- June 25, 2022
- Posted by: admin
- Categories: Economics, Uncategorized
The protection of personal information act has been coming into effect on an incremental basis since 2014. In June 2020 the presidency proclaimed the commencement of the larger part of the act.
The act becomes operational where the processing of personal information is concerned. In a nutshell, the term processing includes the receipt, collection, management, and storage of personal information. Personal information refers to information that relates to an identifiable living natural person or an identifiable existing juristic person. The act provides more detailed definitions. It’s quite easy to disregard POPIA so it is worth emphasizing that the act also concerns itself with basics such as resumes, performance reviews and employment information.
The purpose of the act is as follows:
- protect the data subject by giving effect to the constitutional right to privacy. The act does this by safeguarding personal information when its being processed by responsible parties. However, this is subject to justifiable limitations such as:
-
-
- The right of access to information
- And the protection of interests such as the free flow of information within and across the borders.
-
-
- Regulate how personal information may be processed.
- provides data subjects with rights and remedies to protect their personal information from unlawful processing.
- provide for the establishment of an information regulator to promote, enforce and fulfil the rights protected by the act.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFROMATION
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFROMATION
To give effect to its main purpose, POPIA lays down eight conditions with which responsible parties must comply with in the processing of data. In this context, the responsible party refers to the party that determines the purpose of the personal information and the means of processing it. Below are summaries, intended to overview these conditions, for detailed information consult https://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf .
1. ACCOUNTABILITY
This condition requires that the responsible party ensure that these 8 conditions and the measures that give effect to them are complied with in the processing of personal information.
2. PROCESSING LIMITATION
Condition 2 requires that personal information be processed lawfully and in a reasonable manner that does not infringe on the data subject’s privacy. A principal of minimality is laid down whereby only personal information that is relevant may be processed. Additionally, personal information may only be processed with the consent of the data subject and directly from the data subject.
3. PURPOSE SPECIFICATION
Personal information should only be only be collected for a “specific, explicitly defined and lawful purpose. This purpose must relate to a function or activity of the responsible party. Data subjects must be made aware of this specific purpose. This condition also requires that personal information be irretrievably deleted once it is no longer necessary for the purpose it was collected.
4. FURTHER PROCESSING LIMITATION
Should the need arise for personal information to be processed further, it must be compatible with the purpose for which the information was initially collected. This condition further stipulates when or when not, further processing is compatible with the original purpose of collection.
5. INFORMATION QUALITY
In terms of the 5th condition, the responsible party must take reasonably practicable steps to ensure the accuracy of the information. The reasonable party must also ensure that information is complete and updated when necessary.
6. OPENNESS
This condition requires that responsible parties keep in line with their obligation under the promotion of access to information act to maintain documentation of processing operations.
Openness requires that data subjects be notified when their personal information is being collected and processed.
7. SECURITY SAFEGUARDS
In terms of condition 7, responsibility parties are required to put in place safeguards or measures that ensure confidentiality of the personal information, prevent loss as well as prevent unauthorised destruction of the personal information.
8. DATA SUBJECT PARTICIPATION
the eighth condition emphasises on the data subjects right of access to the personal information. In terms of which, the data subject has a right to know whether the responsible party holds personal information as well as the contents of the personal information. If the information is inaccurate, incomplete or outdated the data subject may request for it to be corrected.
HOW TO GIVE EFFECT TO THESE EIGHT PRINCIPLES
To follow through with the eight conditions laid down by POPIA, businesses may have to take measures to ensure they comply with these principles. Some of these measures include:
- Understanding the information you collect and the purpose of it as well as how you currently process it.
- investing in document processing software that protects documents with sensitive and personal information.
- Nominating or appointing an information officer to ensure that the way your business processes personal information is in line with POPIA
- Conduct a gap analysis, this will involve comparing your current data processing methods to methods that are inline with POPIA. The deficiencies identified in the gap analysis will have to be rectified to ensure POPIA compliance.
- Updating or redrafting existing privacy policies
Businesses Must ensure compliance with POIPA by the 1st of July 2021. Failure to comply can result in a fine not exceeding R10 million or imprisonment not exceeding 10 years. Contravention of any of the provisions may also result in the business having to pay damages to the data subject.