When the Protection of Personal Information Bill (POPI) becomes law later this year, it will place a notable onus on businesses that process any personal data on any person.
While seeking to ensure that individuals have the maximum control over the flow of their personal information, the new laws will compel many organisations to entirely re-think the way they handle such information.
POPI is currently being reviewed by Parliament and is expected to come into law sometime this year.
It “will be the most comprehensive bill dealing with the protection of information in SA and will cover any person or entity that collects personal information”, says Pamela Stein at law firm Webber Wentzel.
“The moment you get any personal info in your possession you are covered by the Act,” she says.
With ‘personal information’ envisaged under the drafts to cover a very wide range of data pertaining to individuals, any business that employs staff, collects personal information from clients or holds information on its suppliers is going to have to take heed of the Act.
The laws will impact almost every business in the country and, with hefty penalties envisaged for non-compliance, SA businesses are going to need to develop comprehensive data handling strategies to ensure that they comply with the law.
Implications for business
The Act itself will be “wide ranging, but basically what it is saying is that if you hold and process personal data you have to do so very carefully and with proper respect for the rights and interests of the people to whom it pertains,” says Iain Currie, a law professor at Wits University.
Essentially, the wide spectrum of protections afforded to the ‘data subject’ by the laws will become the practical and legal concern of any entity which ‘processes’ data relating to that subject.
Notably, though not exhaustively, these protections include the data subject’s right to know when information is being collected about him or her and to have consented to that collection. The data subject also has the right to know what personal information an organisation holds and how to access it. In addition, individuals can challenge the accuracy of the data.
While ensuring that these rights are honoured, businesses will also need to ensure that data is kept safe, that it is not distributed to third parties without the consent of the subject and that it is not being used for any purpose other than that which was advised to the data subject.
Businesses will have to notify the regulator in writing should they engage in personal data processing activities and must ensure that they do not keep any personal information for a period longer than is strictly required for the stated purpose under which the data was collected.
According to Rohan Isaacs, a director at Norton Rose, the new law will require some staff education to ensure compliance with the legislation. Not only will businesses have to qualify the reason for keeping data, they can also only use that data for that specific reason. For example, if data was collected when signing in at a building’s security desk, that data may be used only for security purposes.
A step-by-step guide
Stein advises firms to appoint an information protection officer who would be in charge of data. The next step is to ensure compliance; this involves an audit of all the data held by the business to ascertain what type of data is being stored and if it is covered by the Act.
The law differentiates between types of personal information according to their sensitivity: “The most significant, the most detailed and I would say intrusive personal data, is that of employees, unless you are in the medical or insurance or banking industries.”
This type of sensitive information, defined as “special information” in the Bill, relates to, amongst others, religious beliefs, health data and the personal views held by employees. It attracts greater protection under the law.
Businesses will also have to ensure that the data is secure and handled properly. Firms will be given a grace period of a year to fully comply with the regulations, according to Isaacs.
He expects the final law to include a R10m administrative fine for non-compliance, while violations may also result in criminal charges or lengthy prison sentences.