POPIA
Protection of Personal Information Act, No 4 of 2013 (POPI ACT)
- Purpose: To give effect to the constitutional right to privacy (s14 of the Constitution) by safeguarding personal information when it is processed by a responsible party, whether a public or a private body, subject to justifiable limitations.
- Purpose: To regulate the manner in which personal information may be processed; to give effect to rights and remedies regarding the protection of personal information; and to establish an Information Regulator.
- Application (s3): The Act applies to the processing of personal information entered in a record by or for a responsible party, by automated or non-automated means. It applies where the responsible party is domiciled in the Republic, or is not domiciled in the Republic but makes use of automated or non-automated means situated in the Republic, unless those means are used only to forward personal information through the Republic.
- Lawful processing of personal information (ss10 to 11): Minimality; consent, justification and objection. Personal information must be adequate, relevant and not excessive for the purpose, and may be processed only on a ground listed in s11(1): the data subject consents; the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; it is necessary to comply with a legal obligation; it protects a legitimate interest of the data subject; it is necessary for the proper performance of a public law duty; or it is necessary to pursue the legitimate interests of the responsible party or a third party to whom the information is supplied.
- Lawful processing of personal information: The data subject may withdraw consent at any time, and may object, in the prescribed manner, to the processing of personal information on reasonable grounds relating to their particular situation (unless legislation provides for such processing), and may in any event object to processing for purposes of direct marketing. Direct marketing by means of unsolicited electronic communication is governed separately by s69 (read s11(3) with s69).
- Collection directly from the data subject (s12): Personal information must be collected directly from the data subject, unless the information is contained in or derived from a public record or has deliberately been made public by the data subject, the data subject (or a competent person, where the data subject is a child) has consented to collection from another source, or another exception in s12(2) applies.
- Collection for a specific purpose (s13): Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The data subject must be made aware of the purpose of collection in keeping with s18, unless one of the grounds for non-compliance in s18(4) applies.
- Retention and restriction of records (s14): Records of personal information must not be retained longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless retention is required or authorised by law or by a contract between the parties, the data subject consents, or the record is kept for historical, statistical or research purposes, in which case appropriate safeguards must be established against the record being used for any other purpose.
- Retention and restriction of records: Where a responsible party has used a record to make a decision about the data subject, it must retain the record for the period required or prescribed by law or a code of conduct or, if none, for a period that gives the data subject a reasonable opportunity to request access to it. Once the responsible party is no longer authorised to retain the record, it must destroy, delete or de-identify it as soon as reasonably practicable, in a manner that prevents its reconstruction in an intelligible form.
- Further processing limitation (s15): Further processing of personal information must be in accordance with, or compatible with, the purpose for which it was collected. To assess compatibility, the responsible party must take account of the relationship between the purpose of the intended further processing and the purpose of collection, the nature of the information concerned, the consequences of the further processing for the data subject, the manner in which the information was collected, and any contractual rights and obligations between the parties.
- Further processing limitation: Further processing is not incompatible with the purpose of collection where the data subject (or a competent person, for a child) has consented; the information is available in or derived from a public record or has deliberately been made public by the data subject; the processing is necessary to avoid prejudice to the maintenance of the law by a public body (including the prevention, detection, investigation, prosecution and punishment of offences), to enforce legislation concerning the collection of revenue (for example by SARS), or for the conduct of proceedings; it is necessary to prevent or mitigate a serious and imminent threat to public health or safety or to the life or health of the data subject or another individual; or the Regulator has granted an exemption under s37.
- Information quality (s16): A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the information was collected or further processed.
- Openness, documentation (s17): A responsible party must maintain documentation of all processing operations under its responsibility, as referred to in s14 or s51 of the Promotion of Access to Information Act (PAIA), which require a manual describing, among other things, the categories of records held and how access to them may be obtained.
- Openness, notification of the data subject (s18): When collecting personal information, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of the information being collected, the source of the information where it is not collected from the data subject, the name and address of the responsible party, the purpose of collection, and the other matters listed in s18(1).
- Security safeguards (s19): A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
- Security safeguards: To do so the responsible party must identify all reasonably foreseeable internal and external risks to the personal information, establish and maintain appropriate safeguards against those risks, regularly verify that the safeguards are effectively implemented, and update them in response to new risks or identified deficiencies. It must have due regard to generally accepted information security practices and procedures, including applicable industry-specific or professional rules and regulations.
- Data subject participation (ss23 to 24): A data subject has the right, on proof of identity, to request confirmation of whether a responsible party holds personal information about them and to be given access to the record or a description of it. A data subject may also request the responsible party to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, and to destroy or delete a record that the responsible party is no longer authorised to retain in terms of s14.
- Processing of special personal information (ss26 to 33): Unless the data subject consents, one of the general grounds in s27 applies (for example the processing is necessary to establish, exercise or defend a right or obligation in law, or is for historical, statistical or research purposes serving a public interest), or a specific authorisation in ss28 to 33 applies, a responsible party may not process personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of a data subject, or the criminal behaviour of a data subject.
- Exemption from the conditions for processing personal information (ss37 to 38): The Regulator may, by notice in the Gazette, authorise a responsible party to process personal information even where the processing breaches a condition, if the processing is in the public interest (as detailed in s37, including the interests of national security and the prevention, detection and prosecution of offences) or involves a clear benefit to the data subject or a third party that substantially outweighs the interference with the data subject's privacy. A further exemption under s38 covers processing that is necessary for the performance of a "relevant function", meaning a function conferred on a person by law or performed by a public body with a view to protecting members of the public against dishonesty, malpractice or similar conduct.
- Information Regulator (s39): The Act establishes an independent Information Regulator, subject only to the Constitution and the law, and accountable to the National Assembly. The Regulator monitors and enforces compliance with the Act by public and private bodies, promotes awareness and understanding of the conditions for lawful processing, and facilitates education and training on the Act.