In today’s modern communication age, instant pervasive connectivity is the defining feature. We are all electronically connected – clients, suppliers, colleagues, business leads, family and friends. We’re never far from an electronic device that puts us in touch with people we know and with those we don’t. These devices carry an incredible volume of data traffic essential to us and a piece of legislation is about to revolutionise the way South African businesses deal with, process and transfer the data that runs on their information networks.
Many organisations are only vaguely aware of the impending promulgation of this groundbreaking piece of corporate legislation. Up until now, electronic data has only been covered by the Electronic Communications Act. The purpose of the Protection of Private Information Act is to give effect to the constitutional right to privacy, by safeguarding personal information.
There are very few businesses in South Africa that will NOT be impacted by POPI.
POPI Act applies to:
- Any public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information (“responsible party”); and
- Any person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party.
The POPI Act tightens up technology legislation in South Africa and focuses companies on taking responsibility for the responsible stewardship of data.
It also attaches stiff penalties/sanctions to those who are not compliant;
- Fine or imprisonment not exceeding 10 years or both (for obstructing Regulator).
- Fine or imprisonment not exceeding 12 months or both (for a breach of the duty of confidentiality, obstruction of a warrant, false statement by the responsible party in purported compliance with information notice).
- Or a fine not exceeding R1 million or imprisonment not exceeding 10 years or both (for unlawful acts by responsible parties or third parties in connection with the unique identifier, failure to attend or produce evidence properly before Regulator or Enforcement Committee).
This leaves organisations with a limited window of opportunity to safeguard themselves and put defences in place to secure not only their data but themselves against harsh sentences and financial penalties.
Practical steps to be implemented:
- The business will need to assess when, where, how and for what purposes they obtained personal information.
- They need to assess if this information was received with the consent or if it was a purchased database, or if it was a public record.
- The purpose of processing needs to be specific, explicitly defined and legitimate.
A QUICK “HOW TO COMPLY” CHECKLIST:
This short checklist will help you to start to comply with the Protection of Personal Information Act (POPI).
NOTE: A positive answer to all questions does not guarantee compliance, but it should mean that you are heading in the right direction.
- Do I really need this information about an individual?
- Do I know what I’m going to use it for?
- Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
- Am I satisfied the information is being held securely, whether it’s on paper or on a computer?
- Is my website secure?
- Am I sure the personal information is accurate and up to date?
- Do I delete/destroy personal information as soon as I have no more need for it?
- Is access to personal information limited only to those with a strict need to know?
- If I want to put staff details on our website have I consulted with them about this?
- If I use CCTV, is it covered by POPI? If so, am I displaying notices telling people why I have CCTV?
- Are the cameras in the right place, or do they intrude on anyone’s privacy?
- If I want to monitor staff, for example by checking their use of email, have I told them about this and explained why?
- Have I trained my staff in their duties and responsibilities under POPI, and are they putting them into practice?
- If I’m asked to pass on personal information, am I and my staff clear when POPI allows me to do so?
- Would I know what to do if one of my employees or individual customers asks for a copy of the information I hold about them?
- Do I have policies for privacy, data collection and usage, employment policies regarding monitoring of emails?
- Do I need to notify the Regulator of my processing activities?
- If I have already notified, is my notification up to date, or does it need removing or amending?
The POPI Act is going to place tremendous pressure on companies from a compliance perspective. Granted there have been many false starts with this legislation but companies will only have one year to comply and the financial consequences and reputational risk could be dire. POPI was signed into law on the 27th November 2013, however, the actual commencement date of the act is yet to be determined.
For safe mobile solutions contact us today.