POPI Act – compliance is important.
The PoPI Act, in simple terms, seeks to ensure that all South African organisations conduct themselves in a responsible way when collecting, processing, storing and sharing personal information which they do not own. The PoPI Act holds businesses accountable for any abuse or compromise of personal information.
In addition, records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected [Section 14(1)]. In practice, however, this may be one of the most difficult provisions to comply with, as it requires:
- a very clear picture of all purposes for which a piece of information is kept, and
- a thorough understanding of business processes.
When gaining access to, or using, personal information acquired through a transactional relationship with a customer or supplier, there is a process to be followed, which ends in the responsible destruction of data.
The POPI Act also defines responsible parties as being organisations and suppliers. So we are essentially all required to comply!
POPI Act PRINCIPLES relate to good governance.
The following points serve as a reminder when acquiring and holding onto personal information:
- PROCESSING LIMITATION – process only as much as you need and only for as long as necessary.
- PURPOSE – you need to have a strict purpose in mind. Consider this when re-purposing information or sharing it.
- QUALITY – ensure that all the info you have is kept up-to-date and is used in a relevant way.
- OPENNESS – when acquiring information, clearly communicate to the entity providing it why it will be processed and how.
- PARTICIPATION – you need to allow the ‘owner’ of the information to be able to access it (this has rarely been a part of holding onto data).
- ACCOUNTABILITY – whoever acquires and uses the data is ultimately responsible and accountable for its safe use.
- SECURITY – there needs to be reasonable protection of personal data by the responsible party.
What are the BENEFITS relating to POPI Act compliance?
- Customer confidence in you or your business’s integrity will be increased.
- If you ensure quality and security, your database will be reliable and not offend the original owner.
- Compliance with the POPI Act will result in reduced reputational risk for your business.
As with everything, there are some exceptions. These include information that is used purely for household or personal purposes, information used by journalists subscribing to a code of ethics and, of course, information used by the judiciary and/or Criminal & National Security organisations.