
Protection of Personal Information Act: Are you compliant?

The president signed the Protection of Personal Information Act (Popi) and it became law on November 26 2013.  Popi essentially regulates how anyone who processes personal information must handle, keep and secure that information.  It may have taken over eight years to complete, but the final result is a good piece of legislation.

Although Popi has been signed into law, it isn't effective yet. The president still has to decide on the commencement date. If this sounds confusing to the non-lawyers out there: the date when an Act is signed into law and the date when it actually applies can be different.

There's another aspect to when Popi's provisions begin to apply. Not only do we need to wait for a commencement date, but Popi also gives everyone an additional year from the commencement date to comply with its requirements.

The fact that everyone who processes personal information still has more than a year to make arrangements to comply shouldn't make anyone wait.

Popi is strict and has substantial penalties. Anyone who contravenes Popi's provisions faces possible prison terms and fines of up to R10-million. Popi also allows individuals to institute civil claims so there's the possibility of further financial loss on top of any fine that may be imposed.

So what can anyone who processes personal information do to ensure that, when the one-year grace period is over, they are Popi compliant? You should, as a bare minimum, consider doing the following:

  • Read the Act. It's not a highly technical piece of legislation. It is long, so if you have time constraints focus on chapter three. It sets out eight conditions for the lawful processing of personal information.
  • Give some thought to the type of personal information you process and how your processing complies with the eight conditions in chapter three. A spaza shop and a huge medical aid scheme could both possibly process personal information but the sensitivity of the information and what Popi would expect of each would be very different.  
  • Consider whether your organisation's operations warrant information security awareness training for your staff. For example, your staff would need to be trained on the simple confidence tricks, such as a phone call to an unwitting staff member, that are often used to access personal information.
  • Train your staff on laptop, data storage and mobile device security. Put procedures in place to limit who can access certain information on those devices and your organisation's computer system.  
  • Ensure that laptops and other mobile devices have passwords and similar security and are preferably encrypted. Try to implement systems and software that allow lost devices to be remotely "wiped clean".  An unencrypted back-up disk that Zurich Insurance lost in South Africa cost it a fine of £2.3-million. You should draft policies dealing with each of these issues and educate your staff on them.  
  • Look at the physical security of the premises where you store the personal information that you process. Do you have reasonable security measures in place such as access control, burglar bars, CCTV and alarm systems? Assess these physical security measures in the light of the type of personal information you process (remember: spaza shop versus medical scheme).  
  • Assess whether any service providers who process information on your behalf have considered and implemented each of the five points above. Put proper contracts in place that compel your service providers to give you assurances that they will also comply with Popi.
  • Given the potential for huge financial losses, consider whether your organisation would be justified in securing cyber insurance.  Your current "generic" insurance policy is not likely to cover losses arising out of a data breach by your organisation.  

Your organisation has more than a year to make changes that will help it comply with Popi.  If you start attending to them now, you should be fully compliant by the time Popi starts showing its teeth.  

Lucien Pierce is an attorney at Phukubje Pierce Masithela Attorneys in Johannesburg.  He specialises in both contentious and non-contentious aspects of commercial law, with an emphasis on communications, media and information security law.  
