POPI refers to South Africa’s Protection of Personal Information Act, which seeks to regulate the Processing of Personal Information.
Personal Information broadly means any information relating to an identifiable, living natural person or juristic person (companies, CCs, etc.) and includes, but is not limited to:
- contact details: email, telephone, address etc.
- demographic information: age, sex, race, birth date, ethnicity etc.
- history: employment, financial, educational, criminal, medical history
- biometric information: blood type etc.
- opinions of and about the person
- private correspondence
Processing means broadly anything done with the Personal Information, including collection, usage, storage, dissemination, modification or destruction (whether such processing is automated or not).
Some of the obligations under POPI are to:
- only collect information that you need for a specific purpose
- apply reasonable security measures to protect it
- ensure it is relevant and up to date
- only hold as much as you need, and only for as long as you need it
- allow the subject of the information to see it upon request
The Act was signed into law in November 2013. We are now awaiting a commencement date for the Act. After the commencement date, a compliance grace period of 1 year will exist, which may be extended to a maximum of 3 years.
Accountability for compliance rests with a Responsible Party, meaning a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. Generally, the Responsible Party must be resident in South Africa, or the processing should occur within South Africa (subject to certain exclusions).