The PoPI Act and what it means for you

The era we live in is continuously referred to as the “information age.” This is because of how easy it has become to access information.

At the push of a button, information that would have required multiple visits to the library can be made available in seconds. The weather forecast, navigation routes, grocery store sales and even good holiday destinations can be accessed from a wide variety of mobile devices.

However, this rapid access to information has not been without complications and harmful hindrances. Identity theft, cyberbullying and digital hacking have also become an unfortunate part of the information age. To combat these threats the Protection of Personal Information (PoPI) Act will come into effect on the 25^th of May 2018.

According to www.workpool.com, “In simple terms, the purpose of the PoPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way.”

The National Assembly approved the appointment of members to the Information Regulator on 7 September 2016.  The Regulator will be responsible for education, monitor and enforce compliance, handle complaints, perform research and facilitate cross-border cooperation.

Workpool.com further asserts, “The PoPI legislation basically considers your personal information to be “precious goods” and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over.”

However, the question remains, what does it mean for South Africans.

PoPI for average South African citizens

While the PoPI act does not guarantee that South Africans will never be victims of compromised information, it does give them an opportunity to make whatever organisation or individual that they can prove was careless with the distribution of their personal information accountable.

In order to prove misuse and carelessness of the citizens’ information, it is key they understand these rules of processing information set out by PoPI Act, particularly after the ‘masterdeeds’ incident:

Lawfulness, fairness and transparency

• Information should be processed lawfully and not excessively. There should be openness with any processing activities. For transparency, data subjects may obtain confirmation of their personal information being used, where and why.

Purpose limitation

• Processing of information should be for a defined purpose only and no further processing should be done without consent.

Data minimisation

• Organisations should not keep unused data.

 Accuracy

• All data should be accurate and up to date.

Storage limitation

• Once data is used, it should be removed and not kept longer than necessary.

Integrity and confidentiality

• Correct safeguards should be in place to ensure the security of data. Organisations should prevent loss, damage or the unlawful accessing of data. All information is to be treated as confidential.

PoPI for businesses

While businesses have been given a year to comply with the requirements of the act, this will be a turning point in how every business manages personal information of their clients, specifically for many insurance companies, banks, credit record companies and other financial service providers.

Failure to comply with the stipulations of the act could result in huge court settlements, sanctions and even prison time (in extreme situations.) This means many business practices related to sharing client information will change.

In conclusion, the PoPI Act will mean a paradigm shift in the distribution, filing and safeguarding of information in one capacity or the other.

Courtesy of Skyways article page 46 | January, 2018