Please click on the questions below to view their answers
‘Personal Information’’ means any information relating to an identifiable, living, natural or juristic person
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- Biometric information of the person;
- The personal opinions, views or preferences of the person;
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- The views or opinions of another individual about the person; and
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
Source: Protection of Personal Information Act 2013 (1)
Some examples of Personal Information are:
- Names
- ID Numbers
- Email Address
- Telephone Numbers
- Address/Location
- Gender
- Education
- Maritial Status
High Risk / Special Personal Information:
- Race/Ethnic origin
- Political affiliation
- Medical/Health/Sexual Records
- Biometric Data
- Trade Union Membership
- Financial Records
- Employment History
- Criminal History
- Religious/Philosophical Beliefs
- Information of Children
These have special requirements if you handle/process such information
The Protection of Personal Information Act 2013 is the Act that specifies what actions/procedures need to be in place in order to prevent Personal Information from being misused.
Effective from 1 July 2021.
Data Processing refers to any activity performed on or involving Personal Information
Examples:
- Saving clients details in a database
- Receiving clients details to complete an order
- Transferring employee information to a Payrol service provider
- Deleting existing Personal Information stored in a database
- Saving a spreadsheet of users information to an external device
- Emailing a client details about their order
- Sending a statement in a email
All Private and Public Entities that handle or process any Personal Information
- Sole Propriators
- Partnerships
- Companies
- Closed Corporations
- Trusts
- Body Corporates
- Non Profit Company
The PoPI Act is effective from 1 July 2021
Information Officers need to be registered with the regulator as soon as possible.
If applicable, PAIA manuals need to be submitted to the Regulator. (PAIA regulations are often changing)
Being PoPI compliant is an ongoing process.
- Procedures can always be improved
- Technology changes
- Laws changes
- Unforseen events can occur
The onlinePoPI tool helps you to ensure ongoing PoPI Act compliance
First you need to register your Information Officer with the Regulator
onlinePoPI can then guide you through the PoPI act ensuring that you are compliant with the relevant sections to your entity
onlinePoPI will produce the required declarations, documentation, policies and forms your entity requires
For serious offences a maximum of a R10 million fine or imprisonment for a period not exceeding 10 years or both.
For less serious offences a maximum of a R1 million fine or imprisonment for a period not exceeding 12 months or both.
onlinePoPI will help you to be compliant with the PoPI Act and be well prepared to mitigate these risks.
You need to have assigned an Information Officer to the applicable Entity
The Information Officer needs to be registered with the Regulator
The Information Officer needs to develop and maintain a compliance framework to ensure the entity Protects all the Personal Information it processes
The Information Officer needs to provide training to other employees/members/providers of the entity
Policies and Procedures need to be put in place to ensure
- Data Subjects know how their Personal Information is being used,
- How they can access the Personal Information the entity has of them,
- Inform the Data Subject if there are any breaches
onlinePoPI will help you with this process
The quick and simple answer:
- If the Data subject has given their consent
- It is required to fulfill a contract to which the data subject is a party to
- It is a requirement by a law
- The Regulator has approved the required data processing
The onlinePoPI tool will guide you through all the other applicable scenarios for your entity
The 8 Protection Principles of Lawful Processing:
- Accountability - see PoPI section 4
The Responsible Party’s needs to ensure that the conditions imposed by the Government have been properly complied with. - Processing Limitation - see PoPI sections 4, 5, 6
Personal Information must be processed for the purpose for which it was obtained. - Purpose Specification - See PoPI section 7
Information is only collected, used and stored for carefully defined purposes and time. - Further Processing Limitation - see PoPI section 9
Personal Information can only be reused if this usage aligns with the original purpose of collection. - Information Quality - see PoPI section 10
Personal Information usage must be guided by ‘quality over quantity’ and therefore a Responsible Party needs to ensure that the Information it manages is complete, accurate, not misleading in nature and updated wherever necessary. - Openness - see PoPI section 11
The Responsible Party should be fully compliant with PAIA - Promotion of Access to Information Act (2002), and ensure that no Information is collected unless the data subject fully understands and appreciates the implications of sharing their Information. - Security Safeguards - see PoPI sections 13, 14, 15, 16
The Responsible Party needs to ensure all Personal Information is securely and safely stored and processed. - Data Subject Participation - see PoPI section 17, 18, 19, 20
The Responsible Party should have measures in place to answer any questions about or update any data subjects Personal Information.
Entities that do not process any Personal Information
Every entity PoPI applies to is required to have an Information Officer.
The Information Officer is assigned by the entity to be the contact point for Personal Information issues.
The role of the Information Officer is to ensure that the entity is doing as much as they can to be compliant with the PoPI Act, this involves developing a framework for the entity and constantly improving compliance and providing training to other team members. The onlinePoPI Tool provides the Information Officer and entity with this framework, documentations and support.
The Information Offficer needs to be registered with the Regulator
PAIA is the legislation to the right of access to information.
A PAIA Manual is a document that describes how a Requester can access to Records of the Entity, if the Record is required for the exercise or protection of any Rights.
The Information Officer needs to email the PAIA manual to the Information Regulator at: inforeg@justice.gov.za
Your Entity needs to assign it's Information Officer.
Then you need to register your Information Officer with the Regulator at: https://www.justice.gov.za/inforeg/portal.html