In The Public Eye

Protection of Personal Information Act – When, Who, How?

Oupa Mbokodo Oupa Mbokodo

The POPI Act, which was signed into law by President Jacob Zuma on November 26 2013, regulates how anyone who processes personal information must handle, keep and secure that information. It carries strict and substantial penalties for contravention including prison terms and fines of up to R10-million.

Most government organisations – from national departments to municipalities – are in possession of vast banks of personal information – from ID numbers, to addresses, marital status, car ownership details, driver’s license details, social grants details, and even gun ownership details. They are therefore incredibly vulnerable to information theft and have to take steps to ensure compliance with the POPI Act.

Newly established Information Regulator’s chairperson, Adv Pansy Tlakula, announced in March that her office should be fully operational around December 2017 and from that time it is expected that institutions would have a 12 month grace period in which to become fully compliant. The Regulator will be responsible for monitoring and enforcing compliance and handling complaints related to breaches of data privacy.

When should we start preparation?

A snap survey conducted by Grant Thornton at a recent POPI seminar in Johannesburg indicated that:

  • 84% of respondents strongly agree that POPI compliance is important for their organization;
  • 51% and 43% strongly agreed and agreed respectively that POPI compliance is urgent;
  • 18% strongly agreed and 54% agreed that they had the internal resources and capacity to ensure compliance; and
  • 43% agreed while 40% disagreed that they had a detailed project plan in place to ensure POPI compliance.

Government departments and municipalities especially should not underestimate how much time they will need to assess their readiness and then implement appropriate systems. The Act will affect anyone who deals with private personal information – from video footage recorded in public areas to signing the visitors’ book at government buildings. The Act requires that all such information be adequately protected.

Ensuring POPI compliance is a time-consuming process that starts with a comprehensive gap assessment across the entire non-IT and IT and information storage infrastructure – from the receptionist to the administrative clerk. Once the gaps have been identified, then a privacy strategy can be put in place to ensure that the organisation complies with the legislation and data privacy principles.

The compliance strategy needs to include:

  • Establishing data ownership and data classification rules
  • Reviewing organisation processes;
  • Assessing the technologies needed to safeguard the information; and
  • Creating awareness across the organisation so that employees, vendors and other stakeholders know how to treat personal data.

Who does POPI really affect?

Much of POPI really filters down to individual employees and their actions. Employees need to be fully aware of what data they are collecting; they need to define exactly why they’ve collected said data; who is processing the information and for what reason. In some instances staff are collecting data and then passing it on to a third party for processing. They need to know how that data will be protected and when no longer needed, how it will be destroyed.

Under POPI legislation, individuals, organisations and government departments, municipalities and entities would be held accountable and they also risk legal action for not adequately protecting personal information.

If the POPI Regulator was operational already today, a government department or municipality suffering a data breach due to theft or cyber hack, for example, would have had a case to answer should it be found that they did not take adequate steps to protect the data; or if their security systems were inadequate in protecting such highly confidential information.

The sooner institutions start with the process in order to properly comply with this legislation, the better. Data extracted from Grant Thornton’s International Business Report (IBR) conducted in South Africa in 2015 indicated that 91% of business were aware of the POPI Act and were taking steps to comply with it. It is likely that the public sector employees and management are now as aware of the impending changes. The status of readiness to implement the Act is however unknown.

How will it affect public sector processes?

Under the Act, organisation are obliged to report any loss of information to the Regulator, the relevant industry body for the organisation and also to the victim affected. Organisation will be required to inform them of what steps would be taken to rectify the situation. In addition consumers will have the right to complain to the Regulator if individuals believe their personal data has been breached, following which the complaint will be investigated and any guilty parties would be sanctioned.

Organisation will have to prove that they have taken every reasonable step to protect the information they have gathered. A large entity such as a municipality or the Department of Home Affairs for example would require comprehensive non-IT and IT including information security, data storage mechanisms, and data backup and recovery processes (especially if they handle sensitive data) and it would need to prove that it had effectively communicated this policy to its employees and trained them adequately as well.