Protection of Personal Information Act: Are you compliant?

The president signed the Protection of Personal Information Act (Popi) and it became law on November 26 2013.  Popi essentially regulates how anyone who processes personal information must handle, keep and secure that information.  It may have taken over eight years to complete, but the final result is a good piece of legislation.

As much as it has been signed into law, Popi isn't effective yet. The president still has to decide on the commencement date.  If this sounds confusing to those non-lawyers out there: the date when an Act is signed into law and the date when it actually applies, can be different.

There's another aspect to when Popi's provisions begin to apply. Not only do we need to wait for a commencement date, but Popi also gives everyone an additional year from the commencement date to comply with its requirements.

The fact that everyone who processes personal information still has more than a year to make arrangements to comply, shouldn't make anyone wait. 

Popi is strict and has substantial penalties. Anyone who contravenes Popi's provisions faces possible prison terms and fines of up to R10-million. Popi also allows individuals to institute civil claims so there's the possibility of further financial loss on top of any fine that may be imposed.

So what can anyone who processes personal information do to ensure that, when the one-year grace period is over, they are Popi compliant? You should, as a bare minimum, consider doing the following:

  • Read the Act. It's not a highly technical piece of legislation. It is long, so if you have time constraints focus on chapter three. It sets out eight conditions for the lawful processing of personal information.
  • Give some thought to the type of personal information you process and how your processing complies with the eight conditions in chapter three. A spaza shop and a huge medical aid scheme could both possibly process personal information but the sensitivity of the information and what Popi would expect of each would be very different.  
  • Consider whether your organisation's operations warrant information security awareness training for your staff. For example, your staff would need to be trained on the simple confidence tricks, such as a phone call to an unwitting staff member, that are often used to access personal information.
  • Train your staff on laptop, data storage and mobile device security. Put procedures in place to limit who can access certain information on those devices and your organisation's computer system.  
  • Ensure that laptops and other mobile devices have passwords and similar security and are preferably encrypted. Try to implement systems and software that allow lost devices to be remotely "wiped clean".  An unencrypted back-up disk that Zurich Insurance lost in South Africa cost it a fine of £2.3-million. You should draft policies dealing with each of these issues and educate your staff on them.  
  • Look at the physical security of the premises where you store the personal information that you process. Do you have reasonable security measures in place such as access control, burglar bars, CCTV and alarm systems? Assess these physical security measures in the light of the type of personal information you process (remember: spaza shop versus medical scheme).  
  • Assess whether any service providers who process information on your behalf, have considered and implemented each of the five points above.  Put proper contracts in place that compel your service providers to give you assurances that they will also comply with Popi. 
  • Given the potential for huge financial losses, consider whether your organisation would be justified in securing cyber insurance.  Your current "generic" insurance policy is not likely to cover losses arising out of a data breach by your organisation.  

Your organisation has more than a year to make changes that will help it comply with Popi.  If you start attending to them now, you should be fully compliant by the time Popi starts showing its teeth.  

Lucien Pierce is an attorney at Phukubje Pierce Masithela Attorneys in Johannesburg.  He specialises in both contentious and non-contentious aspects of commercial law, with an emphasis on communications, media and information security law.  

We make it make sense

If this story helped you navigate your world, subscribe to the M&G today for just R30 for the first three months

Subscribers get access to all our best journalism, subscriber-only newsletters, events and a weekly cryptic crossword.”

Related stories

WELCOME TO YOUR M&G

Already a subscriber? Sign in here

Advertising

Latest stories

Davos: How SA can build a digitally competitie future based...

There are many examples of this. Kenya is using blockchain-enabled AI solutions for the unbanked to secure loans

We are not disposable, say healthcare workers

The Gauteng health department’s budget has been slashed in half, resulting in nurses who worked through the pandemic sitting at home while 10 000 posts are vacant

Experience Africa in Johannesburg, Durban and Cape Town

If you had the opportunity to explore South Africa, to really see it, be confused by it, fall in love with the good, bad...

Clouds gathering as Safa approaches presidential elections

There are some members of the body’s national executive committee who are backing the re-election of Jordaan as the Safa president unopposed.
Advertising

press releases

Loading latest Press Releases…
×