Protection of Personal Information (POPIA) & the Right to Access to Information (PAIA)


Introduction to POPIA

The Protection of Personal Information Act, 2013

Enforced by the Information Regulator

POPIA regulates the ways in which people and companies use personal information about other people and companies, and gives effect to the constitutional right to privacy.

The Act aims to balance the need of the 21st century “information society” for the free flow of digital data on the one hand, with everyone’s right to control what happens with their private information on the other.

Do you manage a database with client, customer, member or patient details? A list of suppliers with contact details and personal notes? An online shop? Records about your employees, or a mailing list for email marketing? Then this is for you. Welcome to the world of POPIA. May Section 4 be with you …


POPIA introduces 5 POPIA role players and 8 conditions for lawful processing of personal information.

While in South Africa there is no constitutional right to “data protection”, there is a constitutional and human right to privacy, which POPIA seeks to uphold. However, POPIA does not protect all personal information: its application is restricted to 4 definitions of who, what, how, and where. To make your company POPIA compliant, people need to be appointed, procedures established, and documents compiled and (some) made publicly available.

It’s a balancing act … POPIA does not prohibit the processing of personal information as such, but establishes eight conditions for how this processing must be conducted, and five role players that must see to it that these conditions are at all times complied with.
  • POPIA’s overall objective is to give people control over which information is processed about them, and what is done with that information. POPIA, in other words, requires data processors to at all times take into account the perspective and interests of data subjects – a requirement that is met if the eight conditions for lawful processing of personal information are reasonably complied with.
  • In practice, it remains a balancing act. In its enforcement of POPIA’s lawful conditions for processing personal information, the Information Regulator must balance the protection of the right to privacy with the protection of “all human rights and social interests that compete with privacy.” This includes the right to access to information (PAIA) as well as the “general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way.” (s44 POPIA)


While there are some administrative and procedural requirements in terms of POPIA and PAIA, it is important to remember that these are not central to what the two Acts are trying to accomplish. What is central is their requirement to manage information in a manner respectful of the interests of data subjects and informed citizens.