The Protection of Personal Information Act 4 of 2013

THE PROTECTION Of PERSONAL INFORMATION (POPI) Act 4 of 2013
The Implications of
The Protection of Personal Information Act (POPI)
Presented by: Myron D. B. Betshanger
Corporate Governance, Legal & Regulatory Compliance Specialist

CONTENT
1. The purpose of the Protection of Personal Information Act (POPI) Act
2. Application of The POPI Act
3. Definitions In The POPI Act
4. Condition For Legal Processing of Personal Information
5. Restrictions on Cross-Border Information Flows
6. Automated Decision-making
7. Exceptions
8. FAQs
9. Consequences For Non-Compliance

The purpose of the Protection of Personal Information Act (POPI) is to:
 give effect to the constitutional right to privacy, by safeguarding personal information
when processed by a responsible party, subject to justifiable limitations that are
aimed at:
 balancing the right to privacy against other rights, particularly the right of access
to information; and
 protecting important interests, including the free flow of information within the
Republic and across international borders.
 regulate the manner in which personal information may be processed, by
establishing conditions, in harmony with international standards that prescribe the
minimum threshold requirements for the lawful processing of personal information;
 provide persons with rights and remedies to protect their personal information from
processing that is not in accordance with this Act
PURPOSE of The POPI Act

APPLICATION of The POPI Act
 As a result of the POPI Act, any party that collects, holds and uses a
person’s personal information will have to do so under certain
circumstances.
 The requirements will apply to personal information that is held in
relation to employees, customers, suppliers as well as prospective
customers and prospective suppliers (i.e. bidders) for supply
contracts.

POPI Act DEFINITIONS
WHAT IS PERSONAL INFORMATION FOR PURPOSES OF POPI ?
 “ Personal Information” is information relating to an identifiable, living natural person or juristic
person as far as applicable.
 POPI defines “personal information” very broadly to include, but which is not limited to the
following –
i. Information relating to the race, gender, sex, pregnancy, marital status, national, ethic or social origin,
colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience,
belief, culture, language and birth of the person;
ii. Information relating to the education or the medical, financial, criminal or employment history of the
person;
iii. any identification number, symbol, e-mail address, physical address, telephone number, location
information, online identifier or other particular assignment to the person;
iv. the biometric information of the person;
v. the personal opinions, views or preferences of the person;
vi. correspondence send by that person that is implicitly or explicitly of a private or confidential nature or
further correspondence that would reveal the contents of the original correspondence;
vii. the views or opinions of another individual about the person; and
viii. the name of the person if it appears with other personal information relating to the person or if the
disclosure of the name itself would reveal information about the person.

 “ Processing” means any operation or activity or any set of operations whether or not by automatic
means, connected to personal information including –
(a) the collection, receipt, recording, organization, collation, storage, updating or modification, retrievable,
alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c ) merging, linking, as well as restricting, degrading, erasure or deconstruction of information.
NOTE: POPI only covers the processing of personal information that is entered into a record by or on behalf of a
responsible party that is domiciled in South Africa, or, if not domiciled in South Africa, is using automated or non-
automated means that is situated in South Africa.
 “ Record” means any recorded information –
a) Regardless of the form or medium, including any of the following:
i. Writing on any material;
ii. Information produced, recorded or stored by means of any tape-recorder, computer equipment,
whether hardware or software of both, or other device, and any material subsequently derived fom
information so produced, recorded or stored;
iii. Label, marking or other writing that identifies or describes anything of which it forms part, or to which
it is attached by any means
iv. Book, map, plan, graph or drawing;
v. Photograph, film, negative, tape or other device in which one or more visual images are embodied so
as to be capable, with or without the aid of some other equipment, of being reproduced.

b) whether or not it was created by a responsible party; and
c) regardless of when it came into existence ( NB The retrospective provision in POPI)
 “ Electronic Communications” includes any text, voice, sound and imaged messages and includes the message
being stored prior to the recipient retrieving it. This would include social medium platforms such as Facebook, LinkedIn,
Twitter, etc in addition to e-mails, the Internet and the Intranet.
 “ Consent” for purposes of POPI means any voluntary, specific and informed expression of will in terms of which
permission is given for the processing of personal information.
NB
 It is important to note that “Consent” means specific consent . General consent will therefore not be sufficient and a
specific consent for each instance in which the personal information will be dealt with, must be obtained.
 The consent must have provided for exactly what personal information is required, why it is required, how it will be
dealt with, and where it will be stored.
 The consent must also provide for whether the personal information will be shared

 “ Data Subject” means the owner of the personal information (natural persons and/or juristic persons). In the
procurement context this will mean the bidding or contracting company or services provider, its owners, managers,
directors and employees.
 “ Information Officer” means the person appointed by the responsible party to manage the application of POPI.
 “Operator” means any person acting under a mandate or under contract of a responsible party who has a duty not to
disclose personal information. In the context of procurement this means any third party to whom procurement services has
been outsourced either in whole or in part. The operator must maintain the integrity and confidentiality of personal
information collected.
 “ Responsible Party” A private or public entity or any other person who determines the purpose of and the means for
processing personal information. In the procurement context, this would be the procuring entity often referred to as “The
Employer / The Purchaser” in procurement contracts.
 “Regulator” means the person to be appointed to implement and enforce the provisions of the POPI Act.

Conditions For Legal Processing of Personal Information
POPI sets out EIGHT (8) Conditions that must be complied with, namely –
1. Accountability (Section 8 of POPI)
2. Processing Limitation (Sections 9 - 12 of POPI)
3. Purpose Specification (Sections 13 – 14 of POPI)
4. Further Processing Limitation (Section 15 of POPI)
5. Information Quality (Section 16 of POPI)
6. Openness (Sections 17 – 18 of POPI)
7. Security Safeguards (Sections 19 – 22 of POPI)
8. Data Subject Participation (Sections 23 – 25 of POPI)

Condition 1. ACCOUNTABILITY (section 8 of POPI)
 The Responsible Party must ensure compliance with the conditions for the lawful
processing of personal information.
 Final responsibility for compliance with the provisions of the POPI Act 4 of 2013 and
any regulations issued in terms thereof rests with the Responsible Party even in
instances where the Responsible Party has entrusted the data collection to an
employee or operator (e.g. Outsourced Recruitment Services)

Condition 2. Processing Limitation (sections 9 – 12 of POPI)
 Processing of Personal Information must be lawful – there must be some
justification or reason for the processing of personal information.
 Processing of personal information must be done in a reasonable manner that does
not infringe on the privacy of the Data Subject and only if, given the specific purpose
for which it is processed, it is adequate and not excessive.
 Processing of personal information must take place with consent of Data Subject or
out of necessity.
 Where personal information is processed with the consent of the Data Subject, such
consent must be informed consent given voluntarily and specifically for a
particular purpose for which it is collected.
 Personal Information should be collected directly from the Data Subject except where -
 It would prejudice a lawful purpose, e.g. the protection of public safety.
 It is contained in a public record or is in the public domain e.g. social media such as Facebook.
 Voluntary Consent may be withdrawn at any time provided that the lawfulness of the
processing will not be affected.
 Data subject may lodge an objection if of view that processing of personal information does not
protect his/her legitimate interests or is not necessary for the performance of a public duty or does not
protect the interests of the Responsible Party.

Condition 3. Purpose Specific (sections 13 – 14 of POPI)
 Personal Information must be collected for a specific, explicitly defined and lawful
purpose.
 The Data Subject must be made fully aware of the purpose for which his/ her personal
information is being processed.
 Subject to certain exceptions, records of information must not be retained longer than is
to achieve the specific purpose for which it was collected and processed.
 Records no longer required or for which the Responsible Party no longer has
authorisation, must be destroyed in a manner that prevents their reconstruction.

Condition 4. Further Processing Limitation (section 15 of POPI)
 Any processing of Personal Information must be compatible with the purpose for
which it was initially collected.
 The “compatibility” of any further processing with the initial purpose can be ascertained by
consideration of -
 The relationship between the purposes
 The nature of the information
 The consequences for the Data Subject
 The manner in which the information was collected
 Any contractual rights existing between the parties
 The further processing of personal information would be compatible if –
 The Data Subject consented
 The Personal Information is available in the public record
 The Data Subject has deliberately made the personal information
public, e.g. by placing the information on social media platforms such
as Facebook.
 Necessary to prevent a threat to public health, public safety or the
protection of life or health of other Data subjects.
 The personal information is used for historical, statistical or research
purposes

Condition 5. Information Quality (section 16 of POPI)
 The Responsible Party must take reasonable practicable steps to ensure that
personal information is –
 Complete
 Accurate
 Not misleading; and
 Regularly updated where necessary
 Data subjects not only have right if access to personal information that a Responsible
Party holds about them, but also have the right to have this information corrected if and
where necessary.

Condition 6. Openness (sections 17 – 18 of POPI)
 The Responsible Party must maintain documentation of ALL processing operations as referred to
in section 14 or section 51 of the Promotion of Access to Information Act (PAIA)
 The Regulator must be advised and kept abreast of ALL processing operations –
 only need to notify once and not each instance of processing
 In instances where the processing operations is different than that of which the
Regulator was initially notified, the Regulator must be notified within 365 days (1 year)
 The Responsible Party must take reasonable steps to notify the Data Subject of –
1. The information being collected.
2. The purpose for which the personal information is collected
3. Whether the provision of the personal information is voluntary or mandatory
4. The consequences of failure to provide personal information
5. Any particular laws and/or regulations that applies
 The steps to notify the Data Subject about the collection of personal information must be taken –
 Prior to collection where the information is collected directly from the Data Subject; and
 In all other cases, before collection or as soon as reasonably practicable.
 Non-compliance with condition 6 is only permissible if -
1. The Data Subject consented
2. Non-compliance will not prejudice the legitimate interests of the Data Subject
3. Non-compliance will serve a awful purpose such as the protection of public safety

Condition 7. Security Safeguards (sections 19 – 22 of POPI)
 The Responsible Party must secure the integrity and confidentiality of personal information in its
possession by taking appropriate and such reasonable technical and organisational measures to
prevent –
 Loss, damage or unauthorised access
 Unlawful access to, or processing of personal information
 The Responsible Party must take all reasonable measures to:
 Identify all reasonable foreseeable internal and external risks
 Establish and maintain appropriate safeguards against the risks
 Regularly verify that all safeguards are being adequately implemented
 Ensure all safeguards are continuously updated in response to new risks or deficiencies
in previously implemented safeguards.
 Where the Responsible Party has outsourced the processing of personal information, the
Responsible Party must –
 Ensure that The Operator establishes and maintains appropriate safeguards
 Ensure that The Operator treats the personal information confidentially
 Conclude written contracts with The Operator that regulates the manner in which the
processing of personal information by The Operator will take place
 The Responsible Party must, in the event of security breaches, notify both the
Regulator and the Data Subject(s).

Condition 8. Data Subject Participation (sections 23 – 25 of POPI)
 The Data Subject has a right to request certain information from The Responsible
Party, namely –
 Confirmation where the personal information is being held
 A description of the information being held
 That The Responsible Party correct or delete personal information that is
inaccurate, irrelevant, excessive, out of date, incomplete, misleading or
obtained unlawfully.
 That The Responsible Party destroy or delete a record that the latter is no
longer entitled to retain.
 Where the Data Subject request personal information to be amended, the Responsible
Party must comply with the request or attached the amendment request to the
information if it is not amended.
 The Responsible Party may only refuse a Data Subject’s request for information on
the basis of any of the grounds set out in the Promotion of Access to Information
Act (PAIA) 2 of 2002.

Restrictions on Cross-Border Information Flows
 Cross-border transfers of personal information are only permitted if there is some justification such
as –
 The consent of the Data Subject has been obtained for the transfer of his/her personal
information,
 The cross-border transfer of personal information is a contractual necessity,
 Where there are binding corporate rules or an agreement which provide an adequate level of
protection,
 Where the recipient of the data is regulated by an adequate level of data protection in the country
where the data is to be received.
 Where the transfer of personal information is beneficial to the Data Subject and the Data Subject
would in all likelihood grant such consent.
NB - It is however always best practice to obtain the voluntary and informed consent of the
Data Subject prior to transferring any data outside the Republic of South Africa.

Automated Decision Making
 Examples of automated decision-making would be:
 Using software to create a profile of a Data Subject, including his/her
• Performance at work
• Creditworthiness
• Reliability
• Location
• Health
• Personal preferences, or
• Conduct
 A Data Subject may not be subjected to a decision resulting in legal consequences for, or affecting,
him or her to a substantial degree if the decision is based solely on automated processing.
NB - There is an exception to the principle if the automated decision has been taken in terms of an
employment contract or is authorized by a law or code of conduct. As long as appropriate
measures are taken to protect the employee’s (Data Subject’s) legitimate interests, the
automated decision-making will be lawful.

Exceptions to POPI Requirements
1. The Regulator may on application authorise the processing of personal information and
such processing will not be in breach of the POPI Act 4 of 2013.
2. The are a number of listed exceptions for specific categories of special personal
information, including if the processing of the personal information is –
 In the public interest, or
 Relates to an important economic and financial interest of a public body, or
 Is necessary for historic, statistical or research activity

FREQUENTLY ASKED QUESTIONS (FAQs)
The following are examples of some of the questions that arise in respect of the POPI Act:
 Can an organization (company) be both a Responsible Party and Data Subject ?
A. Yes ! Where the organization collects and process personal information of its employees, suppliers and
customers it will be a Responsible Party.
Where an organization provides information to for example Regulators, The Registrar of
Companies on who its founders, directors, senior executives, senior managers are or to the
Department of Labour, it will be a Data Subject.
 The Companies Act 73 of 2008 also requires the public display of information such as director’s
details ?
A. Generally, the POPI Act would not apply to such personal information, provided that there is minimum
disclosure of what is absolutely necessary.
 How must companies deal with their Hotline Calls where personal information may be disseminated
and/or investigations could occur that will involve the processing of personal information but which
may not lead to disciplinary action or a finding of guilt ?
A. The processing of personal information in these circumstances is exempted in terms of section 6 of POPI
as –
(1) the purpose for which could be the prevention, detection (including the identification) of the
proceeds of unlawful activities or the investigation or proof of offences, and/or
(2) it is being executed by or on behalf of a public body.

 How do organizations deal with future/existing employees in terms of consent in compliance with
the POPI ?
A. In respect of existing employees, the organization must consider the type of Personal Information in
relation to the justification provisions, namely –
I. Whether there is already consent for the purpose;
II. Whether it is necessary to carry out an action in relation to the employment contract with
that employee;
III. Whether it is necessary to comply with an obligation imposed by law;
IV. Whether it protects the legitimate interests of that employee;
V. Whether it is necessary for the organization to comply with a public law;
VI. Whether it is necessary for pursuing the legitimate interests of the organization or a third
party to whom the personal information is supplied.
The employee must be given notice of the use of the personal information and may withdraw his or her
consent. Should the personal information be processed in terms of ii to vi above, the employee may
only object on reasonable grounds, unless there is legislation that provides for processing.
The provisions in relation to consent also apply to medical screening and requests for employment
confirmation.
In respect of future employees, all documentation in relation to the collection of personal information,
or other mediums such as telephones or the internet, etc. being utilized, the organization must inform
the new or prospective employee of the specific reasons the personal information is being collected
and obtain their specific consent for the processing. All documents and procedures will have to comply
with the 8 Conditions for the lawful processing of personal information except to the extent where
exclusions, exemptions and specific categories apply.

 Are there any specific requirements relating to IT such as encryption, access control, etc. ?
A. There are no specific information technology related requirements prescribed by POPI. In terms of
Condition 7 of POPI (Security Safeguards), an organization must secure the integrity and
confidentiality of personal information by taking appropriate, reasonable technical and
organizational measures.
In doing so, the organization must have regard to -
i. generally acceptable information security practices; or
ii. industry specific practices; or
iii. professional rules and regulations.
 How do organizations deal with situations where the processing and storage of personal
information is being outsourced ?
A. This entail personal information processed by an Operator or persons acting under the authority of the
organization. In such cases the Operator must:
i. Process (i.e. receive, store, allow access to and return) personal information only with the
knowledge of the organization; and
ii. Treat the personal information which come to their knowledge with the high level of integrity
and confidentiality and not disclose it.
In addition to the above, and insofar as security measures is concerned, the organization must ensure
that there is a written contract with operators acting on behalf of and under the authority of the
organization which imposes upon them the obligation to:
i. establish and maintain security measures;
ii. Immediately notify the organization where there are reasonable grounds to believe that
there was or is unauthorised access to personal information.

 In a corporate group set up in which various subsidiaries exist or in which there are various
Business Units (Operating Divisions), how should personal information be treated that is being
shared between the business units/operating divisions ?
A. Any access to/sharing of personal information will amount to processing in terms of POPI even if
this occurs between the various business units / operating divisions of the same organization.
 How does POPI affect an organization’s internal investigative processes and lifestyle audits it
conducts on employees ?
Must the organization first obtain the consent of the Data Subject concerned for the above
processes ?
A. The processing of personal information in the above circumstances may be exempt in terms of
section 6 as –
1) the purpose for which it is processed could be the prevention, detection, including the
identification of the proceeds of unlawful activities or in the investigation or proof of
offences.
2) it may be by or on behalf of a public body.
Furthermore, in terms of the justification provisions it is justifiable to process personal information when
it is necessary to carry out an action in relation to the employment contract with that employee; in this
instance in relation to an audit, investigation and/or disciplinary proceeding.
It is also justifiable when it is necessary for pursuing the legitimate interests of the organisation, as the
case would be.

 How should organizations deal with social media under POPI ?
A. Given the wide definition of personal information and processing in POPI , social media (i.e.
Facebook, LinkedIn, Whatsapp, etc) will certainly involve the processing of personal information.
It must firstly therefore be considered whether the processing of personal information is by or on behalf
of the organization or whether it is processed by employees who are not acting in the course and
scope of their duties.
Should the processing be by or on behalf of the organization, then it would importantly require that the
Data Subject be informed, at the time of requesting the personal information, that such personal
information may be processed through social media platforms.
The processing of personal information on social media should also comply with other conditions or
lawful processing.
The issue of vicarious liability must be carefully considered although it is not expressly covered in the
POPI Act. Generally , an organization would be vicariously liable in civil law for any wrongful act
committed by its employee while in the course and scope of his/her duties or in any activities
reasonably incidental thereto.
An organization could even be found liable where it could be seen that it has passively approved, or
not expressly prohibited, these activities even though they may fall outside the course and scope of
employees’ duties.
It is therefore critically important that organizations ensures that the processing of personal
information such as defamatory, discriminatory or racist opinions, views and preferences whether via
social media, e-mail or the intranet, does not occur at the workplace

Consequences Of Non-Compliance With The POPI Act
 FINE and/or IMPRISONMENT (not exceeding 10 Years)
 Any person who hinders, obstructs, or unlawfully influences the Regulator or any person acting at
the direction of the regulator;
 An employer who fails to comply with an enforcement notice;
 An employer who violates any conditions of processing of an account number.
 FINES
 Administrative Fines :
o The Regulator may issue an infringement notice in the event of an alleged contravention of
the provisions of POPI.
o The Regulator must specify the amount of the administrative fine which may not exceed
ZAR 10 million.
o The Transgressor may within 30 days of receipt of the infringement notices
a) elect to pay the fine so determined by the Regulator, or
b) make instalment arrangements with the regulator to pay such fine as imposed, or
c) take the Regulator’s determination on review to the High Court.

Consequences Of Non-Compliance With The POPI Act
 Civil Damages
 The Data Subject may sue the Transgressor for damages or may request the Regulator to sue for
damages.
 The principle of strict liability applies, meaning its not necessary for the Data Subject or the
Regulator on behalf of the Data Subject to prove intent or negligence.
 The amount of damages that may be awarded is punitive and far in excess of what can
presently be awarded under South African law.
i. The damages could include monetary and non-monetary loss;
ii. Aggravated damages,
iii. Interest and costs
 Fact that court order must be published in the Government Gazette and requirement that
appropriate be made can inflict great reputational damage on organizations.

THANK YOU
MYRON D. B. BETSHANGER
Corporate Governance, Legal & Regulatory Compliance Specialist
16 Verveen Street
Westenburg
Polokwane, South Africa
Mobile: +27 74 780 3862
e-mail: betshangermyron2@gmail.com
LinkedIn: https://za.linkedin.com/pub/myron-duncan-burton-betshanger/37/219/1b8
Twitter: @betshangermyron

The Protection of Personal Information Act 4 of 2013

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to The Protection of Personal Information Act 4 of 2013 (20)

More from Myron Duncan Burton Betshanger (17)

Recently uploaded (20)

The Protection of Personal Information Act 4 of 2013