The Protection of Personal Information Act, otherwise known as POPI, is a piece of legislation designed to protect any private information of a data subject which is collected, processed, stored or shared by a responsible party, by holding said responsible parties accountable if they abuse or compromise the data subject's private information in any way (for all you nitwits that means you and me). The Act is meant to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed.
POPI marks your information to be ‘precious goods’ and therefore aims to bestow upon you as the owner of your personal information, certain rights of protection and the ability to exercise control over the following:
- when and how you choose to share your personal information (requires your consent)
- the type and extent of information you choose to share (must be collected for valid reasons)
- transparency and accountability on how your data will be used (limited to the purpose) and notification if/when the data is compromised
- providing you with access to your own information as well as the right to have your data removed and/or destroyed should you so wish
- who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information
- how and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised)
- the integrity and continued accuracy of your information (i.e. your information must be captured correctly and, once collected, the institution is responsible for maintaining it)

‘Information’ in this context is any information related to a data subject that can be used directly or indirectly to identify that person. This includes:
- Identity and/or passport number
- Date of birth and age
- Phone number/s (including mobile phone number)
- Email address/es
- Online/Instant messaging identifiers
- Physical address
- Gender, Race and Ethnic origin
- Photos, voice recordings, video footage (also CCTV), biometric data
- Marital/Relationship status and Family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information including medical history, blood type, details on your sex life
- Membership to organisations/unions
It must however be noted that some personal information, on its own, does not necessarily allow a third party to confirm or infer someone’s identity to the extent that this information can be used for other purposes. The Act defines a ‘unique identifier’ as data that “uniquely identifies that data subject in relation to that responsible party”. As such, the combination of someone’s name and phone number and/or email address, for example, is a lot more damaging than just a name or phone number on its own. It is important to note that the law not only covers people, but also any legal entity, including companies and also communities or other legally recognised organisations. All of these entities are considered to be ‘data subjects’ and are afforded the same right to protection of their information.
The Act applies to all organizations that store, collect or process personal information, unless those records are subject to other legislation which protects such information more stringently. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, etc.
The POPI Act is not unique to South African law; many countries have similar legislation to protect the personal information of data subjects, and POPI borrows from the best of these international laws, learning from their mistakes and shortcomings.
Although POPI was signed into law on 26 November 2013, and certain sections of the Act came into force in April 2014 (the sections dealing with the appointment of the administrative body, the Information Regulator, and the sections empowering the Minister and the Information Regulator to make regulations regarding the implementation of the Act), it is not yet effective, as a commencement date has not yet been established. Once a commencement date has been established, companies will have 12 months to comply.
Incorporating POPI into the day-to-day operations of a business will most likely require a significant amount of time and effort, including educating and training staff, updating business processes and implementing or updating technology solutions. It is nevertheless critical for organisations that process personal information of employees, customers or other juristic persons (companies, trusts and so on) to implement organisation-wide privacy initiatives in order to comply with the conditions of the Act. Not only do we now live in an information age where, along with the progress, comes responsibility and accountability in the way each person and entity handles data, but consider also that you could be breaking the law by doing something as simple as synchronising the contacts on your phone, sending an email with sensitive content, taking or sharing a video or photo, or using an international mail provider, and ignorance of the law will be no excuse.
We are the responsible party regarding the client’s personal information, such as email addresses, phone numbers, billing details, and other information used to do business with clients.
We are the service provider, or operator, regarding the personal information that the client provides in the form of a database, distribution list, or the like.
This policy applies to the sole proprietor or key individuals, subsidiaries, business units, representatives and staff of Intoweb, and all of the above mentioned are responsible for adhering to this policy and for reporting any security breaches or incidents to the Information Officer. The external individual(s) contracted to handle the information technology of Intoweb must adhere to the same information security standards as Intoweb, and will confirm by separate agreement that they have such security measures in place in respect of the processing of personal information.
- The development and upkeep of this policy
- Ensuring this policy is supported by appropriate documentation
- Ensuring that documentation is relevant and kept up to date
- Ensuring this policy and subsequent updates are communicated to relevant managers, representatives, staff and associates, where applicable
Intoweb is compliant with the following:
- Protection of Personal Information Act (POPI)
- CPA Section 11
- Electronic Communications Act of 2002 (ECT)
Accountability and Security - Intoweb takes steps to ensure that data collected is treated with the highest care according to regulation, and sees to it that technical and organisational measures are put in place to keep your personal information safe against risks such as loss, unauthorised access, destruction, use, amendment or disclosure of personal information.
Processing Limitation - Intoweb will collect personal information only by lawful and fair means. Once in our possession we will only process or release data subject information with their consent, except where we are required to do so by law. In the latter case we will always inform the data subject.
Purpose - Intoweb will only collect personal information in a manner compatible with the purpose for which it was collected.
Limit on Further Processing - Intoweb will only process information in a way that is compatible with the purpose for which the information was initially collected.
Information Quality - Intoweb strives to keep personal information accurate, complete, up to date and reliable for its intended use. This means that it may be necessary for us to request data subjects, from time to time, to update their information and confirm that it is still relevant.
Transparency - Intoweb will be transparent with regard to the standard operating procedures governing the collection and processing of personal information. Where personal information is collected from a source other than directly from a data subject (e.g. social media or portals), we will inform you that your information is being collected and why. If you cancel your services with us, we will delete your personal information, except for statistics, which we store in a de-identified and aggregated manner.
Choice and Consent - Intoweb will not contact or solicit you unless you have given us your consent to do so.
Access - Intoweb gives you access to any of your personal information that you request relating to you, where applicable, except where unlawful.
Participation of Data Subjects and Information Requests
Candidates are entitled to know the particulars of their personal information held by us, as well as the identity of any authorised employees of our agency that had access thereto. They are also entitled to correct any information held by us. If their personal information changes, or they no longer desire to use or access our services, Intoweb encourages them to correct, update or remove the personal information they provided. This can be done by contacting us. In the event that a data subject would like access to their data, requests should be submitted to us in writing. Requests for personal information will be handled in accordance with the POPI Act.
The management and Information Officer of Intoweb are responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes. The company and key individuals, representatives and staff of Intoweb are to be trained, according to their functions, in the regulatory requirements, policies and guidelines that govern the protection of personal information. Intoweb will conduct periodic reviews and audits, where appropriate, to demonstrate compliance with privacy regulation, policy and guidelines.
Intoweb shall establish appropriate privacy standard operating controls that are consistent with this policy and regulatory requirements. These will include:
- Allocation of information security responsibilities
- Incident reporting and management
- User ID addition or removal
- Information security training and education
Changes to This Policy
This policy is implemented by Intoweb and will be adhered to by the company and all key individuals, representatives and staff who are tasked with the collection and processing of personal information. Any breach of this policy may result in disciplinary action and possible termination of employment.