Nurunnesa Jappie (Head of Legal Administration ) and Tjaart van der Walt (Associate)
Here is the guide for you to take reasonable and constructive steps to protect your personal information in a cost effective way, while gaining business value.
What is POPI?
We live in an age where it has become the norm to divulge personal information and in many instances we won’t give it a second thought. If for example, you apply for a job you are required to share an incredible amount of information with strangers. In most cases, when completing the application form you will be required to provide information from your age to your race and from your marital status to even your medical records. All of the these are examples of personal information. If this information falls into the wrong hands, the parties involved could suffer financial and reputational loss and can be exposed to fines or imprisonment, hence the need for protection through POPI (Protection of Personal Information) Act. Just to recap, POPI protects people from harm by requiring those who process our personal information to protect it. Personal Information is any information that relates to an identifiable natural or juristic person. POPI however, does not apply to household or personal activity, sufficiently de-identifiable information that cannot be re-identified, and some state functions including criminal prosecution, journalism under a code of ethics and judiciary functions.
Processing of personal information
The term ‘processing’ refers to the usage, storage and distribution, modification or destruction of personal information. It includes eight information protection conditions subject to exclusions and processing of information is prohibited in certain instances. The conditions, which will be analyzed in greater detail in subsequent posts are:
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
Compliance strategy
It is estimated that the Act will commence mid-2016 and whilst the Act provides for a one-year implementation timeframe from the commencement date, many companies will struggle to comply with the requirements because they will have to develop or review and implement their information management policies. As a global legal services provider with experience in implementation of global data protection laws such as the UK Data Protection Act, Exigent can assist in ensuring compliance with the POPI Act by focusing on the following key steps:
- POPI Practical Guidance –Define what POPI means to you. The first step in achieving this is through defining and providing clarity on what POPI is. Then, together with the responsible parties and operators, create awareness and understanding why the protection of personal information is necessary.
- Gap Analysis – Assess the current level of compliance and identify vulnerabilities and risks in respect of POPI.
- Policy Review and Drafting – Through the drafting or review of privacy policies, information security procedure policies, incidence response policies and access to information manuals, you create a structure in which compliance can be managed, monitored and maintained.
- Third Party Reviews – Conduct reviews of customer-facing documents and service provider agreements to ensure compliance, following a detailed written report setting out what information is processed, details of the third parties processing the personal information and make recommendations in respect of:
- The adequacy of cover provided within the contracts in respect of the protection of personal information, and
- Compliance with POPI and how the cover could be improved to ensure adequate control in respect of the POPI Act.
- Compliance Management Plan – Create and implement a compliance management plan to actively manage compliance with POPI.
Conclusion
POPI compliance is not a one-off process and institutions will always have to be aware of how they protect personal information whenever they process it. Ensuring compliance with POPI is more than just making certain that all processing standards are followed and checkboxes ticked. It is ultimately aimed at maintaining a relationship of trust between the data subject and the receiving party. It provides data subjects with peace of mind in knowing that sanctions are in place when compliance is not adhered to and places a burden on the data subject as well as the receiving party to be more cautious about how data is collected, processed, used, stored, checked and ultimately disposed of.
