printer friendly version

Beware of PoPI non-compliance

The Protection of Personal Information Act (No. 4 of 2013) (or PoPI Act) is soon to be promulgated in South Africa. Jenny Reid of iFacts recently discussed the matter with Kevin McCallum of Tuckers Incorporated, who specialises in corporate legal matters.

McCallum says that the PoPI Act, although already an Act of Parliament, has not yet come in to full effect. It will only take effect once the President of South Africa signs a proclamation declaring the Act to actually be in effect. By all accounts, compliance with the Act will then be enforced 12 months after its proclamation. It is, however, worthwhile preparing for its inception right now.

Being caught short for non-compliance could have disastrous consequences, given the onerous requirements placed on the collector of personal information and the huge penalties expected to be imposed for the breach of, or non-compliance with, the Act.

A number of companies and institutions have already begun moving towards full compliance with the Act, in anticipation of it coming into effect. This is partly because compliance requires a serious shift away from the haphazard or random collection of personal information. The Act also limits the use of personal information, as this information now cannot be used for just any purpose the collector desires. This includes adequate protection of information so that it cannot be used and shared by unauthorised parties. The Act has its origins in Section 14 of the Constitution of the Republic of South Africa (Act No. 108 of 1996), which governs our rights to privacy.

The collection of personal information in respect of a person (impersonally called a ‘data subject’ in the Act) will require the consent of that particular data subject. The data subject must know and understand the precise purpose for the collection of any information, how it will be utilised, how the information is to be protected against distribution or theft by unauthorised parties, how long it will be retained, and how it will be destroyed when it is no longer required (Section 13 of the Act).

Unlawful retention, distribution, sharing or unauthorised use of personal information may result in non-compliance with the Act, which will carry onerous penalties of up to R10 million in fines, and could even result in jail sentences (in some instances of up to 10 years, depending on the seriousness of the breach or non-compliance).

Section 14 of the Act governs the length of time for which personal information is to be securely retained. Generally the information should only be retained, in a secure manner, for as long as is required to achieve the purpose for which it was collected. Subsequent to this, it should be destroyed to prevent it becoming available to unauthorised users.

As an example, an employee also has the right to challenge the correctness of the information collected, so information should be retained long enough to afford that opportunity.

The PoPI Act in its entirety is more complex than can be dealt with here and contains numerous provisions under which various categories of personal information can and/or must be retained, shared or destroyed. In addition, there are various exceptions to those provisions. Various other statutes and laws may govern the period for which various types of information must be retained and those statutes would have to be read in conjunction with the PoPI Act.

Individuals, companies and other entities who are involved in the collection of personal information are urged to read and familiarise themselves with the PoPI Act. It is advisable to take legal advice to ensure strict compliance before, even inadvertently, falling foul of its provisions and suffering the potentially huge penalties for breach of its provisions.

Ignorance of the law may not be sufficient to save you from the Act when it comes into operation.

Share this article:

Further reading: