What is POPI: The Protection of Personal Information (POPI) Act 2013 explained
In simple terms, the purpose of the POPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and disposing of another entity’s personal information, by holding them accountable should they abuse or compromise your personal information in any way. The POPI legislation demands that your personal information be treated as “precious goods”.
Examples of “personal information” for an individual could include:
- Identity and/or passport number
- Date of birth and age
- Phone number/s (including mobile phone number)
- Email address/es
- Online/Instant messaging identifiers
- Physical address
- Gender, Race and Ethnic origin
- Photos, voice recordings, video footage (also CCTV), biometric data
- Marital/Relationship status and Family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information including medical history, blood type, details on your sex life
- Membership of organisations/unions
Why should I, or my company, comply with POPI?
POPI promotes transparency with regard to what information is collected and how it is to be disposed of. Openness increases customer trust in the organisation.
Compliance demands identifying Personal Information and taking reasonable measures to protect the data. This will minimise the risk of data breaches and the associated public relations and legal ramifications for the organisation.
Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and/or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and/or imprisonment of up to 10 years.
Does POPI really apply to my company?
Here are cases where POPI does not apply. Exclusions include:
- Purely household or personal activity
- Sufficiently de-identified information
- Some state functions including criminal prosecutions, national security etc.
- Journalism under a code of ethics
- Judiciary functions etc.
When will POPI affect me?
We anticipate that the POPI commencement date will be early in 2017, but no later than 24 May 2017. Bear in mind that there is a one-year grace period that could be used by the Information Regulator to begin the work. We currently anticipate that you will have to comply with POPI from early in 2018 as the Information Regulator will start enforcing POPI by then.