POPIA introduces four restrictions for POPIA to apply, eight conditions for the lawful processing of personal information, and five role players that must see to it that these conditions are at all times complied with. To make your company POPIA compliant, people need to be appointed, procedures established, and documents compiled and (some) made publicly available.
POPIA applies to (1) “personal information” that is (2) “processed” in a (3) “record and filing system” in (4) “South Africa”.
POPIA only applies to “personal information”. But what is personal information? POPIA gives a broad interpretation to the concept, by defining it as any information relating to an identifiable, living, natural person, or relating to an identifiable, existing, juristic person(*). Put differently, POPIA applies to any information by means of which a person or an organisation can be identified. Conversely, POPIA does not apply to information that cannot be associated with a particular person (or organisation), like anonymous statistics, or ‘de-identified’ data – personal data that has been stripped of its potential to identify the person it relates to (for example by converting a name to a random number or code name)(**). POPIA also does not apply to the personal data of deceased persons.
(**) Let us not get into the heated debate about whether or not so-called ‘de-identified’ data can, or cannot … errr … identify persons. There is some evidence supporting the claim that so-called unidentifiable or de-identified data can be re-identified by aggregating it or linking it to other identifiable data. For example, this study found that four (unidentifiable) spatio-temporal data points are enough to uniquely identify 95% of individuals. But, again, we really don’t need to get into this, because POPIA circumvents the debate by excluding from its scope any data that cannot be re-identified in a reasonably foreseeable future. I take the liberty to assume that you, like me, have no idea what that means …
So, if you process “personal information” (remember, this can be ány information by means of which a person or an organisation can be identified), you must at all times do so in compliance with POPIA’s conditions. BUT, two additions!
So far, we have established that POPIA only applies to certain kinds of information. But for POPIA to apply, we also need to look at what is done with the information: POPIA only applies if personal information is “processed”. But when are you processing personal information? Again, POPIA gives a broad interpretation to the term, and includes just about any step in the information’s life cycle: from the moment personal information is collected, stored, used, and shared, to the moment it is modified and deleted – digitally or physically, automatically or manually.
We know now that POPIA only applies to “personal information” that is “processed”. But POPIA establishes a third restriction: we must look at the circumstances within which the processing takes place.
POPIA only applies to personal information that is entered into a record that forms part of a filing system. But what are records, and when is a system a filing system? A record can be just about any known physical format, including writing (on any material), taping, recording, labelling, drawing, and photographing (it does not include personal information you have stored in your brain ;-) ). “Entering in a record” is not necessarily the same thing as “creating” – transferring existing personal information to a database, for example, is covered by the definition of “entering into a record”. That record is assumed to form part of a filing system (that is, a structured system from which information can easily be retrieved) if it is processed automatically (e.g. by computers, software and cookies). If it is processed manually (e.g. by a receptionist), POPIA only applies if the record is intended to form part of a filing system.
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
Filing system means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
Automated means, for the purposes of [section 3], means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
It should be clear now that POPIA only applies to the “processing” of “personal information” in “records” that form part of a “filing system”. In addition to these restrictions, POPIA adds one last – geographic – limitation: for POPIA to apply, the person or company that processes the information must be domiciled in South Africa, or make use of “means” (equipment, like servers, etc) located in South Africa, unless these means are only used to “forward” personal information.
Determining who is responsible for processing personal information is crucial at this point, because POPIA primarily depends on where this so-called “responsible party” is located – and only secondarily on where the personal information is processed. South African companies that process personal information in “the cloud” – that is, on servers located outside of South Africa – must comply with POPIA.
POPIA does not apply to:-
The Information Regulator is the national, independent body that is authorised by POPIA to encourage, monitor and enforce compliance with the provisions of POPIA and PAIA. When a complaint is submitted to, or initiated by, the Regulator, it can decide to investigate, conciliate, take no further action (s77), or refer it to the Enforcement Committee – an independent judicial tribunal established to adjudicate POPIA matters. Complaints in terms of POPIA (and PAIA) may be lodged directly with the Regulator here.
The Responsible Party (GDPR “controller”) is the person or company that determines the purpose and means for processing personal information, and is responsible and liable for compliance with POPIA. Liability may include administrative fines, criminal convictions and civil damages.
The Information Officer is defined in POPIA (and PAIA) as the head of a private body and is responsible for ongoing compliance by the Responsible Party with POPIA. One or more Deputy Information Officers may be appointed. The Information Officer’s duties and responsibilities are stated in POPIA, PAIA and related regulations and notices, and may include personal liability for destroying, damaging, altering, concealing, falsifying or making a false record with intent to deny a right of access in terms of PAIA, for wilfully or in a grossly negligent manner failing to make available a PAIA manual as per section 51 of PAIA, or for non-compliance with an Enforcement Notice. While neither POPIA nor PAIA says anything about it, the Information Regulator’s Guidance Notice of 1 April 2021 states that Information Officers and Deputies must be “an employee of a private body at a level of management and above”.
An Operator (GDPR “processor”) is an independent contractor that processes personal information on behalf of the Responsible Party. Sections 20 and 21 of POPIA state that an operator may only act with the (written) knowledge or authorisation of the Responsible Party, and must treat personal information confidentially.
A Data Subject is the person the “personal information” relates to. Put differently, the person that may be ‘identified’ by the personal information.
By default, the head of the company, usually the CEO, is responsible for compliance with POPIA. POPIA refers to this company as the “Responsible Party” and to the head as the “Information Officer”. The administration (but not accountability) of the responsibilities and duties of the Information Officer may be delegated to one or more Deputy Information Officers. Processing operations (but not accountability) may be outsourced to third parties (“Operators”) – independent persons or companies that process personal information on behalf of, and with the full knowledge and written authorisation of, the Responsible Party.
This is the “Minimality Principle”. Firstly, processing of personal information must be adequate, relevant and not excessive in relation to the (specific) purpose for which it is processed. Secondly, personal information may only be processed if the data subject has consented (and for as long as this consent is not withdrawn), when it is necessary to meet contractual obligations with the data subject, when it is imposed by law, or when it is necessary to protect a legitimate interest of the data subject, the responsible party or a third party.
Personal information may only be collected for a specific, explicitly defined and lawful purpose, and not be retained for longer than is necessary for achieving that purpose.
Once collected, personal information must be processed (stored, used, shared, etc) in accordance and compatible with the purpose for which it was initially collected.
The processor of personal information must ensure that the information is complete, accurate, not misleading and updated.
Data Processors must be transparent about how they process personal information at the moment of collection, and keep a record of processing operations for the duration of the processing.
Collection – At the time of collection (or as soon as possible afterwards) the person whose information is collected must be made aware of: which information is being collected; the contact details of the processor; the purpose for which it is collected; whether the supply of the information is voluntary or mandatory; the consequences of failure to supply the information; the processor’s intention to transfer the information outside of South Africa’s borders and the level of privacy protection offered in that country; the recipients of the information; the right of access and the right to rectify the information; the right to object; and the right to lodge a complaint with the Information Regulator.
Processing – All processing activities in terms of Section 51 of PAIA must be recorded.
The integrity and confidentiality of personal information must be secured by means of appropriate, reasonable technical and organisational measures, to prevent loss of, damage to, unauthorised access to, or destruction of information. Foreseeable risks must be identified, and safeguards implemented and updated as needed. Should there be reason to believe that personal information has been accessed by an unauthorised person, the Information Regulator and the person to whom the information relates must be notified (as per s22 POPIA) as soon as possible.
A person or a company, subject to providing adequate proof of identity, may request confirmation of the fact that personal information is being processed (free of charge), request the record or a description of the information (at a fee), and request the correction of the information, in the manner prescribed by Section 53 PAIA (Form C).
POPIA’s overall objective is to give people (and organisations) control over information that may identify them, by establishing specific conditions for how this information may be processed, and institutions that monitor compliance. The bottom line is simple: POPIA requires anyone that collects and uses information by means of which a person (or organisation) may be identified to establish procedures for how this information is managed, and to appoint people that monitor these procedures and any complaints they may give rise to. However, POPIA recognises that this is necessarily a balancing act … POPIA does not prohibit the processing of personal information as such, but establishes the legal framework within which this processing must be conducted, monitored and enforced. In its enforcement of POPIA, the protection of the right to privacy must be balanced with the protection of “all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way.” (s44 POPIA)