What Is POPIA (Protection of Personal Information Act)?

Introduction: South Africa and Personal Information Act

Personal information has become a precious commodity in this age of data-driven decision-making and digital interactions. The internet and digital revolution changes how we gather, keep, and use personal information.

Technology increasingly intertwines our lives, from online shopping and social media to healthcare and financial services. This digital age has brought unparalleled convenience and efficiency, but it has also exposed individuals to unprecedented risks concerning the security and privacy of their personal data. Statistica reported that data breaches exposed over 6 million data records globally in early 2023. As data breaches, identity theft, and privacy violations are making headlines on a regular basis, protecting individuals’ personal data is a paramount concern.

In response to these, various governments around the world have enacted different legislations to ensure data privacy and security. South Africa is no exception, having introduced the Protection of Personal Information Act (POPIA). This article serves as a guide to help you understand the key aspects of POPIA.

What Is POPIA?

POPIA, the Protection of Personal Information Act, is a South African law enacted to regulate the processing of personal information by public and private entities. It aims to protect individuals’ privacy and personal data by establishing principles and requirements for responsible parties (organizations) that handle personal information.

POPIA was signed into law in 2013, with full enforcement becoming effective on July 1, 2021. This law was crafted to align South Africa with global data protection and privacy standards. POPIA empowers individuals to have control over their personal information while imposing obligations on organizations to handle such data responsibly. To see the official documentation of the act, click here.

Now, let’s dive into the key principles and components of POPIA to understand how it works.

Who Is Affected by the POPIA Act?

POPIA is not limited to South African companies. It applies to any entity processing personal information within South Africa’s borders or entities processing the personal information of South African residents, even if they are located abroad.

Key Definitions in POPIA

There are some key definitions to take note of in order to understand the POPIA law. They include:

1. Personal Information: the definition of personal information in POPIA is very broad to accommodate all necessary information that relates to an identifiable, living, and natural individual or company. This information can encompass race, gender, sex, religion, disability, culture, nationality, language, educational background, biometrics, personal opinions, employment, health, and financial history, among others.
2. Processing: This refers to any operation or activity involving personal information, such as collection, recording, storage, retrieval, use, or disclosure.
3. Data Subject: A data subject is the individual to whom the personal information relates. In other words, it’s the person about whose the data is collected and processed.
4. Responsible Party: This refers to any person (which can include a company, government agency, or any other organization) that determines the purposes and means for processing personal information. In simpler terms, a responsible party decides why and how to collect and use personal information.
5. Operator: An operator processes personal information on behalf of a responsible party, but does not have the authority to do so. Responsible parties hire operators to handle particular processing tasks.

POPIA’s Conditions for the Lawful Processing of Personal Information

POPIA establishes conditions for the lawful processing of personal information. These conditions respect individuals’ privacy rights and handle personal data responsibly.

Here are the key conditions for the lawful processing of personal information under POPIA:

1. Accountability: Responsible parties must ensure compliance with POPIA’s principles and provisions. They are accountable for the lawful processing of personal information.
2. Processing Limitation: Organizations can only process personal information for specific, lawful, and relevant purposes in a manner that respects the data subject’s privacy. They must obtain full consent directly from the data subject before processing their personal information.
3. Purpose Specification: Responsible parties must specify their purpose for collecting and processing personal information at the time of collection.
4. Further Processing Limitation: Further processing of personal information must be compatible with the initial purpose of collection.
5. Information Quality: Responsible parties must take reasonable steps to ensure that personal information is accurate, complete, not misleading, and up-to-date.
6. Openness: Responsible parties must maintain documentation of their processing operations transparently. Data subjects should understand who uses their information and how.
7. Security Safeguards: Responsible parties must implement appropriate technical and organizational measures to protect personal information from loss, theft, unauthorized access, and disclosure. Data security is paramount.
8. Data Subject Participation: Data subjects have a right of access to the personal information that responsible parties hold about them. They can request corrections, deletions, or restrictions on processing under certain circumstances. Responsible parties must respond to these requests promptly.

Rights of Data Subjects Under POPIA

POPIA provides individuals with clear rights regarding the use of their personal data. These rights give people control over their information and maintain their privacy. Here are some of the main rights:

• When organizations collect data, they should inform the individuals.
• If there’s unauthorized access to their data, individuals must be informed.
• Individuals can ask for access to see the data that organizations have about them.
• For incorrect or incomplete data, individuals have the right to ask for corrections or removal.
• For specific reasons, individuals can decline the use of their data.
• Legal steps are available to individuals if their data is used improperly.

The Information Regulator in South Africa

Compliance with POPIA is not optional. The Information Regulator is an independent body established under the POPIA Act and responsible for enforcing compliance and investigating breaches.

The information regulator is an independent office. It is not affiliated with the government or any other institution. However, it is accountable to the National Assembly.

Due to its independence, the Information Regulator can operate without undue influence. Its primary role is to promote the protection of personal information in South Africa, ensuring both organizations and individuals adhere to POPIA’s provisions.

Here are some of its key responsibilities:

1. Public Awareness: The regulator actively raises awareness about data protection rights and obligations. This can involve conducting educational campaigns and providing resources to assist both individuals and organizations in understanding and complying with POPIA.
2. Oversight and Regulation: The regulator supervises the processing of personal information by both public and private entities. In cases of POPIA violations, it has the authority to issue codes of conduct, impose fines, and order corrective measures.
3. Monitoring and Enforcement: The regulator has the mandate to monitor compliance with POPIA, investigate complaints, conduct inquiries, and take enforcement actions against non-compliant entities.
4. Addressing Complaints: Individuals can approach the regulator if they believe their data protection rights have been compromised. The regulator responds by investigating and taking appropriate measures.
5. Collaboration: The regulator collaborates with other national and international regulatory and data protection authorities to ensure robust data protection measures, especially concerning cross-border data transfers and global data protection challenges.
6. Data Breach Reporting: Organizations must report data breaches to both the regulator and the affected individuals. The regulator ensures accurate reporting of these breaches and manages them effectively.

Information Officer

The information officer is a designated individual or position within an organization entrusted with specific data protection and privacy responsibilities. The information officer oversees and ensures the organization’s compliance with POPIA.

Additionally, this involves staying up-to-date with the legislation, interpreting its requirements, managing data subject requests, working with the information regulator, and implementing necessary measures to ensure compliance.

Codes of Conduct Under POPIA

Under POPIA, codes of conduct provide specific guidelines and standards for the responsible handling and processing of personal information within a particular industry or sector. They aim to assist organizations subject to POPIA in effectively interpreting and implementing the legislation.

Under the jurisdiction of the information regulator, these codes are an essential part of the data protection framework. The regulator maintains a public register of approved codes of conduct. At times, authorities can amend or revoke these codes if necessary. However, if a body or organization doesn’t comply with these codes, the regulator can fine or penalize them for violating the conditions for lawful processing of personal information.

Enforcement, Penalties, and Fines Under the POPIA

POPIA strongly emphasizes data protection and grants enforcement powers to the information regulator, the regulatory authority responsible for overseeing compliance with the act. The regulator has the authority to investigate complaints, initiate inquiries, and conduct audits to determine whether organizations adhere to data protection principles and requirements.

They can also refer complaints to other regulatory bodies when the need calls for it. The POPIA has provisions for enforcing its rules and dealing with non-compliance. Any aggrieved person can submit their complaints and follow through with the established channels and guidelines for redress.

When the information regulator investigates a potential violation, it may issue notices, conduct inquiries, and provide organizations with opportunities to respond to allegations and rectify non-compliance. The information regulator may impose appropriate penalties and fines if a violation is confirmed.

The penalties and fines for offenses or non-compliance differ according to their severity. Organizations can appeal decisions and penalties imposed by the information regulator through legal channels.

Other Data Protection Laws Similar to POPIA

The Protection of Personal Information Act (POPIA) in South Africa is just one of many data protection regulations around the world. Here are other data protection laws to be aware of:

1. General Data Protection Regulation (GDPR): Applies to any organization, regardless of location, that processes the personal data of individuals residing in the European Union.
2. Consumer Privacy Rights Act (CPRA): this regulation protects consumers’ personal information in California.

Conclusion 

The field of data protection is continually evolving. As technology advances, so do the challenges of protecting personal information. POPIA is a critical milestone in South Africa’s journey toward data protection and privacy. Embracing its principles and complying with its provisions ensures legal adherence and builds trust among concerned parties.

About Identity.com

It’s encouraging to see governments acknowledging and establishing the significance of data protection laws that safeguard the personal information of individuals and give them control over their data, a principle that Identity.com also embraces. Our company envisions a user-centric internet where individuals maintain control over their data.

This commitment drives Identity.com to actively contribute to this future through innovative identity management systems and protocols. As members of the World Wide Web Consortium (W3C), we uphold the standards for the World Wide Web and work towards a more secure and user-friendly online experience.

The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.