Saturday, December 1, 2012
Data subject

The passage into law of the Protection of Personal Information Bill (POPI) is imminent and, when it does come into effect, it will have significant implications, both for the citizens whose information is processed by any number of companies and public bodies, and for the companies and public bodies that are doing the processing.


This is according to Zaid Gardner, Senior Associate at ENS (Edward Nathan Sonnenbergs), who says that one of the most significant effects will be the introduction of comprehensive and dedicated data protection legislation in South Africa. He says this is likely to impose significant compliance burdens on South African companies and public bodies. “Data protection has been around for some time in the developed world, but it’s a relatively new concept for us and will take some getting used to,” he says.
Gardner says the purpose of POPI is very clear: to promote the protection of personal information that’s processed by the private and public sectors. “The lawmaker has sought to balance the right of privacy that is recognised by the Constitution with various needs and interests, such as the need for economic and social progress within the context of the information society, and the interest in a free flow of information, both domestically and internationally,” he explains.
POPI regulates the processing of personal information that is entered in a record by a company or public body domiciled in South Africa, or by one that is domiciled elsewhere but uses automated or non-automated means situated in South Africa. He says this covers a very broad range of activities.
The definition of ‘processing’ is very broad, and it seems to include every conceivable action: collecting information, receiving it, storing it, updating it, modifying it, disseminating it, even destroying it.
“The term ‘personal information’ is as broadly defined. It covers, for example, information relating to the race, sex, pregnancy, marital status, ethnicity, colour, sexual orientation, age, health, religion, language and education of a person. It covers medical, financial, criminal and employment histories. It covers ID numbers, addresses, telephone numbers and blood types. It covers personal opinions, the private correspondence of a person, and the views that other people have of a person. It even includes the mere name of a person, if the name appears together with other personal information. A ‘record’ is defined to include information in any form that is in the possession or control of a company or public body, irrespective of whether or not it created it,” he says.
However, there are some exclusions available, although these will have little effect in the corporate world.
POPI does not affect the processing of personal information:
• in the course of a purely personal or household activity;
• that has been deleted to the extent that it can’t be resurrected;
• by or for the State if it involves national security, defence, public safety, or the prevention of crime;
• for exclusively journalistic purposes, by media companies that are subject to a code of ethics that has safeguards for the protection of personal information;
• by Cabinet, Provincial Executive Councils and Municipal Councils;
• if it relates to the exercise of judicial functions;
• if it has been specifically exempted;
• in cases where other legislation regulates the processing of that information.

Gardner explains that, in the slightly Orwellian language of POPI, the company or public body that is responsible for processing the information is referred to as the ‘Responsible Party’, whereas the individual, or indeed the company, whose information is being processed is the ‘Data Subject.’
“POPI provides that the information officer appointed by every company and public body in terms of the Promotion of Access to Information Act (PAIA) will be the ‘Information Protection Officer’ for the purposes of the new legislation, and that this person will ensure that the organisation complies with the Principles, and deals with requests made by outsiders,” says Gardner.
Furthermore, he says that once POPI becomes law, an ‘Information Protection Regulator’ - a supervisory body that will consist of a chairperson and four other members - will be set up.
“The Regulator, who will be independent and subject only to the Constitution, will be responsible for promoting and enforcing the Principles on a national level, and will have the power to investigate complaints. The Regulator will also have the power to draft or approve category-specific or industry-specific codes of conduct. Once a code of conduct has been created, it will also regulate the processing of information within that category or industry,” he says.
Note: this is the first in a three-part discussion of the POPI Act.

Copyright © Insurance Times and Investments® Vol:25.12 1st December, 2012