PoPI - ready or not?
Compliance with PoPI will nonetheless be mandatory for most organisations in South Africa sooner rather than later. The Act applies to any person or organisation that keeps records relating to the personal information of anyone, unless those records are subject to other legislation that protects such information more stringently.
The aim of PoPI is to ensure that personal information is collected, managed, kept and disposed of in the prescribed manner. Personal information is kept in the form of data in databases or systems as well as in the form of documents or records.
PoPI prescribes eight conditions for the lawful processing of personal information in Section 4:
- Accountability: The responsible party must ensure that the conditions, and all other measures set out in the Act that give effect to those conditions, are complied with at the time of determining the purpose and form of the processing of personal information.
- Processing limitation: Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
- Purpose specification: Personal information may only be processed for specific, explicitly defined and legitimate reasons.
- Further processing limitation: Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
- Information quality: The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
- Openness: The data subject whose information you are collecting must be aware that you are collecting personal information and for what purpose the information will be used.
- Security safeguards: Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure.
- Data subject participation: Data subjects may request whether their personal information is being held by a particular business. They may also request the correction or amendment of their personal information, or its deletion from the business’ records.
Compliance with these conditions is required and translates into the proper management, retention and disposal of records. To achieve this compliance goal, a business should develop and adopt a structured plan or programme. This plan will have to take the form of a manual that is accessible to any person who wishes to see how your business deals with personal information.
Remember: once PoPI comes into force, all public and private persons will have one year to comply with its provisions, and there can be substantial penalties for non-compliance.