Protection of Personal Information Act (South Africa)

What is South Africa’s POPIA?

South Africa leads the continent on data privacy with POPIA which is similar in scope to GDPR and a plethora of other national privacy regulations described on this web page.

South Africa passed the Protection of Personal Information Act in 2013. The Act included a timeline for establishing government oversight of compliance and time for organizations to comply (until 2020) which was extended another year.

The one-year extended grace period to fully comply with the POPI Act ended on 30 June 2021. POPIA was originally passed on 19 November 2013. Compliance with Section 1, Part A of Chapter 5, section 112, and section 113 was required as of 11 April 2014. Chapter 5 focused on establishing the government regulatory organization (Information Regulator) and apparatus. The Information Regulator provides enforcement and oversight of POPIA and holds wide-ranging powers including:

Education, Awareness and Training on Data Protection
Monitoring and Enforcement of compliance with POPIA
Consulting on data protection
Receiving & processing complaints from Data Subjects or other parties regarding data protection
Research regarding privacy and data protection
Issuing and enforcing a Code of Conduct
Facilitating cross border cooperation in the enforcement of privacy laws

The commencement date of the other sections was 1 July 2020, except for sections 110, 114. POPIA compliance was further extended until 1 July 2021, but full compliance is now mandatory for all companies doing business in South Africa or processing personal data within South Africa’s borders.

Your business may be global, but data privacy regulations are local

Much like GDPR, some of the more challenging privacy compliance requirements involving Personally Identifiable Information (PII) include, but are not limited to the following:

Limiting access to PII on a “Need to Know” or “Least Privilege” basis
Restrictions on Collection, Processing and Sharing
Maintaining accurate Records of Processing of PII
Right to Data Portability
Cross-Border Data Flows, Geo-Fencing, Geo-Location controls
Right To Be Forgotten (RTBF)
Special Restrictions on Processing of PII on Children
Data Breach Notification
Consent and Preference Management
Protecting PII from Unauthorized Access
Data retention Requirements and Limits

POPIA, like other national data privacy regulations, is converging on an internationally accepted set of privacy principles. Any organization will benefit from following a Privacy by Design approach to all collection, processing and sharing of PII that aligns with these privacy principles. This will ensure compliance with the vast majority of specific national or geographic compliance requirements. This lowers the initial implementation and ongoing operating cost of privacy compliance and data protection while simultaneously reducing risk.

Generally Accepted Privacy Principles (GAPP)

These fundamental or Generally Accepted Privacy Principles (GAPP) incorporate the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information. They include:

Privacy Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection. The entity collects personal information only for the purposes identified in the notice.
Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
Access. The entity provides individuals with access to their personal information for review and update.
Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Security and Privacy. The entity protects personal information against unauthorized access (both physical and logical).
Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.

What Constitutes PII Under POPIA

PII is broadly defined under POPIA to include information relating to both a living person (Data Subject), but also to other legal entities. The scope of what is considered PII arguably exceeds GDPR. Under POPIA, PII includes:

Name of the Data Subject if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment of an identifier to a specific person
Information about a person’s race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, skin color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth
Information relating to education, medical, financial, criminal, or employment history
Biometric information
Personal opinions, views, or preferences
Correspondence sent by the person that is implicitly or explicitly private or confidential in nature
Views or opinions of another individual about the Data Subject

Sensitive Data: POPIA also provides for a separate category of information called ‘Special Personal Information’ which includes all information relating to a person’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric, or criminal record(s). POPIA also specifically regulates personal information of a child or minor under the age of 18.

Other Relevant Privacy Regulations besides POPIA in South Africa

There are other relevant South African laws and regulations that involve or impact data privacy and the collection, processing, sharing and use of PII. The most relevant are listed below.

South African Constitution

The Constitution of the Republic of South Africa guarantees the right to privacy. The CPA and until now ECTA also impact how PII can be collected, processed and used.

CPA

The Consumer Protection Act (CPA) 2008, which was enacted in 2011 applies to the direct marketing of goods as well as services to consumers. Some provisions under the CPA on direct marketing and unsolicited communications overlap with the provisions under POPIA in certain circumstances. This will depend on whether the CPA is applicable to any scenario where relevant provisions of POPIA also apply.
Under the CPA, consumers have the right to pre-emptively block any direct marketing. Consent and Preference (Opt-In/Opt-Out) Management under POPIA. The processing of a Data Subject’s PII for the purposes of direct marketing is prohibited unless the Data Subject consented and/or is a current customer of the responsible party.

ECTA

Provisions within the Electronic Communications and Transactions Act, 2002 (ECTA) regulate the electronic collection of personal information. Compliance with these provisions was voluntary. These provisions of the ECTA pertaining to the protection of personal information will be repealed and superseded by POPIA on 30 June 2021 when POPIA compliance becomes mandatory.

Penalties for Non-Compliance

Fines and/or imprisonment for a period of no longer than ten years for knowingly and recklessly selling, disclosing, procuring, or offering for sale PII such as account numbers or particularly sensitive PII. Fines or imprisonment for a period not exceeding 12 months (or both) in respect of the other offences created by POPIA.

Currently, the maximum fine which may be imposed is ZAR 10m (approx. €500,000) but is subject to change. Responsible parties Can appeal against decisions of the Information Regulator. Data Subjects have the right to institute a civil action in court for damages against a responsible party for breach of any provision of POPIA.

Case Law

There is currently no case law or legal precedents established since POPIA has only now (July 2021) come into full effect. This is likely to change rapidly after July 2021.

How SecuPi Can Help?

SecuPi empowers organizations to use data in a secure, compliant and responsible way. SecuPi’s award-winning solution and methodology deliver next generation, data security, privacy compliance and consent optimization from legacy on-prem to hybrid cloud environments.

SecuPi delivers centrally managed, consistently applied, transparent, data-centric security with Purpose Based Access Control (PBAC), monitoring, User Behavior Analytics (UBA), and privacy enforcement.

SecuPi partners with leading technology vendors to seamlessly integrate market-leading data discovery, data governance, data protection and authentication solutions with innovative, cost-effective authorization and compliance. Join SecuPi customers in leveraging valuable information assets to improve business outcomes while improving customer trust and privacy compliance.

SecuPi features and functionality help to address many of the more challenging technical controls requirements listed above, and POPIA specific compliance requirements below. The following diagram provides a high-level mapping of SecuPi Capabilities to specific Section numbers in POPIA.