Finally, as of 1 July 2020, the remaining provisions of the Protection of Personal Information Act (POPIA) have become effective. We all now have one year to reach a state where we are compliant with this legislation. This period could possibly be extended, but we cannot rely on this occurring.
POPIA applies (with exceptions) to the processing of personal information in a record by, or on behalf of, a responsible party.
It is important to understand the meaning of the words ‘processing’, ‘personal information’, ‘record’ and ‘responsible party’.
Personal information is widely defined and includes almost all information about a living, identifiable person (and where applicable juristic persons), including race, gender, pregnancy, marital status, medical history, contact details, biometric information, their personal opinions amongst other information (note for POPIA purposes, personal information about a deceased person is not personal information). It does not include de-identified information.
Processing is also widely defined and includes almost anything one does with personal information, including, receiving or collecting it, storing it (electronically or physically), filing it, or destroying it.
A record means any recorded information regardless of the form in which it is recorded. So a record includes electronic and paper information, x-rays, photos, labels, drawings, graphs, maps, etc which is in the possession of the responsible party (whether or not they created it).
A responsible party means the person who determines the purpose and means for processing information. In the retirement funds context, it will be mainly retirement funds (and employers) that are responsible parties. Their service providers, such as administrators and consultants will be operators. Operators process information for, or on behalf of, responsible parties. As an example, a retirement fund determines how its operators will process the personal information of the fund’s members (and others). Thus, the fund enters into an administration agreement with the administrator determining the purposes for which that administrator will process personal information on its behalf.
Responsible parties are required to comply with the Eight Conditions every time they process personal information, from the first time onwards. Importantly, they must also ensure that their operators comply with the Eight Conditions. It is therefore important for responsible parties to ensure they contract only with operators that are POPIA compliant, and many responsible parties will seek to bind their operators contractually to ongoing POPIA compliance.
While POPIA sets out the Conditions, it also provides a number of ‘exceptions’ or ‘authorisations’. If your processing falls within one of these exceptions or authorisations, the relevant Condition does not apply. This makes POPIA fairly complex to implement, as one needs to understand both the Conditions and the exceptions or authorisations that apply to each of them.
This does not give us much information about each Condition, so it is necessary to dig a little deeper. The Eight Conditions consist of more than eight requirements, which are simply grouped under the Eight Conditions. In the diagram below the number corresponds to the Condition number, and there is often more than one requirement per Condition.
So, in more detail, the Eight Conditions with which responsible parties must comply when processing personal information appear below.
*PI refers to Personal Information
**RP refers to Responsible Party
It is not enough to simply comply with the Eight Conditions. There are many other provisions of POPIA, which we need to understand and with which we need to comply, for example:
With the exception of a brief discussion concerning special personal information and Information Officers, we have not discussed these other requirements in this note.
Special personal information is personal information that is very confidential and requires special protection.
The classes of special personal information are:
The general rule under POPIA is that a responsible party must not process special personal information. However, it may do so if one of the following applies:
It is probable that in the future the Information Regulator will consider setting further rules with respect to these specific authorisations, especially with respect to the class of health and sex life.
Every responsible party must have an Information Officer. The Information Officer is automatically the head of a juristic person (like a company or a fund). The head of a juristic person is generally the Chief Executive Officer (CEO) or someone the CEO has authorised to be the Information Officer. In a retirement fund context, this may be the Principal Officer of a fund or whomever the Principal Officer has authorised to hold this position.
Information Officers have to be registered with the Information Regulator, which has issued a draft notice on registration requiring these registrations to be completed on the prescribed forms by 31 March 2021. The Information Officer may appoint Deputy Information Officers but remains responsible for his or her statutory obligations. Information Officers and Deputy Information Officers must receive appropriate training and keep abreast of the latest developments under POPIA and the Promotion of Access to Information Act.
The draft notice referred to above sets out some of the statutory duties of Information Officers, which are:
Assuming the Fund is the responsible party, the following actions are required to be compliant with POPIA on an ongoing basis:
1. There must be a written contract between the responsible party and all identified operators which, among other things, ensures that each operator establishes and maintains the security measures referred to in s19.
2. In terms of s5(a)(i), members must be notified that their personal information is being collected. The member (data subject) has the right to be aware of:
3. Under s19 the responsible party must review and implement security measures to:
4. Appoint an Information Officer. By default, the Principal Officer will be the Information Officer.