POPIA does not prohibit the processing of personal information as such, but establishes the legal framework within which this processing must be conducted, monitored and enforced. In its enforcement of POPIA, the Information Regulator must balance the protection of the right to privacy with the protection of “all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way.” (s44 POPIA)
POPIA introduces four conditions for POPIA to apply, eight conditions for the lawful processing of personal information, and five role players that must see to it that these conditions are at all times complied with. To make your company POPIA compliant, people need to be appointed, procedures established, and documents compiled and (some) made publicly available.
POPIA applies to (1) “personal information” that is (2) “processed” in a (3) “record or filing system” in (4) “South Africa”.
POPIA gives a broad interpretation to “personal information”, and defines it in its Section 1 as information relating to an identifiable, living, natural person, or relating to an identifiable, existing juristic person. It follows that POPIA does not apply to the personal information of deceased persons, or to personal information that has been ‘de-identified’ (in other words, when one is no longer able to identify a person by means of the information, eg. by converting a name to a random number).
So, if you process “personal information”, you must at all times do this compliant with POPIA’s conditions. BUT, two additions!
Processing gets an equally broad interpretation in Section 1 of POPIA. As soon as you get near information about a person, it is safe to assume that you are “processing” it. Or for those who prefer more formal definitions: processing is any operation or activity or any set of operations, concerning personal information, whether digital or physical, automatic or manual.
POPIA, in other words, applies to the ‘full life-cycle’ of personal information: from its creation, collection, storage, usage, transfer and amendment to its destruction.
POPIA supports the concept of ‘privacy by design’ – data processors need to respect privacy from the very first step in the life-cycle of personal information, to the very last.
POPIA only applies to personal information that has been “entered in a record” – which can be just about any known format, including writing (on any material), taping, recording, labelling, drawing, and photographing. Don’t worry, this does not include personal information you have stored in your brain – you are still free to process your own memories, even those that contain very personal information about other people 😉 “Entering in a record” is not necessarily the same thing as “creating” – transferring existing personal information to a database, for example, is covered by the definition of “entering into a record”.
POPIA makes a further distinction between “automated” and “non-automated” means of entering a record. Only in the case of non-automated entering does POPIA require that the information forms part (or is intended to form part) of a structured “filing system” (some kind of list, record or database).
POPIA does not apply to personal information collected for personal or household purposes, or for journalistic, literary or artistic purposes.
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
Filing system means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
Automated means, for the purposes of [section 3], means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
For POPIA to apply, the Responsible Party (the person or company that determines the purpose and means for processing, see below) must be domiciled in South Africa, or make use of “means” (equipment, like servers, etc) located in South Africa, unless those means are only used to “forward” personal information. Remember: processing information in “the cloud”, on servers stored outside of South Africa, does not discharge you of the need to comply with POPIA.
The Information Regulator is the national, independent body that is empowered by POPIA to encourage, monitor and enforce compliance by Responsible Parties with the provisions of POPIA and PAIA. When a complaint is submitted to, or initiated by, the Regulator, it can decide to investigate, conciliate, take no further action (s77), or refer to the Enforcement Committee – an independent judicial tribunal established to adjudicate POPIA matters (a bit like the CCMA for labour disputes).
The Responsible Party (GDPR “controller”) is the person or company that determines the purpose and means for processing personal information, and is responsible and liable for compliance with POPIA and PAIA. Liability may include administrative fines, criminal convictions and civil damages.
Because there is some overlap between POPIA and PAIA (the “Promotion of Access to Information Act”), I will be mentioning both regulations here. The Information Officer is defined in POPIA and PAIA as the head of a private body and is responsible for ongoing compliance by the Responsible Party with POPIA and PAIA. One or more Deputy Information Officers may be appointed. The Information Officer’s duties and responsibilities are stated in POPIA and PAIA and related regulations and notices, and may include personal liabilities for destroying, damaging, altering, concealing, falsifying or making a false record with intent to deny a right of access in terms of PAIA, for wilfully or in a grossly negligent manner failing to make available a PAIA manual as per section 51 of PAIA or for non-compliance with an Enforcement Notice. While POPIA or PAIA say nothing about it, the Information Regulator’s Guidance Notice of 1 April 2021 states that Information Officers and Deputies must be “an employee of a private body at a level of management and above”.
An Operator (GDPR “processor”) is an independent contractor that processes personal information on behalf of the Responsible Party. Section 20 and 21 of POPIA state that an operator may only act with the (written) knowledge or authorisation of the Responsible Party, and must treat personal information confidentially.
A Data Subject is the person the “personal information” relates to. Put differently, the person that may be ‘identified’ by the personal information.
By default, the head of the company, usually the CEO, is responsible for compliance with POPIA. POPIA refers to this company as the “Responsible Party” and to the head as the “Information Officer”. The administration (but not accountability) of the responsibilities and duties of the Information Officer may be delegated to one or more Deputy Information Officers. Processing operations (but not accountability) may be outsourced to third parties (“Operators”) – independent persons or companies that process personal information on behalf, with full knowledge and authorisation in writing by the Responsible Party.
This is the “Minimality Principle”. Firstly, processing of personal information must be adequate, relevant and not excessive in relation to the (specific) purpose for which is it processed. Secondly, personal information may only be processed if the data subject has consented (and for as long as this consent is not withdrawn), when it is necessary to meet contractual obligations with the data subject, when it is imposed by law, or when it is necessary to protect a legitimate interest of the data subject, responsible party or a third party.
Personal information may only be collected for a specific, explicitly defined and lawful purpose, and not be retained for longer than is necessary for achieving that purpose.
Once collected, personal information must be processed (stored, used, shared, etc) in accordance and compatible with the purpose for which it was initially collected.
The processor of personal information must ensure that the information is complete, accurate, not misleading and updated.
Data Processors must be transparent about how they process personal information at the moment of collection, and keep record of processing operations for the duration of the processing. Collection – At the time of collection (or as soon as possible after) the person whose information is collected must be made aware of which information is being collected, the contact details of the processor, the purpose for which it is collected, whether the supply of the information is voluntary or mandatory, the consequences of failure to supply the information, the processor’s intention to transfer the information outside of South Africa’s borders and the level of privacy protection offered in that country, the recipients of the information, the right of access and the right to rectify the information, the right to object, and the right to lodge a complaint with the Information Regulator. Processing – All processing activities in terms of Section 51 of PAIA must be recorded
The integrity and confidentiality of personal information must be secured by means of appropriate, reasonable technical and organisational measures, to prevent loss, damage, and unauthorised access to, or destruction of information. Foreseeable risks must be identified, and safeguards implemented and updated as need be. Should there be reason to believe that personal information has been accessed by an unauthorised person, the Information Regulator and the person to whom the information relates must be notified (as per s22 POPIA) as soon as possible.
A person or a company, subject to providing adequate proof of identity, may request confirmation of the fact that personal information is being processed (free of charge), request the record or a description of the information (at a fee), and request the correction of the information, in the manner prescribed by Section 53 PAIA (Form C).