POPI has been making news headlines since it was signed into law by President Zuma on 19 November and published in the Government Gazette, number GG 37067, on 26 November 2013.
Although the commencement date has not yet been proclaimed, once it is businesses are expected to have one year to comply – this period may however be extended by the Minister. The commencement date along with details pertaining to the regulation of the Act will be published in the Government Gazette once finalised.
The implications of the Act are far reaching and any business that processes personal information, even if this is limited to their Human Resources department, will be impacted. In particular those in the financial services field will be significantly affected and need to closely examine their processes and procedures for data processing and storage.
In summary, POPI contains eight main principles, namely:
- Accountability: The responsible party must ensure that the eight information processing principles are complied with;
- Processing Limitation: Processing of information must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed;
- Purpose Specification: Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The responsible party must take steps to ensure that the data subject is aware of the purpose for which his/her personal information is being collected;
- Further Processing Limitation: This is where personal information is received from a third party and passed on to the responsible party for further processing. In these circumstances, the further processing must be compatible with the purpose for which it was initially collected;
- Information Quality: The responsible party must take reasonably practical steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, taking into account the purposes for which it was collected;
- Openness: Personal information may only be processed by a responsible party that has notified the Information Protection Regulator. Furthermore, certain prescribed information must be provided to the data subject by the responsible party including what information is being collected, the name and address of the responsible party, the purpose for which the information is collected and whether or not the supply of the information by that data subject is voluntary or mandatory;
- Security Safeguards: The responsible party must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information;
- Data Subject Participation: A data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject and request from a responsible party the record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information. In addition, a data subject may request a responsible party to:a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, misleading or obtained unlawfullyb) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.
Compuscan advises all its clients to begin reviewing their compliance with the Act. As a starting point, use the steps below to prepare:
- Conduct an audit on all your data and processing methods
- Create a project plan to address shortcomings and set milestones
- Consult a lawyer/consultant who specialises in POPI compliance
- Focus on ensuring data quality
- Ensure methods used to transfer data is secure and protected
- Ensure that all data received from bureaus, other sources and your own data is stored in a secure method and remains confidential
- Immediately report errors in data to the bureau or relevant sources
- Ensure you keep a record of consumer consent
- Ensure a legitimate reason for accessing/processing/storing of data
- Do not store any data for longer than its intended use
- Do not participate in any form of direct marketing without first obtaining consent from the data subject
The data and services supplied by Compuscan will be compliant. Keep an eye on our future newsletter articles for more updates on POPI and advice on how to prepare.