The Protection of Personal Information Act (No. 4 of 2013) (hereinafter referred to as 'POPIA' or 'the Act'), which gives effect to the Constitutional right to privacy in South Africa, commenced on 1 July 2020. There has been a grace period of one year.
It is compulsory for all public and private bodies (subject to some exclusions) that process personal information to comply with the Act. This includes personal information about employees, customers, clients, and/or suppliers, collectively known as ‘data subjects’.
In certain other countries, SMEs are exempt from similar legislation; in South Africa, however, this is not the case. It may be that, in the future, SMEs will be exempted by the Information Regulator (IR).
The correct use of terminology for the Act is very important. The IR has requested that everyone use 'POPIA' when referring to the Act, and that the term ‘POPI’ rather be used when referring to the action or process of protecting personal information.
In order to comply with POPIA, public and private bodies or ‘organisations’ are required to implement a ‘POPI’ programme to ensure that the safety and privacy of the personal information of their ‘data subjects’ are protected.
Some important terms that are defined in the Act, and are vital to understand from the outset, are:
- “processing” is defined very broadly in the Act, and means any activity (including by automatic means) concerning personal information. It includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination by means of transmission, distribution or making available in any other form, or merging, linking, and restriction, degradation, erasure or destruction of information.
- “personal information” is also defined very broadly in the Act, and includes a wide range of information that can be used to identify a data subject. It relates to information pertaining to an identifiable, living natural person, and where it is applicable, an identifiable existing juristic person, including (and not limited to) information relating to race, gender, marital status, pregnancy, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth. It also includes information relating to the education, or the medical, financial, employment or criminal history of the person, any identifying number, all contact details, biometric information, personal opinion, private or confidential correspondence of that person, the views or opinions of another individual about the person, and the name of the person.
Grace and Implementation
All organisations have a grace period, and will be required to be fully compliant with POPIA within 12 months of the commencement date, in other words, by 30 June 2021. The Act applies retrospectively, which means that these bodies will need to ensure that they have been compliant from the commencement date (1 July 2020).