POPIA is “principles-based” legislation. It tells you what to do, but it doesn’t tell you how to do it. This allows POPIA to be applied to a wide and diverse range of circumstances under the general banner of “reasonability”. Central to POPIA are its eight principles for processing personal information. These principles are:-
By default, the head of the company, usually the CEO, is responsible for compliance with POPIA. POPIA refers to this company as the “Responsible Party” and to the head as the “Information Officer”. The administration (but not accountability) of the responsibilities and duties of the Information Officer may be delegated to one or more Deputy Information Officers. Processing operations (but not accountability) may be outsourced to third parties (“Operators”) – independent persons or companies that process personal information on behalf, with full knowledge and authorisation in writing by the Responsible Party.
2. Processing Limitation
This is the “Minimality Principle”. Firstly, processing of personal information must be adequate, relevant and not excessive in relation to the (specific) purpose for which is it processed. Secondly, personal information may only be processed if the data subject has consented (and for as long as this consent is not withdrawn), when it is necessary to meet contractual obligations with the data subject, when it is imposed by law, or when it is necessary to protect a legitimate interest of the data subject, responsible party or a third party.
3. Purpose Specification
Personal information may only be collected for a specific, explicitly defined and lawful purpose, and not be retained for longer than is necessary for achieving that purpose.
4. Further Processing Limitation
Once collected, personal information must be processed (stored, used, shared, etc) in accordance and compatible with the purpose for which it was initially collected.
5. Information Quality
The processor of personal information must ensure that the information is complete, accurate, not misleading and updated.
Data Processors must be transparent about how they process personal information at the moment of collection, and keep record of processing operations for the duration of the processing. Collection – At the time of collection (or as soon as possible after) the person whose information is collected must be made aware of which information is being collected, the contact details of the processor, the purpose for which it is collected, whether the supply of the information is voluntary or mandatory, the consequences of failure to supply the information, the processor’s intention to transfer the information outside of South Africa’s borders and the level of privacy protection offered in that country, the recipients of the information, the right of access and the right to rectify the information, the right to object, and the right to lodge a complaint with the Information Regulator. Processing – All processing activities in terms of Section 51 of PAIA must be recorded
7. Security Safeguards
The integrity and confidentiality of personal information must be secured by means of appropriate, reasonable technical and organisational measures, to prevent loss, damage, and unauthorised access to, or destruction of information. Foreseeable risks must be identified, and safeguards implemented and updated as need be. Should there be reason to believe that personal information has been accessed by an unauthorised person, the Information Regulator and the person to whom the information relates must be notified (as per s22 POPIA) as soon as possible.
8. Data Subject Participation
A person or a company, subject to providing adequate proof of identity, may request confirmation of the fact that personal information is being processed (free of charge), request the record or a description of the information (at a fee), and request the correction of the information, in the manner prescribed by Section 53 PAIA (Form C).