21 Dec The POPI Landscape
South Africa has become well known for its escalating fraud levels, especially identity fraud. There is no doubt that protection of the identity and personal information of both natural and juristic persons is long overdue. The South African Legislature has therefore finally decided to work towards giving effect to Section 14 of the Constitution of the Republic of South Africa, 1996 (the right to privacy), and towards ensuring that the identity and personal information of persons are protected against such crimes, through the enactment of the Protection of Personal Information Act, No. 4 of 2013 (“POPI”).
The main purpose of POPI is ‘to promote the protection of personal information processed by public and private bodies; to introduce information protection principles so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected herewith’.
Like international data protection laws, Chapter 3 of POPI sets out 8 Information Protection Principles or Conditions that must be complied with to ensure the lawful processing of personal information in general:
- Organisations are responsible for ensuring compliance with the conditions set out in POPI.
- Personal information must be processed in a rational and lawful way, which ensures that the privacy of the data subject is in no way infringed. The personal information has to be adequate, relevant and not excessive given the purpose for which it is processed, and must be collected directly from the data subject and with the consent of the data subject.
- Personal information which has been collected and processed cannot be used for any purpose other than the purpose for which it was collected and processed. Furthermore, information cannot be retained for longer than necessary and will have to be destroyed if no longer required. For example, if the Law Society of South Africa collects and processes personal information relating to attorneys for a specific purpose, the Law Society cannot give out the personal details of those attorneys to PPS to help PPS with potential insurance sales.
- ‘Further processing is to be compatible with the purpose of collection.’
- The responsible party must ensure that the personal information is updated regularly and that it is not misleading.
- The responsible party must inform the data subject as well as the Information Regulator before processing any personal information.
- The responsible party must at all times ensure that the personal information is protected and should have some kind of strategy in place to ensure the protection of personal information.
- The data subject is entitled to access or request the correction or deletion of any personal information held about him/her which may be inaccurate, misleading or outdated.
Failure by a responsible party to comply with the eight conditions or principles of POPI may result in criminal fines, civil liability and complaints to the Regulator.
With the enactment of POPI, it would definitely be difficult for criminals to gain access to the personal identifications of persons. Hopefully, organisations will make it a priority to ensure the protection of the personal information of their customers or clients and will fear the risk of criminal sanctions for non-compliance with POPI. Whether POPI will prove to be the key to decreasing identity fraud within South Africa is a question which can only be answered in the near future.