POPI Act: The 2022 Guide
The Protection of Personal Information (POPI) Act is a complex new law, and according to Michalsons, it is hard to summarise – but broken up into sections, it is easy to wrap your head around – and very important. The law impacts many entities and industries, but each organisation is affected differently.
What is the POPI Act, and what does it mean for South Africans?
The POPI Act became law in November 2013. The remaining provisions of the Act were supposed to come into effect on 1 April 2020 but were delayed because of the COVID-19 pandemic.
On 22 June 2020, the President issued a Proclamation, and some of the POPI Act sections came into effect. The chosen selections covered application and exclusion provisions, the lawful retrieving of a person’s personal information and exemptions, the Information Officer, prior authorisation, codes of conduct and provisions that regulate direct marketing. More sections became effective on 30 June 2021.
The South African POPI Act sets out conditions under which responsible parties – known as controllers in other jurisdictions – may lawfully process the personal information of data subjects, who may be natural or juristic persons. Processing is defined broadly and includes collecting, receiving, recording, organising, retrieving, using, distributing and sharing personal information.
The law does not prohibit processing, nor does it in itself require you to obtain consent from data subjects before processing their personal information. If you decide why and how personal information is processed, you must comply with the conditions set out in the Act.
Currently, there are eight general conditions and three additional conditions. As the responsible party, you remain accountable if your operators – the people who process personal information on your behalf – fail to meet those conditions.
All South African organisations and individuals who obtain, handle or store the personal information of another person had to adhere to the requirements of the Act and prepare to safeguard that information. This applied regardless of whether the processing was done by employees, suppliers or service providers.
South African companies had until 1 July 2020 to bring their systems and processes in line with the Act. Non-compliance exposed them to reputational damage and potential civil damages claims, as well as fines of up to R10 million or ten years in prison – or both.
How to comply with the POPI Act
Almost every organisation is faced with achieving and sustaining compliance with the POPI Act. Here is a checklist that provides a step-by-step approach to compliance:
Formalise the POPI Act compliance project
- Identify your pertinent stakeholders, project sponsor, and project manager and provide a high-level scope with a timeline and budget.
Assign an Information Officer
- When you appoint an Information Officer, make sure there’s alignment between your Promotion of Access to Information Act (PAIA) and the POPI Information Officer (IO).
- Decide whether your CEO can take on the role of IO or whether a deputy Information Officer (DIO) is necessary.
- State and agree on the roles and responsibilities of the IO and DIO.
- Make the formal appointment process official.
Perform a gap analysis against the POPI Act
- Be realistic about your interim and final targets for compliance with the Act.
- Involve the relevant stakeholders in the assessment.
- Take an evidence-based approach.
- Reuse your assessments for ongoing compliance monitoring.
Those are the first three steps. The remaining six, which you should research further, are: analyse what personal information you process and how; implement compliance policies that adhere to the POPI Act; review your websites; update or create a PAIA manual; introduce POPI-compliant personal information management processes; train your stakeholders on their roles; and finally, make POPI Act compliance ‘business-as-usual’.
POPI Act and healthcare
The POPI Act does not replace or change the regulations set by the Health Professionals Council of South Africa (HPCSA). Medical professionals still have a confidentiality obligation towards their patients.
The HPCSA rules and the POPI Act do, however, contain similar provisions governing third-party access to information: permission to disclose confidential information must be given in writing or verbally, and the patient must be informed.
WhatsApp and POPI Act
Media reports indicate that WhatsApp group administrators do not need to send a disclaimer before adding a person to a group, particularly where the group is for friends, family or meme-sharing. You do not need the consent of the person you add, although it is courteous to send them an invitation to the group rather than adding them without warning.
The same approach does not apply to formal and business groups. Consent must be obtained before a person is added to a work WhatsApp group.
The Internet and POPI Act
You are probably familiar with entering your personal information into social media sites, e-commerce stores and official websites. If you Google your name, you may find more than you thought there was.
Under the POPI Act, you can request that search engines and websites correct, remove or destroy your personal information. This applies where your information is incomplete, misleading or has been obtained or processed unlawfully.
Change and privacy
The POPI Act has implemented a massive improvement for privacy and control over your personal data. Pay more attention to the personal information you share with anyone.
iER and the POPI Act
In order to help you effectively, iER needs to process some of your personal information. The more information you’re able to give us, the better we can help you.
We might ask for information such as your blood type, any chronic conditions you may have, and allergies. This information helps us to keep you safe because we’re able to give you the correct advice based on your current medical situation.
This information will not be accessed by call centre agents when you submit an alert via our app. We will then send the appropriate help to you.