Providing information for entities to assist them comply with the legislative framework for personal information protection.

1. Protection of Personal Information Act,
No 4 of 2013
(POPI ACT)
1

2. Purpose
To give effect to the
Constitutional (S.14) right to
privacy, by safeguarding personal
information when processed by a
private party subject to justifiable
limitation.
2

3. Purpose
 To safeguard personal information.
 To regulate the manner in which personal
information is processed.
 Give effect to rights and remedies regarding
protection of personal information.
 To establish information protection Regulator.
3

4. Application
The Act applies to processing of information
entered as a record, by a responsible party
manually or electronically.
Responsible parties must be RSA residents
If not it only applies if information passes
through RSA.
4

5. Lawful processing of personal
information
Minimality: Consent, Justification, and
objection.
Data processing is necessary for
performance or conclusion of a contract.
5

6. Lawful processing of personal
information
The data subject may withdraw consent or
object to processing of personal information
in a prescribed manner, unless in keeping
with a law:
on reasonable grounds.
for purposes of direct marketing, by means
of unsolicited electronic communication.
(read with S.69)s
6

7. Collection directly from data subject
 Personal information must be collected directly
from the data subject.
 Unless the information is already in the public
domain.
 Has been so made by the data subject.
 Or data subject (competent person) has
consented to information derived elsewhere.
7

8. Collection for a specific purpose
 Personal information must be collected for a
specific and lawful purpose.
 The data subject must be aware of the data
collection in keeping with S.18 (1).
 Unless there are acceptable and legal grounds
for non-compliance. (S.18.4)
8

9. Retention and restriction of records
 Records of data subject must not be kept
longer than necessary for achieving the
purpose of collection.
 Unless required by law
 Or contract between the parties
 Or for purposes of historical, statistical or
research.
 But must be safeguarded from abuse.
9

10. Retention and restriction of records
 A responsible party must decide on the
retention of the record as prescribed by law,
 or for such a period to allow the data subject
opportunity of access to the record,
 The record must destroyed or de-identify
within a reasonable time allowed by law.
10

11. Further processing limitation
 Further processing of personal data must be done
in keeping with the initial purpose of its
collection.
 To assess if the further processing is in line with
the initially intended purpose, the following must
be satisfied:
 Initial purpose of data collected, nature of
information, consequences of further processing.
11

12. Further processing limitation
 Contractual rights and obligations of parties.
 The further processing is permissible if:
 consent has been obtained
 the information is already a public record,
 ensure law and order maintenance by a public body,
including SARS enforcements,
 & prevention of imminent public health or safety
threat, or arrest of a person.
12

13. Information quality
 A responsible party must ensure that the
personal information, is complete, accurate, up
to date and not misleading.
 Must also keep in mind the purpose for which
the data was collected and further processed.
13

14. Openness
 Documentation: A responsible party must
maintain documentation relating to processing
of data.
 This is also in compliance with the s14 and s
51 Promotion of Access to Information Act
(PAIA), referring to records and a manual
facilitating access categories of information.
14

15. Openness
 Notification of data subject: Data collectors
must ensure that the data subject is aware of
the information collected, the purpose of
collection the other sources where it is
collected as well as the details of the collector.
15

16. Security Safeguards
 A responsible party must ensure the integrity
and confidentiality of personal information.
 Should also take technical and institutional
measures to prevent:
 Loss, damage, unlawful destruction and access
and processing
16

17. Security Safeguards
 Establish and maintain risk mitigating
measures to safeguard personal information.
 Must adhere to the generally accepted
information security practices.
 Must also adhere to applicable industry
specific codes and regulatory tenets.
17

18. Data subject participation
 A data subject has the right of access to all
personal information held by a responsible
party.
 A data subject may request corrections or
deletion of personal information held by a
responsible party, in keeping with this section
and s14 of the Act.
18

19. Processing of special personal
information
 Except with necessary consent and adherence
to applicable laws and public interest (see s27-
33), the following is prohibited:
 Processing of religious or philosophical beliefs,
race or ethnicity, trade union membership,
political views, health or sex life, or biometric
information and criminality related
information.
19

20. Exception from conditions for
processing of personal information
 The Regulator may grant permission for
interested parties to process personal
information, that is normally prohibited, for
reasons pertaining public interest issues
detailed in s37.
 Exception also subsists for processing of
information “Relevant function” purposes, by
an entity granted by a law. See s38.
20

21. Information Regulator
 This Act further establishes an independent
Information Regulator, only subject to the
Constitution, & accountable to National
Assembly.
 The Regulator enforces and monitors
compliance with this Act, by public and private
bodies;
 raises awareness and facilitates training about
this Act.
21