The PoPI Act and what it means for you

The era we live in is continuously referred to as the “information age.” This is because of how easy it has become to access information.

At the push of a button, information that would have required multiple visits to the library can be made available in seconds. The weather forecast, navigation routes, grocery store sales and even good holiday destinations can be accessed from a wide variety of mobile devices.

However, this rapid access to information has not been without complications and harmful hindrances. Identity theft, cyberbullying and digital hacking have also become an unfortunate part of the information age. To combat these threats, the Protection of Personal Information (PoPI) Act will come into effect on the 25th of May 2018.

According to, “In simple terms, the purpose of the PoPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way.”

The National Assembly approved the appointment of members to the Information Regulator on 7 September 2016. The Regulator will be responsible for education, monitoring and enforcing compliance, handling complaints, performing research and facilitating cross-border cooperation. further asserts, “The PoPI legislation basically considers your personal information to be “precious goods” and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over.”

However, the question remains: what does it mean for South Africans?

PoPI for average South African citizens

While the PoPI Act does not guarantee that South Africans will never be victims of compromised information, it does give them an opportunity to hold accountable any organisation or individual that they can prove was careless with the distribution of their personal information.

To prove misuse and careless handling of their information, citizens need to understand the rules for processing information set out by the PoPI Act, particularly after the ‘masterdeeds’ incident:

Lawfulness, fairness and transparency
  • Information should be processed lawfully and not excessively. There should be openness with any processing activities. For transparency, data subjects may obtain confirmation of their personal information being used, where and why.
Purpose limitation
  • Processing of information should be for a defined purpose only and no further processing should be done without consent.
Data minimisation
  • Organisations should not keep unused data.
  • All data should be accurate and up to date.
Storage limitation
  • Once data is used, it should be removed and not kept longer than necessary.
Integrity and confidentiality
  • Correct safeguards should be in place to ensure the security of data. Organisations should prevent loss, damage or the unlawful accessing of data. All information is to be treated as confidential.

PoPI for businesses

While businesses have been given a year to comply with the requirements of the act, this will be a turning point in how every business manages the personal information of its clients, specifically for many insurance companies, banks, credit record companies and other financial service providers.

Failure to comply with the stipulations of the act could result in huge court settlements, sanctions and even prison time (in extreme situations). This means many business practices related to sharing client information will change.

In conclusion, the PoPI Act will mean a paradigm shift in the distribution, filing and safeguarding of information in one capacity or another.

Courtesy of Skyways article page 46 | January, 2018

2 Comments on “The PoPI Act and what it means for you”

  1. Working in the Private Hospital Industry, where patient information is gathered constantly, taking of photos and sending it via several networks, like e-mail, WhatsApp and so forth, is a great concern. I do however suffer in getting information to read about this. Do you have any suggestions? Kind Regards.

    1. Hi Elize,

      There has been a lot of work done around the area of protecting personal information in health care overseas, which can be found online. We have worked with some medical services regarding protecting patient information. There are many systems in the medical industry that have spent a lot of time looking into this problem and your current software vendors should be able to provide information in regards to how they handle private information.

      Step one is to create some simple guidelines for your team to follow. It sounds like the staff are simply using whatever is easiest and not understanding the security issues around how data is stored and sent.

      If you would like some more help exploring this issue you can go to and get in touch to see how we can help.
