According to Lesego Makofane, Candidate Attorney at Jurgens Bekker Attorneys’ Bedfordview branch, the Protection of Private Information Act 4 of 2013 (POPI Act) sets out how businesses can legally process the personal information under their control, while offering individuals a certain degree of peace of mind that their personal information will be less easily accessible.
It is also designed to protect individuals from harm by placing a duty on businesses to take the necessary steps to protect the personal information under their control. The POPI Act gives effect to the Constitutional right to privacy by protecting personal information handled and/or processed by a responsible party (a public or private body), subject to limitations aimed at balancing the right to privacy against other rights. It does so by protecting important interests, including the free flow of information within the Republic, by regulating the manner in which personal information may be processed, and by providing persons with rights and remedies to protect their personal information. Makofane discusses how businesses can ensure compliance with the Act, and more.
1. Appoint or reassess the role of the information officer
Where an organisation, company or institution does not have an information officer, it must appoint one. No formal process is prescribed for appointing an individual as information officer. By default, the information officer of any private organisation, company or institution is the CEO, but these duties can be delegated.
2. Create awareness in the workplace
This can be achieved by taking the necessary steps to ensure that all employees understand what data privacy legislation means and what is required of them. Interactive awareness training is a good way to start.
3. Personal information impact assessment
Once all employees are informed, it is important that they understand what information is being collected; how it is being stored, processed, protected and destroyed; and whether such information was collected with the prerequisite consent. Only then will they be in a position to identify the gaps.
4. Develop a compliance framework, which can include processes and policies
These may include but are not limited to the following:
– Updates to the employment contract.
– Updates to supplier agreements.
– Changes to marketing practices, by including an opt-in and opt-out option.
– Implementation of policies such as:
i. Personal information sharing policy.
ii. Security compromises policy, subject access request policy and CCTV camera policy, to mention a few.
The compliance framework should be properly implemented, monitored and maintained, as policies and procedures alone without proper implementation do not guarantee compliance.
What are the penalties if a business does not comply with the act?
Contravention of, or non-compliance with, the POPI Act could, upon conviction, lead to a fine, imprisonment of 12 months to 10 years, or both, and/or a damages claim by the person to whom the personal information relates. It does not matter whether the contravention or non-compliance was the result of negligence or intention.
Do businesses need to get permission to contact consumers already on their direct mailing lists?
The processing of personal information for the purpose of direct marketing by means of electronic communication is prohibited unless the person to whom the personal information relates gives their express consent, or is an existing customer and the personal information was obtained in the context of the sale of a product or service. Even then, such a person must be given a reasonable opportunity to object to receiving any direct marketing, both when the personal information is first collected and on each occasion that direct marketing is sent to the consumer (opt-in or opt-out).
Any communication for the purpose of direct marketing must contain the details and identity of the sender, and any such email must have an address or contact details of the sender where the recipient can request that such communication stop.
What are the requirements and regulations that organisations should adhere to for handling customers’ information and online payments?
A responsible party must take ‘appropriate reasonable technical and organisational measures’ to secure the integrity and confidentiality of personal information in its possession or under its control. A responsible party should consider the extent to which they process personal information as well as the nature of the personal information to assess which measures are appropriate.
Section 19(2) of the POPI Act sets out the following requirements for a responsible party or organisation:
1. Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control, ideally evaluating any flaws in its existing data protection systems, in order to establish which of its systems and/or processes leave personal information at risk.
2. Establish and maintain appropriate safeguards against the risks identified: once an organisation knows where its vulnerabilities lie, it should implement practical measures to address them, including appropriate IT solutions such as anti-virus software, firewalls and the like.
3. Regularly verify that the safeguards are effectively implemented. Once these practical steps have been taken, the organisation should ensure that these steps actually work.
4. Ensure that these safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. Organisations should be mindful that compliance with the POPI Act is an ongoing process and not a once-off activity.