Newsletters & Blogs


2013-11-05
Protection of Personal Information Act (PoPI) and what it means to business.


All businesses keep personal information of some kind – be it employee records, customer information or data related to their supply chain. PoPI (the Protection of Personal Information Act) is going to change the way we handle this information from the point it is collected right through to how it is eventually disposed of or destroyed.

Too many companies put themselves and their employees at risk due to the way they handle personal information – if you look at cases from Europe and the UK, which have similar legislation, companies have paid fines of hundreds of thousands of pounds for cases of information neglect!

The South African Constitution states that “everyone has the right to privacy” but until now there was nothing to enforce it – now there is! Every organisation that “works with personal information” is impacted – this includes information that can identify both people and organisations – including employees and suppliers – and anyone else.

POPI is built around 8 conditions for lawful processing for information – these 8 conditions are;

  1. Accountability
  2. Processing Limitation
  3. Purpose Specification
  4. Further Processing Limitation
  5. Information Quality
  6. Openness
  7. Security Safeguards
  8. Data Subject Participation

In brief each means that;

  1. The organisation is accountable for the lawful processing of the personal information it collects, stores and disposes of – PoPI refers to the organisations Information Officer (a role most will not have) – this is the party accountable – and in cases where they have not been identified will be the CEO;
  2. Information to be processes must meet 4 criteria (i) Fit for the purpose collected – no more, no less (ii) Collection of data should not infringe on people’s privacy, (iii) Consent from the person is required, (iv) Data must be sourced directly from the person;
  3. Personal information can ONLY be collected for a specific purpose – and then only used for this purpose, and also only kept as long as required for this purpose – and the person must be aware of this purpose;
  4. If it is necessary to provide the information to another party it can only be done to as a continuation of the original purpose – not for anything else;
  5. It is the responsibility of the organisation collecting and using the data to ensure that it is accurate and complete – while ensuring that only the necessary information is collected and it kept for the minimum amount of time;
  6. Any organisation must inform the regulator of its intention to process personal information before commencing the processing of personal information (unless registered in terms of PAIA (Process of Access to Information Act) AND complete openness with people whose information is being collected is required (purpose, information etc);
  7. This is perhaps the biggest one – to quote PoPI – S(19)(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent…”;
  8. People whose information you hold have a right to interact with you regarding this information (i.e. know what information you hold and why, change it or delete it) – proof of these interactions needs to be kept.

PoPI is bound to cause some real challenges for businesses into 2014 and beyond.

SINK or SWIM is holding a half day PoPI Seminar to not only cover the Act but also, and more importantly, discuss what you need to do to manage these challenges:

Date: Tuesday 3rd December 2013

Cost: R 1,495 per delegate (20% discount for 3 or more delegates)

Venue: Pretoria East Area (delegates will be informed of the venue closer to the date)

You can REGISTER ONLINE for this event.

This can also be run as an In-House event should you require it – please CONTACT US BY CLICKING HERE for a quote and to arrange this.