South Africa’s Protection of Personal Information Act (POPIA) is set to come into effect from 1 April 2020.
Ahmore Burger-Smidt, Head of the Data Privacy Practice Group at Werksmans Attorneys, said that a high level of POPIA awareness is present in South Africa at the moment, despite the fact that the act is still not fully operational.
“In fact, none of the provisions of POPIA that deal with the protection of rights have been promulgated as yet,” Burger-Smidt said.
“Therefore, as much as anyone would wish to call upon POPIA to defend the non-disclosure of information, it does not change the fact that the road to promulgation has been long but finally a date is available for when the South African society will be able to claim the protection afforded by POPIA.”
She said that from a commercial perspective, the duties and responsibilities of companies to protect the privacy of users are never absolute – there are situations when they will be required to submit this data.
“POPIA cannot be put forward in all instances to refuse access or disclosure of personal information.”
Right to privacy
“POPIA recognises in its preamble that section 14 of the Constitution provides that everyone has the right to privacy,” Burger-Smidt said.
The limitations to protecting this right to privacy are dependent on the following:
- Balancing the right to privacy against other rights, particularly the right of access to information.
- Protecting important interests, including the free flow of information within the Republic and across international borders.
Based on the above considerations, your personal information can be disclosed under a number of circumstances.
When your information can be processed
These circumstances are listed in Section 11 of POPIA, which provides that personal information may be disclosed and processed if:
- The data subject (the customer or employee) consents to the processing
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party
- Processing complies with an obligation imposed by law on the responsible party
- Processing protects a legitimate interest of the data subject
- Processing is necessary for the proper performance of a public law duty by a public body
- Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied
Burger-Smidt said that taking the above into account, POPIA does permit the disclosure and processing of the confidential information of an employee or advisor in certain circumstances.
“Understanding the full application and impact of POPIA will definitely take time,” she said.
“The road has been long to get to this point. The problem is the road to full compliance will be very short once POPIA is fully effective.”
“Companies will be required to be in full compliance with POPIA within 12 months after POPIA comes into effect.”