POPI for dummies
The POPI Act regulates whatever you do with whoever else’s personal information.
Raise your hand if The Protection of Personal Information (POPI) Act confuses you as well.
If your hand is up there, don’t feel alone. POPI tends to boggle the best of minds.
- What is POPI all about?
We have two Constitutional imperatives that clash. On the one hand, there’s the democratic imperative of a free flow of information. On the other hand, the right to privacy of individuals needs to be protected. The act seeks to balance these two truths in a justifiable way.
- Has the act come into force yet?
Partially.
- When will my business have to be fully POPI compliant?
Twelve months after the act has fully come into force.
- When will that be?
I do not know. No average Joe knows. Everyone’s guessing it will be anytime soon.
- How will POPI affect me?
POPI will affect us all. This is because the act applies to anyone who keeps record of anyone else’s personal information.
POPI will dictate how you obtain, keep, store, share and do away with such data.
Let me rephrase: The POPI Act regulates whatever you do with whoever else’s personal information.
- Who will be allowed to access or process my personal information?
POPI ensures that your personal information may not be accessed by another without your knowledge.
Exceptions will apply in obvious situations, such as when a life/death situation requires it or the police needs to access a suspect’s personal information. If information is on the public record, it will not be wrong to obtain or process it.
- What should I remember when gathering someone’s personal information?
You need that person’s permission. The act refers to that person as the “data subject.”
The data subject must know who you are, why you need the information and what you want to do with it. You must provide the data subject with your contact details, allowing them to update your records of their personal information and to revoke their permission for you to have or use it – something they may do in terms of the act.
The data subject must be told whether he/she is obliged to produce the personal information or whether they can choose to do so or not.
If the information is collected in accordance with a law, this should be stated.
- What do I do with the personal information I had collected?
Use it only as agreed to by the data subject.
Take good care of it – act reasonably to prevent it from being leaked.
If you are an employer, your employees must be made aware of their responsibilities in terms of the act.
- What to do if personal information has been leaked or compromised?
The Information Regulator (IR) facilitates the implementation of the act.
Any leak of personal information must be reported to the IR and the data subject in a way that allows the data subject to protect him/herself against possible negative consequences.
- What does POPI mean when it comes to direct marketing?
This is dealt with in section 69. No direct marketing may be conducted electronically unless the data subject has consented thereto. The marketer may approach the subject only once to obtain consent.
Anyone uses electronic direct marketing must disclose the identity of the advertiser and provide the consumer with an opt-out route. The rules of personal information collection apply here as well – any person whose information is sought must be offered the opportunity to consent thereto.
If the data subject feels that his/her rights in terms of the POPI Act have been infringed upon, he/she may approach the IR, who facilitates the implementation of the act.
- Penalties
These are discussed in sections 100-106 of POPI.
Maximum penalties are a fine or imprisonment of not more than 10 years – or both. Less serious offences bare a fine and/or imprisonment of 12 months or less.
- POPI and the media:
The POPI Act will not apply to the processing of personal information for certain journalistic purposes. Journalists who seek to be exempted from the act’s application will most likely have to prove that they subscribe to a code of ethics that meets certain minimum standards. The exact meanings of relevant sections have not yet been confirmed.
Also read: Mienke Mulder is terug by die huis
Also read: Protests force early Easter break
