POPIA is the South African personal information privacy law, the Protection of Personal Information Act. All organisations collecting, holding and processing personal information have to comply with this law in a proportionate and demonstrable manner by 1 July 2021.
Through its processing conditions, the Act regulates and protects personal information through its entire lifecycle of collection, transfer, storing, and deletion.
At collection, for example: is the person correctly informed of what the information will be used for, is a lawful basis applied correctly, and is excess information being collected?
One of the conditions or principles, Accountability, covers the entire lifecycle of personal information flow in an organisation. It means that the CEO or the head of an organisation is accountable for enabling the organisation’s entire privacy framework.
Why do these principles matter? Because they are the soul of the Act: everything about the regulation is built around them.
The 3 parties in POPIA
In order to place the principles in their context, we first need to describe the roles of the organisations and people that POPIA recognises.
The data subject is a juristic or natural person to whom the information belongs. This is the person whose information must be protected and only used for the lawful basis they have accepted.
The responsible party is a public or private body or any person who requires personal information to be processed in order to meet the purposes of the permitted transaction.
The operator is a party who processes personal information for a responsible party.
The eight principles or conditions are as follows:
Principle 1 – ACCOUNTABILITY – the head of the company is ultimately responsible for complying
Principle 2 – PROCESSING LIMITATION – usage must be lawful, with the minimal amount of information necessary
Principle 3 – PURPOSE SPECIFICATION – collected, used and retained for a specific purpose, related to your organisation’s activity
Principle 4 – FURTHER PROCESSING LIMITATION – further processing must be compatible with the original purpose for collection
Principle 5 – INFORMATION QUALITY – ensure that the personal information is up-to-date, complete and accurate
Principle 6 – OPENNESS – things you need to tell the person when you collect their personal information
Principle 7 – SECURITY SAFEGUARDS – measures to prevent loss of, or unauthorised access to, personal information
Principle 8 – DATA SUBJECT PARTICIPATION – the information does, after all, belong to someone else; they must be able to access it
These principles form the core of the regulation, and all the actions and procedures required to meet compliance revolve around them; that is why they matter. Note that I have kept the text simple and easy to understand; obviously one could write a lot more about each of these.
What must one do to meet the 8 principles or conditions?
This is the big question that we constantly get asked, and really the answer is creating and managing a privacy compliance program in an organisation.
This program comprises the organisational and technological measures that must be put in place to ensure initial and ongoing compliance with the POPIA regulation.
The areas covered by an ongoing privacy program are:
- The role and appointment of the information officer
- Operational compliance in the areas of:
  - Consent management
  - Electronic marketing
  - Human resources
  - Information technology and security
- Mapping the flow of personal and sensitive data
- Governance
- Employee awareness
- Data subject access requests
- Breach logging and management
All the areas above require ongoing effort by an organisation to manage and control. They all serve to meet the requirements of the original POPIA principles.