data can, or cannot … errr … identify persons. There is some evidence supporting the claim that so-called unidentifiable or de-identified data can be re-identified by aggregating it or linking it to other identifiable data. For example, this study found that four (unidentifiable) spatio-temporal data points are enough to uniquely identify 95% of individuals. But, again, we really don’t need to get into this, because POPIA circumvents the debate by excluding from its scope any data that cannot be re-identified in a reasonably foreseeable future. I take the liberty to assume that you, like me, have no idea what that means …
So, if you process “personal information” (remember, this can be ány information by means of which a person or an organisation can be identified), you must at all times do so in compliance with POPIA’s conditions. BUT, two additions!
- Sections 26-35 POPIA: unless you fall into a particular category and you comply with the special conditions listed in sections 26-35 POPIA, you MAY NOT process “special (sensitive) personal information” concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour of a data subject, or personal information of children (<18).
- Sections 57-59 POPIA: if you intend to process information listed in section 57 POPIA, including further processing and linking of unique identifiers, criminal behaviour, credit reporting, or transferring “special personal information” to a third party in a foreign country, you need to apply for “prior authorisation” from the Information Regulator.
“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
- (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- (b) information relating to the education or the medical, financial, criminal or employment history of the person;
- (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- (d) the biometric information of the person;
- (e) the personal opinions, views or preferences of the person;
- (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- (g) the views or opinions of another individual about the person; and
- (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
2. Processing
So far, we have established that POPIA only applies to certain kinds of information. But for POPIA to apply, we also need to look at what is done with the information: POPIA only applies if personal information is “processed”. But when are you processing personal information? Again, POPIA gives a broad interpretation to the term, and includes just about any step in the information’s life cycle: from the moment personal information is collected, stored, used, and shared, to the moment it is modified and deleted – digitally or physically, automatically or manually.
“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
- (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- (b) dissemination by means of transmission, distribution or making available in any other form; or
- (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
3. Records and filing systems
We know now that POPIA only applies to “personal information” that is “processed”. But POPIA establishes a third restriction: we must look at the circumstances within which the processing takes place.
POPIA does not apply to personal information processed for personal or household purposes, or for journalistic, literary or artistic purposes.
POPIA only applies to personal information that is entered into a record that forms part of a filing system. But what are records, and when is a system a filing system? A record can be just about any known physical format, including writing (on any material), taping, recording, labelling, drawing, and photographing (it does not include personal information you have stored in your brain ;-)). “Entering in a record” is not necessarily the same thing as “creating” – transferring existing personal information to a database, for example, is covered by the definition of “entering into a record”. That record is assumed to form part of a filing system (that is, a structured system that allows information to be easily retrieved) if it is processed automatically (e.g. by computers, software and cookies). If it is processed manually (e.g. by a receptionist), POPIA only applies if the record is intended to form part of a filing system.
3. (1) This Act applies to the processing of personal information— (a) entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof.
“Record” means any recorded information—
(a) regardless of form or medium, including any of the following:
- (i) Writing on any material;
- (ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- (iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
- (iv) book, map, plan, graph or drawing;
- (v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
Filing system means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
Automated means, for the purposes of [section 3], means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
4. South Africa
It should be clear now that POPIA only applies to the “processing” of “personal information” in “records” that form part of a “filing system”. In addition to these restrictions, POPIA adds one last – geographic – limitation: for POPIA to apply, the person or company that processes the information must be domiciled in South Africa, or make use of “means” (equipment, like servers, etc) located in South Africa, unless these means are only used to “forward” personal information.
Determining who is responsible for processing personal information is crucial at this point, because POPIA primarily depends on where this so-called “responsible party” is located – and only secondarily on where the personal information is processed. South African companies that process personal information in “the cloud” – that is, on servers stored outside of South Africa – must comply with POPIA.
3. (1) This Act applies to the processing of personal information— (b) where the responsible party is—
- (i) domiciled in the Republic; or
- (ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
In summary, whatever the size of your company, or whatever the size of your data processing operations, POPIA applies. No specific categories of data processors have been excluded. However, POPIA lists a range of general and specific exemptions.
POPIA does not apply to:-
- Information that cannot, in itself or in combination with other information, identify a person (or company), and cannot be re-identified – s6(1)(b);
- Information that identifies a deceased person (or a company that no longer exists) – (s1);
- Personal information used for personal or household purposes – s6(1)(a);
- Personal information that is required for national security or in the prevention and detection of unlawful activities – s6(1)(c);
- Personal information used solely for the purpose of journalistic, literary or artistic expression – s7(1);
- Personal information processed manually (“non-automated”) that does not form part of a filing system and is not intended to form part thereof – s3(1)(a); and
- Personal information processed by a person or company not domiciled in South Africa who does not make use of equipment (“means”) located in South Africa – s3(1)(b).
- Further reading: Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information
In addition to these general exemptions, POPIA also lists specific exemptions to one or more of its conditions – for example to its condition that personal information must always be collected directly from the person it relates to (s12), to its condition that personal information may only be retained for as long as is necessary for achieving the purpose for which it was collected (s14), or to its condition that further processing must be compatible with the purpose of collection (s15(3)).
5 Role players
POPIA introduces five role players that must see to it that its lawful conditions for processing personal information are at all times complied with.
1. Information Regulator
The Information Regulator is the national, independent body that is authorised by POPIA to encourage, monitor and enforce compliance with the provisions of POPIA and PAIA. When a complaint is submitted to, or initiated by, the Regulator, it can decide to investigate, conciliate, take no further action (s77), or refer to the Enforcement Committee – an independent judicial tribunal established to adjudicate POPIA matters. Complaints in terms of POPIA (and PAIA) may be lodged directly with the Regulator here.
2. Responsible Party
The Responsible Party (GDPR “controller”) is the person or company that determines the purpose and means for processing personal information, and is responsible and liable for compliance with POPIA. Liability may include administrative fines, criminal convictions and civil damages.
3. Information Officer
The Information Officer is defined in POPIA (and PAIA) as the head of a private body and is responsible for ongoing compliance by the Responsible Party with POPIA. One or more Deputy Information Officers may be appointed. The Information Officer’s duties and responsibilities are stated in POPIA, PAIA and related regulations and notices, and may include personal liabilities for destroying, damaging, altering, concealing, falsifying or making a false record with intent to deny a right of access in terms of PAIA, for wilfully or in a grossly negligent manner failing to make available a PAIA manual as per section 51 of PAIA or for non-compliance with an Enforcement Notice. While POPIA or PAIA say nothing about it, the Information Regulator’s Guidance Notice of 1 April 2021 states that Information Officers and Deputies must be “an employee of a private body at a level of management and above”.
4. Operator
An Operator (GDPR “processor”) is an independent contractor that processes personal information on behalf of the Responsible Party. Sections 20 and 21 of POPIA state that an operator may only act with the (written) knowledge or authorisation of the Responsible Party, and must treat personal information confidentially.
5. Data Subject
A Data Subject is the person the “personal information” relates to. Put differently, the person that may be ‘identified’ by the personal information.
POPIA is “principles-based” legislation. It tells you what to do, but it doesn’t tell you how to do it. This allows POPIA to be applied to a wide and diverse range of circumstances under the general banner of “reasonability”. Central to POPIA’s reasonability test are its eight principles for processing personal information. These principles are:-
1. Accountability
By default, the head of the company, usually the CEO, is responsible for compliance with POPIA. POPIA refers to this company as the “Responsible Party” and to the head as the “Information Officer”. The administration (but not accountability) of the responsibilities and duties of the Information Officer may be delegated to one or more Deputy Information Officers. Processing operations (but not accountability) may be outsourced to third parties (“Operators”) – independent persons or companies that process personal information on behalf of, and with the full knowledge and written authorisation of, the Responsible Party.
2. Processing Limitation
This is the “Minimality Principle”. Firstly, processing of personal information must be adequate, relevant and not excessive in relation to the (specific) purpose for which it is processed. Secondly, personal information may only be processed if the data subject has consented (and for as long as this consent is not withdrawn), when it is necessary to meet contractual obligations with the data subject, when it is imposed by law, or when it is necessary to protect a legitimate interest of the data subject, responsible party or a third party.
3. Purpose Specification
Personal information may only be collected for a specific, explicitly defined and lawful purpose, and not be retained for longer than is necessary for achieving that purpose.
4. Further Processing Limitation
Once collected, personal information must be processed (stored, used, shared, etc) in accordance and compatible with the purpose for which it was initially collected.
5. Information Quality
The processor of personal information must ensure that the information is complete, accurate, not misleading and updated.
6. Openness
Data Processors must be transparent about how they process personal information at the moment of collection, and keep a record of processing operations for the duration of the processing.
Collection – At the time of collection (or as soon as possible after) the person whose information is collected must be made aware of which information is being collected, the contact details of the processor, the purpose for which it is collected, whether the supply of the information is voluntary or mandatory, the consequences of failure to supply the information, the processor’s intention to transfer the information outside of South Africa’s borders and the level of privacy protection offered in that country, the recipients of the information, the right of access and the right to rectify the information, the right to object, and the right to lodge a complaint with the Information Regulator.
Processing – All processing activities in terms of Section 51 of PAIA must be recorded.
7. Security Safeguards
The integrity and confidentiality of personal information must be secured by means of appropriate, reasonable technical and organisational measures, to prevent loss, damage, and unauthorised access to, or destruction of information. Foreseeable risks must be identified, and safeguards implemented and updated as need be. Should there be reason to believe that personal information has been accessed by an unauthorised person, the Information Regulator and the person to whom the information relates must be notified (as per s22 POPIA) as soon as possible.
8. Data Subject Participation
A person or a company, subject to providing adequate proof of identity, may request confirmation of the fact that personal information is being processed (free of charge), request the record or a description of the information (at a fee), and request the correction of the information, in the manner prescribed by Section 53 PAIA (Form C).
POPIA’s overall objective is to give people (and organisations) control over information that may identify them, by establishing specific conditions for how this information may be processed, and institutions that monitor compliance. The bottom line is simple: POPIA requires anyone that collects and uses information by means of which a person (or organisation) may be identified to establish procedures for how this information is managed, and to appoint people that monitor these procedures and any complaints they may give rise to. However, POPIA recognises that this is necessarily a balancing act … POPIA does not prohibit the processing of personal information as such, but establishes the legal framework within which this processing must be conducted, monitored and enforced. In its enforcement of POPIA, the protection of the right to privacy must be balanced with the protection of “all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way.” (s44 POPIA)