The Protection of Personal Information Act (POPIA) is comprehensive data protection legislation enacted in South Africa in 2013. The act aims to regulate how personal information is processed and to ensure that data subjects’ rights are protected. POPIA is essential because it provides a legal framework for safeguarding personal information and sets out the rights and obligations of responsible parties and data subjects.
This article provides an overview of POPIA, its key definitions, scope, lawful processing of personal information, rights of affected data subjects, obligations of responsible parties, sensitive personal information, direct marketing, processing of children’s personal information, biometric data, special personal information, and data protection officers.
To understand POPIA, it is vital to first understand its key definitions. These definitions include:
Personal information: This refers to information relating to an identifiable, living, natural person or juristic person, including but not limited to contact details, identity numbers, financial information, and employment history.
Data subject: This refers to the person to whom the personal information relates.
Responsible party: This refers to a public or private body or any other person who processes personal information for a specific purpose.
Information officer: This refers to the person designated by the responsible party to ensure compliance with POPIA.
Data processor: This refers to any person who processes personal information on behalf of a responsible party.
Regulator: This refers to the Information Regulator established under POPIA.
Scope of POPIA
POPIA applies to all processing of personal information by a responsible party. It also applies to the processing of personal information outside of South Africa if the processing of such information is done in connection with the activities of a responsible party in South Africa.
There are, however, certain exclusions. For example, POPIA does not apply to personal information processed for journalistic, literary, or artistic purposes, or to sensitive data used for research purposes where the personal information has been de-identified. POPIA also does not apply to personal information that individuals process for their own personal or household activities.
POPIA regulates the processing of personal information, meaning any operation or activity, or any set of operations, concerning personal information or its further processing, whether or not by automatic means. These processing operations include collecting, storing, using, and destroying personal information.
Lawful processing of personal information
Under POPIA, personal information may only be processed if it is done lawfully and for a specific purpose. POPIA provides for several lawful processing grounds, including:
Consent: Personal information may be processed if the data subject has given consent to the processing.
Contractual necessity: Personal information may be processed if necessary for the performance of a contract to which the data subject is a party.
Legal obligations: Personal information may be processed if it is necessary for compliance with a legal obligation to which the responsible party is subject.
Legitimate interests: Personal information may be processed if it is necessary for the legitimate interests pursued by the responsible party or by a third party to whom the information is supplied.
Public interest: Personal information may be processed if it is necessary for the proper performance of a public law duty by a public body or for pursuing the legitimate interests of the public body or a third party to whom the information is supplied.
It is important to note that the processing of personal information must be limited to what is necessary for the purpose for which it is being processed.
Rights of data subjects
POPIA provides several rights to data subjects, including:
Access to personal information: Data subjects have the right to request access to their personal information held by a responsible party.
Correction of personal information: Data subjects have the right to request that their personal information be corrected by a responsible party.
Deletion of personal information: Data subjects have the right to request that their personal information be deleted by a responsible party.
Objection to processing of personal information: Data subjects have the right to object to the processing of their personal information by a responsible party.
Data portability: Data subjects have the right to request that their personal information be transferred to another responsible party.
Restriction of processing: Data subjects have the right to request that the processing of their personal information be restricted by a responsible party.
Obligations of responsible parties
Responsible parties are required to comply with certain obligations under POPIA, including:
Accountability: Responsible parties are required to ensure that they comply with POPIA and that they have sufficient measures in place to protect personal information.
Security measures: Responsible parties are required to implement appropriate technical and organizational measures to ensure the security of personal information.
Information quality: Responsible parties are required to ensure that personal information is accurate, complete, and up-to-date.
Data breaches: Responsible parties are required to report data breaches to the regulator and data subjects where there is a risk of harm.
Data processing agreements: Responsible parties are required to enter into data processing agreements with data processors.
Data transfers: Responsible parties are required to ensure that any personal information transferred outside of South Africa is adequately protected.
Sensitive personal information
Sensitive personal information is given special protection under POPIA. This includes information relating to a person’s race, ethnicity, political opinions, religious beliefs, trade union membership, sexual orientation, mental health, or criminal behavior.
Definition of sensitive personal information
Sensitive personal information is defined as information about the private or confidential nature of a data subject’s:
Race, ethnicity, or national origin
Political opinions, affiliation, or membership in a political party or trade union
Religious or philosophical beliefs
Health or medical history
Sex life or sexual orientation
Biometric information, such as fingerprints or facial recognition data
Sensitive personal information may only be processed if:
The data subject has given explicit consent to the processing;
The processing is necessary for the establishment, exercise, or defense of a right or obligation in law;
The processing is necessary to comply with an obligation imposed by law on the responsible party;
The processing is necessary for reasons of public interest; or
The processing is necessary for the purposes of medical treatment or diagnosis, subject to certain conditions.
Direct marketing
POPIA provides specific rules regarding direct marketing. Direct marketing is defined as any form of communication by means of electronic mail, automatic calling machines, fax machines, short message service (SMS), or multimedia messaging service (MMS) for the purpose of promoting or offering to supply goods or services.
Consent: Direct marketing may only be sent to a data subject if they have given prior consent, or if they are an existing customer and the marketing relates to similar goods or services.
Opt-Out: All direct marketing communications must include an opt-out mechanism, such as an unsubscribe link or a reply mechanism.
Practical implications
POPIA has practical implications for all responsible parties that process personal information in South Africa. Responsible parties must ensure that they comply with the provisions of POPIA and implement appropriate measures to protect personal information. This may include:
Conducting a risk assessment: Responsible parties should conduct a risk assessment to identify potential risks to the confidentiality, integrity, and availability of personal information. This may include conducting a vulnerability assessment, implementing access controls, and encrypting personal information.
Implementing security measures: Responsible parties should implement appropriate technical and organizational security measures to protect personal information from unauthorized access, disclosure, or destruction. This may include implementing firewalls, anti-virus software, and intrusion detection systems.
Developing policies and procedures: Responsible parties should establish policies and procedures for the processing of personal information, including policies for data subject participation, data breaches, and lawful processing.
Providing training: Responsible parties should provide training to their employees and contractors on the requirements of POPIA and on how to protect personal information.
Appointing a data protection officer: Responsible parties that process a large amount of personal information or that process sensitive personal information may be required to appoint a data protection officer (DPO).
Data protection officer
As mentioned above, responsible parties may be required to appoint a data protection officer (DPO) if they process a large amount of personal information or process sensitive personal information.
Role of the DPO
The role of the DPO is to ensure that the data controller or responsible party complies with POPIA and its regulations, and to act as a point of contact between the responsible party, data subjects, and the regulator.
Qualifications of the DPO
The DPO must have the necessary knowledge of, and practical experience with, data protection law and practices, and must be able to perform their duties independently.
Enforcement and penalties
POPIA is enforced by the Information Regulator, which has the power to investigate complaints and impose penalties for non-compliance.
Complaints: Data subjects may lodge complaints with the regulator regarding the processing of their personal information.
Penalties: The regulator may impose fines of up to ZAR 10 million or 10% of the responsible party’s annual turnover, whichever is greater.
Criminal offenses: Certain offenses under POPIA are also criminal offenses and may result in fines and imprisonment.
The Protection of Personal Information Act is important legislation that provides a comprehensive framework for protecting personal information in South Africa. It places significant obligations on responsible parties to protect personal information and provides data subjects with certain rights concerning their personal information.
POPIA is enforced by the Information Regulator, which has the power to investigate complaints and impose penalties for non-compliance. Responsible parties should ensure that they comply with the provisions of POPIA and implement appropriate measures to protect personal information from data breaches. By doing so, they can help to build trust with their customers and stakeholders and protect their reputation and brand.