
Much has been said about POPIA – the Protection of Personal Information Act. Everywhere you go, online and physically, you are faced with forms and notices regarding POPIA. What is all the fuss about?

Well, there is more POPIA material about simply because the Act became law recently, forcing people and businesses that receive and in any way process personal information to be compliant or face the wrath of the law.

Let’s start with the why – why all the fuss?

The simple answer is to protect your personal information from being misused. This protection is required by the right to privacy in the South African Constitution. In today’s age, information, and in particular personal information, is a valuable asset that big corporates are monetizing, and yet this information is not theirs to exploit without restraint, and certainly not at the expense of your right to privacy.

What is personal information?

Personal information, by definition, means information relating to a living person such as the person’s age, sex, sexuality, nationality, religion, address, email address, telephone number, medical or financial history and biometric information.

How does POPIA “protect” your personal information?

POPIA does not so much protect as regulate the manner in which personal information is processed by a third party. Personal information can be processed for a limited number of purposes or if you give your consent.

The limited number of purposes include purposes necessitated by –

  • the carrying out of an action to which the person himself is a party – think about the attorney asking for your information when you purchase a house to register the deed in your name;
  • the carrying out of a public function – think here about the department of home affairs and the information that they collect, or applying for a driver’s licence; or
  • pursuing a right or a legitimate interest of the data subject or the person processing the information.

In other words, there must be a justification for the processing of the information, and that justification must be a lawful objective. Gone are the days of arbitrary collection and retention of personal information.

Processing is broadly defined and includes the act of collecting, recording, collating, storing, modifying, updating, retrieving, distributing or destroying.

Can personal information be kept indefinitely?

No. Personal information, once recorded, collected and stored, cannot be retained for longer than is necessary to achieve the purpose for which the information was given in the first place. Therefore, old records that are kept without justification must be destroyed or de-identified (the information can no longer be associated with a particular person).

What must the person collecting your personal information tell you?

  • its/his identity and where it/he resides;
  • the reason why the information is being collected;
  • the consequences should the information not be provided;
  • your right to object to the processing of the information; and
  • your right to ensure that the information collected is accurate and kept up-to-date.

Must the person who has your information keep it secure?

Yes, most certainly. The computer systems, on which most information is retained nowadays, must be secured against unauthorized access by employing best international practice. Stories abound about the threat of hackers hacking into an insecure banking or insurance company system and making off with personal information on the many thousands of customers of that entity.

What are my remedies should my personal information be misused?

Misuse of personal information can take many forms. For example –

  • you are subjected to a prejudicial decision based on the automated processing of your information intended to profile you (are you credit worthy? are you worth insuring?); or
  • you are subjected to harassment by direct marketers; or
  • your picture is posted on an online platform without your consent.

The Information Regulator is a State body that is created by POPIA for the purposes of, amongst other functions, enforcing the provisions of POPIA.

A person who feels that his personal information is being misused or processed outside the ambit of the law can bring a complaint in writing before the Regulator.

On receipt of the complaint, the Regulator has broad powers to investigate, apply for a search warrant, search and seize property under the warrant, make an assessment and refer the matter to an enforcement committee to enforce any finding.

However, a complaint to the Regulator will not provide monetary compensation. For that, the aggrieved person can also launch legal proceedings through a court for damages that the person suffered as a result of a breach of a provision of POPIA.