A SUMMARY OF “POPI” THE PROTECTION OF PERSONAL INFORMATION ACT, ACT No. 4 OF 2013
The purpose of the Act is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed.
WHEN WILL IT COME INTO FORCE?
The Act was signed into law in November 2013, and in April 2014 certain sections of the Act came into force. The sections which came into force were:
- the sections giving the definitions of certain terms that are used in the Act;
- the sections dealing with the appointment of the administrative body that will oversee the operation of the Act, namely the Information Regulator; and
- the sections empowering the Minister and the Information Regulator to make regulations as regards the implementation of the Act.
Everybody is now awaiting the final implementation of the Act which we think is imminent. The reason for this belief is that the office of the Information Regulator has been filled (by Adv. Pansy Tlakula and some other members) and they will soon have the capacity to implement the Act.
Once the Act comes into force, we will have 12 months to bring our business practices in line with the new laws.
The cross referencing in the Act is particularly confusing and makes it difficult to read and understand. The compliance requirements emphasize that once again we are going to be up to our eyeballs in more red tape.
WHO DOES THE ACT APPLY TO?
The Act applies to anyone who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving, or using such information; or disseminating, distributing or making such personal information available. The Act will also relate to records which you already have in your possession.
KEY DEFINITIONS
“data subject” – you or me, being a person to whom personal information relates.
“direct marketing” – sending a data subject an electronic communication about goods and services that you are promoting or offering to supply in the ordinary course of business, or requesting a donation of any kind for any reason.
“processing” – any operation or activity concerning personal information.
“record” – any recorded information, regardless of when it came into existence.
“responsible party” – a public or private body or any other person which determines the purpose of and means for processing personal information.
WHAT ARE OUR RIGHTS?
We all have the right to be told if someone is collecting our personal information, or if our personal information has been accessed by an unauthorised person. We have the right to access our personal information. We also have the right to require our personal information to be corrected or destroyed, or to object to our personal information being processed.
The Act does not apply to personal information processed in the course of a personal or household activity, or where the processing authority is a public body involved in national security, defence, public safety, anti-money laundering, or the Cabinet or Executive Council of the province or as part of a judicial function.
Personal information can only be processed: (section 11)
- with the consent of the “data subject”; or
- if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
- if it is required by law; or
- if it protects a legitimate interest of the “data subject”; or
- if it is necessary to pursue your legitimate interests or the interests of a third party to whom the information is supplied.
We all have the right to object to having our personal information processed. We can withdraw our consent, or we can object if we can show legitimate grounds for our objection.
A Responsible Party has to collect personal information directly from the “data subject”, unless:
- the information is contained in some public record or has been deliberately published by the data subject;
- collecting the information from another source does not prejudice the subject;
- it is necessary for some public purpose or to protect your own interests; or
- obtaining the information directly from the subject would prejudice a lawful purpose or is not reasonably possible.
You can only collect personal information for a specific, explicitly defined and lawful purpose and the subject must be aware of the purpose for which the information is being collected. (section 13)
Once the personal information is no longer needed for the specific purpose, it must be disposed of (the subject must be “de-identified”), unless you need to keep it (or are allowed to keep it) by law, or you need to keep the record for your own lawful purpose or in accordance with the contract between yourself and the subject, or the subject has consented to you keeping the records. (section 14)
You are entitled to keep records of personal information for historical, statistical or research purposes if you have established safeguards to prevent the records being used for any other purposes.
Records must be destroyed in a way that prevents them from being reconstructed.
You can only use personal information that you have collected for the purpose which you collected it for. (section 15)
Documentation relating to personal information and how it has been processed must be maintained as referred to in section 14 or 51 of the Promotion of Access to Information Act.
When information is being collected, subjects must be made aware of: (section 18)
- the information that is being collected and if the information is not being collected from the subject, the subject must be made aware of the source from which the information is being collected;
- the name and address of the person/organisation collecting the information;
- the purpose of the collection of information;
- whether the supply of the information by the subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- whether the information is being collected in accordance with any law;
- if it is intended for the information to leave the country, what level of protection will be afforded to the information after it has left South Africa;
- who will be receiving the information;
- that the subject has access to the information and the right to rectify any details;
- that the subject has the right to object to the information being processed (if such right exists);
- that the subject has the right to lodge a complaint to the Information Regulator. The contact details of the Information Regulator must also be supplied.
These requirements have to be met before the information is collected directly from the subject, or as soon as reasonably practicable thereafter if the information is not collected directly from the subject, unless the subject is already aware of these rights. If you collect additional information from a subject for a different purpose, you have to go through this process again. (section 18(3))
I therefore envisage all clients of estate agents signing a form acknowledging that they are aware of their rights before you fill in any personal details on a mandate or an offer to purchase or a FICA form.
It is not necessary to meet these requirements if the subject has consented to non-compliance, or if by non-compliance the rights of the subject would not be prejudiced, or if by compliance you would prejudice some public interest, or if the information is only going to be used for historical, statistical or research purposes, or if the subject is not going to be identified.
IF WE COLLECT PERSONAL INFORMATION HOW MUST WE HANDLE IT?
Anybody who keeps personal information has to take steps to prevent the loss, damage, and unauthorised destruction of the personal information. They also have to prevent unlawful access to or unlawful processing of this personal information. (section 19)
We have to identify all risks and then establish and maintain safeguards against these identified risks. We have to regularly verify that the safeguards are being effectively implemented and update the safeguards in response to new risks or identified deficiencies in existing safeguards.
Anybody processing personal information on behalf of an employer must have the necessary authorisation from the employer to do so. They must also treat the personal information as confidential. (section 20)
Such a person must have a written contract with their employer in which they are specifically obliged to maintain the integrity and confidentiality of the personal information and to implement the established safeguards against identified risks.
This employee is also obliged to notify their employer if they believe that personal information has fallen into the wrong hands. (section 21(2))
I can therefore see new employment contracts for administrative staff and data capturers, and for any employees who deal with personal information, to comply with these requirements.
If there has been a breach and personal information has been accessed or acquired by any unauthorised people you need to notify the Information Regulator, and the subject (if you still know who the subject was). The notification to the subject needs to provide sufficient information to allow the subject to protect themselves against the possible consequences of the personal information falling into the wrong hands.
We all have the right to enquire as to whether somebody has our personal information; all we have to do is provide proof of identity, and this information must be provided free of charge. We can also find out what this information consists of and whether it has been disseminated to any third parties. For these last bits of information, however, we might have to pay a fee. Access to this information is also subject to the Promotion of Access to Information Act.
We all have the right to have our personal information corrected or deleted if it is inaccurate, irrelevant, excessive, dated or misleading, or if it has been obtained unlawfully, or if the responsible party is no longer authorised to retain the information.
The Act creates a special category of personal information called “special personal information”. This relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information. Also included in this category is information relating to the alleged commission of any offence or any proceedings in respect of any offence allegedly committed and the outcome of such proceedings. (section 26)
You are not allowed to process this special personal information unless it is done with consent; or is necessary in law; or is done for historical, statistical or research purposes; or the information has been deliberately made public by the subject.
I do not think that this will prevent processing of information concerning the conviction of a subject for a criminal offence, as such an offence will then no longer be “alleged”.
There are also limited exceptions to the prohibition against the processing of “special personal information”.
These relate to situations when this information is specifically relevant and constitutes the purpose for which the information is being collected, for example for the purposes of BEE or for insurance.
Special rules apply to the processing of personal information of children. (section 35)
The Information Regulator has the power to grant exemptions to allow people to process personal information without complying with the Act if the public interest outweighs the subject’s rights of privacy or where there is a clear benefit to the subject. Such exemptions may be granted upon conditions.
Exemptions may also be granted for the processing of personal information for the purposes of discharging a “relevant function”. A relevant function would include the processing of personal information with a view to protecting members of the public against:
- financial loss due to dishonesty of persons in the banking or financial services industry; and
- dishonesty by persons authorised to carry on any profession or other activity.
WHO IS GOING TO IMPLEMENT THE TERMS OF THE ACT?
As expected, the Act comes along with a whole bureaucracy entitled the Information Regulator. The people who will comprise the management of this body are appointed by the President on the recommendation of the National Assembly. They are answerable to the National Assembly. There will be a large body of staff working under this senior management.
Their duties are the following:
- to provide education to the public relating to the Act and to give advice to government or private bodies as regards their obligations under the Act;
- to monitor and enforce compliance with the Act and to keep up to date with the latest developments in information processing and computer technology to ensure that these do not impact negatively on the protection of personal information;
- to monitor proposed legislation to make sure that it is in line with the Act;
- to report to Parliament on its own accord on any policy matters;
- to submit an annual report to Parliament;
- to conduct assessments as to whether any specific public or private body is complying with the Act;
- to maintain the registers that are prescribed in the Act;
- to consult with interested parties on matters relating to personal information and to mediate disputes;
- to handle complaints about violations of rights;
- to enforce the provisions of the Act;
- to conduct research;
- to draft codes of conduct and guidelines;
- to facilitate cross-border cooperation to enforce privacy laws; and
- to do anything further which they think is necessary to further the aims of the Act.
The Information Regulator will also have an Enforcement Committee. (section 50)
The Information Regulator will be funded by the National Fiscus.
If a person wishes to process personal information for a purpose other than that for which the information was collected, with the intention of linking the information to information processed by others, such a person will need to get prior authorisation from the Regulator. Such prior authorisation will also be needed for processing information on criminal, unlawful or objectionable conduct, or for credit reporting. Failure to obtain such prior authorisation would be a criminal offence.
The Regulator is entitled to issue codes of conduct regarding the processing of personal information which codes of conduct may be of general or specific application. Prior to issuing such a code of conduct the Regulator has to advertise their intention and call for written submissions. These codes of conduct must be published in the Government Gazette and the Regulator must keep a register of approved codes of conduct. These codes of conduct can be reviewed and revoked from time to time. (section 60 – 68)
DIRECT MARKETING
Section 69 of the Act outlaws direct marketing by means of any form of electronic communication unless the subject has given their consent. Such electronic communication obviously includes emails and SMSs. Automatic calling machines are also included. A subject can only be approached once to obtain such consent. Once such consent is refused, it is refused forever.
Slightly different rules apply if the subject is a customer. Here the customer’s contact details must have been obtained in the context of the sale of a product or a service, the direct marketing by electronic communication can only relate to the supplier’s own similar products or services, and the customer must have been given the right to opt out at the time that the information was collected and each time such a communication is sent.
Anybody sending out direct marketing electronic communications has to disclose the identity of the advertiser and provide an address to which the customer can send a request to opt out.
Any subject whose name is included in any type of directory must be advised of the purpose of the directory and about any future uses to which the directory might possibly be put, based on search functions embedded in electronic versions of the directory. Such a subject must be given the opportunity to object to such use of the personal information. This will however not apply to directories that were printed or which were created in off-line electronic form prior to the commencement of this section.
If a subject’s personal information is contained in a public subscriber directory which was prepared in accordance with the safeguards set out in the Act prior to the commencement of this portion of the Act, the personal information can remain in the directory provided that the subject has received notification about the purposes of the directory and the future uses to which the directory might be put. Once again the subject must be given the opportunity to opt out. (section 70)
The Act controls the transfer of personal information from South Africa to foreign countries and prohibits this unless: (section 71)
- the person receiving the information is subject to similar laws;
- the subject has agreed to the transfer of information;
- such transfer is part of the performance of a contract to which the subject is a party; or
- transfer is for the benefit of the subject and it is not reasonably practicable to obtain their consent and that such consent would be likely to be given. (section 72)
DISPUTES AND BREACHES
The procedures set down in this section of the Act seem a bit illogical and impractical.
If someone is alleged to be in breach of the Act, any person may submit a complaint to the Information Regulator. This complaint will be dealt with by an adjudicator. From the Act it would appear that anybody can submit this type of complaint. It does not have to be one of the subjects whose rights have been breached.
If a person is not happy with the determination of the adjudicator, they can still approach the Information Regulator for another ruling. This seems to be a type of in-house appeal process and is quite confusing.
When a complaint is referred to the Regulator, the Regulator has certain options. The Regulator can:
- conduct pre-investigation;
- act as a conciliator;
- decide to take no action if, after investigating the complaint, the Regulator believes there is no case, either because of the passing of time, the trivial subject matter of the complaint, the fact that the complaint is frivolous or vexatious or not made in good faith, or if the complainant does not have a sufficient personal interest in the matter, or where there is another internal remedy which has not yet been exhausted, or where further action would be unnecessary or inappropriate;
- conduct a full investigation;
- refer the complaint to the Enforcement Committee.
The Regulator also has the right to commence an investigation on their own initiative. (sections 76 & 77)
The Information Regulator can also refer any complaint to another body if the Regulator believes that the complaint falls more properly within the jurisdiction of that other body.
The Information Regulator has the right to summon people to appear before it and to give evidence. This evidence does not have to be evidence that would be admissible in a court of law. This now seems to be a trend as, in their dispute resolution function, the Community Schemes Ombud also has the right to receive evidence which would not be admissible in an ordinary court of law.
The Information Regulator can also enter and search any premises, conduct private interviews at any place or carry out other enquiries that the Regulator sees fit.
The Information Regulator is entitled to approach a judge of the High Court or a magistrate to issue a search warrant which would empower the Regulator to search, inspect, examine, operate and test any equipment used for the purposes of processing personal information on the premises.
The Information Regulator also has the powers of seizure in respect of evidence or prospective evidence.
It would appear that anybody is entitled to ask the Information Regulator to make an assessment as to whether an instance of processing of personal information complies with the Act. The Regulator can also do this on its own initiative. The results of the assessment must be communicated to the person who has made the request. If the Regulator deems it appropriate and in the public interest, the results of the assessment can be published. (section 89)
After completing an investigation, the Regulator may refer the complaint or other matter to the Enforcement Committee for consideration, for a finding and for a recommendation in respect of proposed remedial action. The Regulator may prescribe the procedure to be followed by the Enforcement Committee. (section 92)
The Enforcement Committee will make recommendations to the Regulator necessary or incidental to any action that should be taken against the responsible party.
The Information Regulator will make the final “judgement” on the complaint. The guilty party will be advised of their appeal rights. The enforcement notice may not require the responsible party to take any remedial action until the period for an appeal has passed, and if such appeal is lodged, until it has been determined. The Information Regulator does however have the power to enforce immediate compliance if the matter is viewed as urgent.
A guilty party has a right of appeal to the High Court and such a party has 180 days to appeal.
A subject who has suffered damages as a result of the responsible party failing to comply with this Act can institute a civil action to recover these damages whether or not there has been any intention or negligence on the part of the responsible party. This creates a strict liability on the part of the responsible party. The Act sets out a fixed number of defences that can be raised against an action for damages. These are:
- superior force;
- consent of the plaintiff;
- fault on the part of the plaintiff (contributory negligence, I presume);
- that compliance was not reasonably practicable in the circumstances; or
- that the Regulator had granted an exemption in respect of compliance.
If the responsible party is found to be guilty the court has the jurisdiction to award damages as compensation for patrimonial and non-patrimonial loss suffered by the subject and for aggravated damages, in a sum determined in the discretion of the court. This latter category would appear to be a type of punitive damages which is a new concept in our law. The court can also order the payment of interest on damages and costs of suit on a scale as to be determined by the court.
Any amount awarded to the subject by the court must be paid to the Information Regulator and used first to defray expenses incurred by the Information Regulator in the case. Any available balance will then be paid to the subject. It would appear that the Information Regulator will therefore be able to fund some of its operation with the damages awarded by the court to a subject.
Any court issuing an order of this nature must publish such an order in the Government Gazette or by such other appropriate public media announcement as the court might consider appropriate.
OFFENCES, PENALTIES AND ADMINISTRATIVE FINES
Sections 100 – 106 deal with instances where parties would find themselves “guilty of an offence”. The most relevant of these are:
- any person who hinders, obstructs or unlawfully influences the Regulator;
- a responsible party which fails to comply with an enforcement notice;
- offences by witnesses, for example lying under oath or failing to attend hearings;
- unlawful acts by a responsible party in connection with account numbers; and
- unlawful acts by third parties in connection with account numbers.
Section 107 of the Act details which penalties apply to the respective offences. For the abovementioned offences the maximum penalty is a fine or imprisonment for a period not exceeding 10 years, or both a fine and such imprisonment. For the less serious offences, for example hindering an official in the execution of a search and seizure warrant, the maximum penalty is a fine or imprisonment for a period not exceeding 12 months, or both a fine and such imprisonment.
CONCLUSION
In closing I must mention that we do not have Regulations to the Act yet and I think these will be quite voluminous. It would be short sighted to consider the Act in the absence of these Regulations. In addition, we are yet to see the types of codes of conduct that are to be published. I am confident these will be industry specific and could be quite helpful in implementing the provisions of the Act in your specific business. Watch this space for further developments.
Deon Welz
November 2016