As most of us are aware the Protection of Personal Information Act (POPI) has been around for a long time but it is eventually coming to fruition and should become law later this year. It is a new act that brings South AfricaΒ in line with international data protection laws and it enacts SA citizensβ constitutional right to privacy. It is not to be confused with the much publicised Protection of State Information Bill
It must be read with other relevant statutes such as:
- ELECTRONIC COMMUNICATIONS & TRANSACTIONS Act, Act #25 of 2002 Β (βECTβ)
- PROMOTION OF ACCESS TO INFORMATION ACT, Act #2 of 2002 (βPAIAβ)
- REGULATION OF INTERCEPTION OF COMMUNICATIONS ACT Act #70 of 2002 (βRICAβ)
- CONSUMER PROTECTION ACT Act #68 of 2008 (βCPAβ)
The foundation comprises 8 principles or standards such as accountability to βdata subjectβ participation and it applies to:
- the βprocessingβ (βcollect, disseminate or mergeβ) of
- the βpersonal informationβ (as defined e.g. race, gender, identity number, religion, education, blood type, etc )[βPIβ]
- of the data subject (individual and in some cases a juristic person)[βDSβ]
- βentered into a recordβ (βany form or medium in possession or under the control of a responsible personβ: written, electronic, photo, graph)
- by or for responsible person (βprivate [βnatural person or partnershipβ] or public bodyβ) i.e. βwho determines the purpose and means of such processingβ [βRPβ]
It does NOT apply to e.g. information that pertains to a personal or purely household matter
It is certainly not a βtoothless tigerβ and offences include hindering, obstructing or unlawfully influencing the Information Protection Regulator (βIPRβ) and contravening confidentiality – penalties for non-compliance are as follows: Offenders can be fined up to R10 million and imprisoned for between 12 months and 10 years.
This is the first in a series of article explaining POPI.
