Protection of personal information laws kick in
The Protection of Personal Information Act (Popia), which was signed into law seven years ago in 2013, came fully into effect (with the exception of two sections) this week, on July 1, after President Cyril Ramaphosa gave the go-ahead for its implementation. Companies and other organisations handling your personal information have a year to comply with the act.
Lize de la Harpe, legal adviser at Glacier by Sanlam, says that in essence, Popia gives effect to section 14 of the Constitution, which says that everyone has the right to privacy.
“Popia regulates, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy, subject to justifiable limitations that are aimed at protecting other rights and important interests,” De la Harpe says.
“Personal information” refers to information relating to an identifiable, living natural person (and, where applicable, a juristic person), including your gender, marital status, age, identity number, email address, telephone number and physical address.
The act also makes provision for “special personal information”, which is information of a more sensitive nature, such as information concerning children, your religious affiliation, race or ethnic background, trade union membership, political affiliation, medical and genetic information and criminal record.
A higher degree of protection is given to this special information.
The “processing” of personal information basically refers to anything the organisation can do with it, from receiving, storing, updating and disseminating it, through to erasing or destroying it.
De la Harpe says the act also provides for the establishment of a regulator, known as the Information Regulator, which will monitor and enforce compliance and deal with complaints from the public.
Conditions for processing your personal information include the following (with certain exceptions):
◆ The information must be collected from you, with your consent.
◆ It must be done for a specific purpose, must be fit for purpose (in other words, the demands cannot be excessive) and must be kept only for as long as it serves that purpose.
◆ You have the right to know of anything the organisation does with your information and the identity of third parties who have access to it.
◆ You may request the organisation to correct or delete information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
◆ The information must be kept as secure as possible, with the organisation obliged to take precautions against foreseen internal and external risks. Both you and the Information Regulator must be informed of any data breaches that compromise your privacy.
Companies must not only comply with Popia with regard to their clients; they must also comply with regard to their employees. In other words, it is not only companies you deal with as a customer that must protect your personal information; it is your employer too.
In a recent website article, Ahmore Burger-Smidt, Jacques van Wyk and Bradley Workman-Davies at Werksmans Attorneys point out that employers need to ensure that they comply with Popia regarding the processing of their employees’, customers’ and service providers’ information.
“It is also important that their employees are equally aware of, and comply with, these obligations when processing any such information on behalf of the employer,” they say.
Burger-Smidt, Van Wyk and Workman-Davies say it is important that adequate provisions be inserted into employment contracts and that workplace policies and procedures be implemented to ensure compliance. These should include:
◆ The designation of an information officer.
◆ Implementing procedures for processing information lawfully, in accordance with the conditions provided for in the legislation.
◆ Obtaining consent from employees for the processing of their personal information.
◆ Providing training and information to human resources practitioners as well as employees to ensure that information is processed lawfully and that employees, as “data subjects”, are aware of their rights.
◆ Putting in place measures to ensure the processing of special personal information is lawful.
◆ Dealing with any cross-border processing of information.
◆ Implementing procedures to address and deal with any complaints from, among others, employees regarding the processing of their personal information.