PoPI refers to South Africa’s Protection of Personal Information Act which seeks to regulate the Processing of Personal Information.
The Purpose

The PoPI Act has been put in place to ensure that all South Africans conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information, holding them accountable should they abuse or compromise your personal information. The PoPI Act basically considers your personal information to be precious, and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over:

· When and how you share your information
· The type and extent of information you share
· Transparency and accountability on how your data will be used
· Being notified if your data is compromised
· Providing you with access to your own information
· The right to have your data removed and destroyed should you so wish
· Who can access your information
· How and where your information is stored
· The integrity and continued accuracy of your information

Personal Information broadly means any information relating to an identifiable, living natural person or juristic person such as companies and close corporations, and includes, but is not limited to:

· Contact details: email, telephone, address etc.
· Demographic information: age, sex, race, birth date, ethnicity etc.
· History: employment, financial, educational, criminal, medical history
· Biometric information: blood type etc.
· Opinions of and about the person
· Private correspondence etc.

Note, though, that some personal information, on its own, does not necessarily allow a third party to confirm or infer someone's identity to the extent that this information can be used or abused for other purposes. The combination of someone's name and phone number and/or email address, for example, is a lot more significant than just a name or phone number on its own. As such, the Act defines a "unique identifier" to be data that "uniquely identifies that data subject in relation to that responsible party".
Some of the obligations under PoPI are to:

· only collect information that you need for a specific purpose
· apply reasonable security measures to protect it
· ensure it is relevant and up to date
· only hold as much as you need, and only for as long as you need it
· allow the subject of the information to see it upon request

Does PoPI apply to me?

Accountability for compliance rests with a responsible party, which means a public or private body or any other person that, alone or in conjunction with others, determines the purpose of and means for processing personal information. The responsible party must be a resident of South Africa or the processing should occur within South Africa.

Why should I comply with PoPI?

PoPI promotes transparency with regard to what information is collected and how it is to be processed. This openness is likely to increase customer confidence in the organisation.

PoPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. These measures are likely to improve the overall reliability of the organisation's databases.

Compliance demands identifying personal information and taking reasonable measures to protect the data. This will likely reduce the risk of data breaches and the associated public relations and legal ramifications for the organisation.

Non-compliance with the Act could expose the responsible party to a penalty of a fine and/or imprisonment of up to 12 months. In certain cases the penalty for non-compliance could be a fine and/or imprisonment of up to 10 years.