If you operate in South Africa or have customers in the country, you are subject to the Protection of Personal Information (POPI) Act. Until now, the law has not been enforced but that is likely to change in the foreseeable future.
- 1. POPI's Background
- 2. POPI's Scope
- 2.1. Terminology
- 3. POPI Requirements
- 3.1. Accountability
- 3.2. Processing Limitation
- 3.3. Purpose Specification
- 3.4. Further Processing Limitation
- 3.5. Information Quality
- 3.6. Openness
- 3.7. Security Safeguards
- 3.8. Data Subject Participation
- 4. What is "Special Personal Information"
- 6. Official Forms For Exercising Data Subject Rights
- 7. Penalties For Violating POPI
- 8. POPI vs GDPR
- 9. Summary
POPI's Background
The POPI Act was signed into law in 2013, but enforcement has, to say the least, been a slow process. This is largely because of delays in setting up the body that oversees and enforces the law, the Information Regulator. The Regulator is now in place and has published its regulations, so full enforcement is likely to begin soon, and businesses need to be ready to comply with the law in full.
POPI's Scope
The POPI Act covers personal information, meaning information that relates to an identifiable, living, natural person (a human being) and, where applicable, to an identifiable, existing juristic person, which means an independent legal entity such as a company. Unlike most data protection laws, it therefore protects some information about businesses as well as about people.
The law gives a non-exhaustive list of examples of personal information. Some that might not seem obvious include the person's own views and opinions, and the opinions of others about the person. Any information about the person's criminal, education, employment, financial or medical history is also covered.
The law applies to any responsible party (the Act's term for what the GDPR calls a data controller) that is domiciled, that is legally based, in South Africa. It also applies to a responsible party outside South Africa that "makes use of automated or non-automated means in the [country]," unless those means are used only to forward personal information through South Africa.
While some data privacy laws distinguish between the location of the data subject and the physical location of any data processing, this section of the law is widely interpreted as covering online activity where the data subject is in South Africa, even if the website's servers are outside the country. This is consistent with the law's stated intent of protecting the constitutional right to privacy of South African citizens.
Although the law does allow for some exclusions (such as national security and journalism), these generally won't apply to businesses processing personal information.
Terminology
The POPI Act calls the person or organization that decides what personal information is processed, and why, the "responsible party." This is roughly equivalent to the "data controller" in the European Union's General Data Protection Regulation. A person or organization that processes personal information on the responsible party's behalf under a contract (a hosting provider or payroll bureau, for example) is an "operator," roughly the GDPR's "data processor."
The Act refers to the person (or other legal entity) that the personal information is about as the "data subject."
POPI Requirements
The POPI Act sets out eight conditions that must all be met for processing of personal information to be lawful. We'll run down the key points here and then cover what this means in detail for Privacy Policies later in this guide.
Accountability
In simple terms, this condition says that the responsible party must ensure all eight conditions are met, not only while processing personal information but also when deciding what data to process and why. Accountability applies at every stage of handling personal information.
Processing Limitation
This condition sets out a principle of minimality: process only personal information that is adequate and relevant, and only to the extent needed for the stated purpose.
It also requires a lawful basis for processing. Consent from the data subject is the most common basis, but the Act also allows processing that is necessary to perform a contract with the data subject, to comply with a legal obligation, to protect a legitimate interest of the data subject, or to pursue the legitimate interests of the responsible party or a third party. If you rely on consent, the burden of proof is on you to demonstrate it, and the data subject can withdraw it at any time (withdrawal does not affect processing that took place before it).
Personal information must normally be collected directly from the data subject. The main exceptions are where the information comes from a public record or has been deliberately made public by the data subject, where the data subject has consented to collection from another source, and where collection from another source is needed to comply with a legal obligation or to avoid prejudicing a criminal investigation; the last of these won't usually apply to businesses.
Purpose Specification
You must collect personal information for a specific, explicitly defined and lawful purpose related to your activities. You must make the data subject aware of that purpose, and you must not keep the personal information for longer than is necessary to achieve it, unless a law, a contract, or the data subject's consent requires longer retention. Once it is no longer needed, it must be destroyed, deleted, or de-identified.
This example from Interchange explains why it will collect and use different information depending on the purpose:
Further Processing Limitation
After collecting the personal information, you may only process it further in a way that is compatible with the purpose for which it was originally collected.
Information Quality
You must take reasonably practicable steps to ensure the personal information is "complete, accurate, not misleading and updated where necessary," having regard to the purpose for which it was collected.
Security Safeguards
You must secure the integrity and confidentiality of personal information in your possession by taking appropriate, reasonable technical and organizational measures against loss, damage, unauthorized destruction, and unlawful access or processing. In practice this means identifying the reasonably foreseeable risks to the information, establishing and maintaining safeguards against those risks, regularly verifying that the safeguards are effectively implemented, and updating them in response to new risks or deficiencies. If a third party (an operator) processes personal information on your behalf, you must have a written contract that obliges the operator to apply the same security measures; the operator may only process the information with your knowledge and authorization and must treat it as confidential.
If a security compromise happens and there are reasonable grounds to believe that an unauthorized person has accessed or acquired personal information, you must notify the Information Regulator and the affected data subjects (unless their identity cannot be established) as soon as reasonably possible after discovering it. The notification to data subjects must be in writing and give enough information to let them take protective measures, including a description of the possible consequences, the measures you have taken or intend to take, a recommendation of what the data subject should do, and the identity of the unauthorized person if known. Notification to data subjects may be delayed only where a law enforcement body or the Regulator determines that it would impede a criminal investigation.
Data Subject Participation
Data subjects have the right to ask, free of charge, whether you hold personal information about them. If you do, they have the right to a record or description of that personal information, and to the identity (or categories) of all third parties who have had or currently have access to it, on payment of any prescribed fee.
You must provide this within a reasonable time, in a reasonable manner and format, and any fee must be reasonable. If a fee applies, you must give a written estimate first and may ask for a deposit before starting.
The data subject can then ask you to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained, and to destroy or delete records you are no longer authorized to keep. They can also object, on reasonable grounds, to processing for a particular purpose, and object at any time to processing for direct marketing.
What is "Special Personal Information"
The POPI Act classes some data as "special personal information," namely:
"the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject"
This category also covers alleged criminal offenses and related court proceedings.
As a general rule, you must get consent from the individual to process "special personal information." To avoid doubt, this should be specific consent that explicitly covers this particular information.
Some key exceptions to this rule that are relevant to business include the following:
- You have to process the data to comply with the law
- The Information Regulator has given specific permission for you to do so
- You are processing race or ethnic origin data to comply with anti-discrimination or positive discrimination laws
The POPI Act also prohibits processing personal information about a child unless it is required by law, you have the prior consent of a competent person (such as a parent or guardian), or another exception in the Act applies. Again, consent should be specific and explicit to avoid legal doubt.
The principle is that any consent a data subject gives is "voluntary, specific and informed." This means the data subject must know exactly what they are consenting to, including the details of what data you use, how and why.
The specific requirements are that you must make the data subject aware of the following points as soon as practical, which usually means before collecting the data:
- The information you are collecting
- Where you got the information (if not directly from the data subject)
- Your contact details
- Why you are collecting the information
- Whether supplying the information is voluntary or mandatory
- The consequences if the data subject does not supply the information
- Which (if any) laws say you can or must collect the data
- Whether you plan to transfer the data outside the country and if so what safeguards will apply
This example from Ecommerce Forum Africa covers potential transfers of data:
You should also make sure the data subject knows about the following rights:
- To access the information and correct it
- To object to you processing the information
- To complain to the Information Regulator
This example from Novartis explains these privacy rights:
This example from Zambia Tourism covers similar points and provides clear contact details:
This example from Maitland highlights the key South African difference, the inclusion of juristic persons, by stating it directly in its definition of "personal information" in this clause:
Official Forms For Exercising Data Subject Rights
How you inform data subjects about the information you collect and about their rights is up to you. However, the Information Regulator has published standard forms for data subjects who want to exercise their rights. The forms are as follows, with the pages on which they appear in the Regulator's regulations PDF:
- Form 1 (page 12 of 144): Objecting to processing of personal information
- Form 2 (page 14 of 144): Requesting that you correct or delete personal information
- Form 5 (page 20 of 144): Complaining to the Information Regulator
You could either make these forms available on your site or link to the Information Regulator.
Another document, Form 4 (page 18 of 144), is for you to use when asking a data subject for consent to direct marketing by electronic communication (such as email newsletters). This is the only situation where you must use a prescribed form to get consent.
Penalties For Violating POPI
The Information Regulator has the power to:
- Issue an enforcement notice that legally requires a business to change its operations to comply with the POPI Act
- Impose an administrative fine of up to R10 million for certain offences, as an alternative to criminal prosecution
- Bring a civil action in the courts, at the data subject's request, to claim damages caused by a breach of the law, whether or not there was intent or negligence. This can cover patrimonial (directly measurable financial) loss, non-patrimonial loss (such as emotional harm from a breach of privacy) and aggravated damages (a term not fully defined in South African law and thus untested in POPI Act cases). A data subject can also bring such an action directly.
The Act also creates several criminal offenses, punishable by a fine, imprisonment, or both, including:
- Failing to comply with an enforcement notice (maximum of 10 years' imprisonment)
- Obstructing or hindering the Information Regulator's activities (maximum of 10 years' imprisonment)
- Breaching the Act's requirements when handling an account number (maximum of 10 years' imprisonment)
- Making a false statement to the Information Regulator in response to an information request (maximum of 1 year's imprisonment)
POPI vs GDPR
If you operate in, serve customers in, or process data in the European Union you should already comply with the General Data Protection Regulation (GDPR).
The good news is that the required measures you must take to comply are broadly the same and in some cases are more stringent for the GDPR. You must always take responsibility for checking that you comply with applicable laws, including the POPI Act, but if you've already taken steps to comply with the GDPR the changes to your procedures will often be minimal.
The biggest difference is scope, specifically that, unlike the GDPR, the POPI Act covers "juristic persons." This means that businesses have the same privacy rights (where applicable) as individuals. While this may seem unintuitive, the key is that any data that relates to a specific, identifiable business must be treated in the same way as personal data about individuals. The POPI Act also requires every responsible party to designate an information officer, broadly the equivalent of a GDPR data protection officer, and to register that officer with the Information Regulator.
Summary
Here's what you need to know and do to comply with the POPI Act:
- The Act is already law, but enforcement and regulation have not yet fully started. This may happen relatively soon, so you need to prepare.
- The law covers information about humans and, in some cases, about businesses in South Africa. It applies even if the "responsible party" (the organization that decides what is processed and why) is located outside South Africa.
You must meet eight conditions to lawfully process personal information:
- Comply fully with the Act
- Have a lawful basis, usually prior consent, for collecting and processing personal information
- Give a specific, lawful purpose for collecting the data
- Only process the data to serve the stated purpose
- Keep the information accurate and up to date
- Make sure the data subject is fully informed about your data use before they consent to collection and processing
- Keep the data secure
- Respond to data access requests in a reasonable time and without charging an unreasonable access fee
- Some types of data are classed as "special personal information." You should normally get specific and clear consent to collect this information. To avoid doubt, don't assume general consent covers this.
- The Information Regulator has produced several official forms for data subjects to make requests and objections. Point data subjects towards these forms or put them on your site.
- The Information Regulator can order you to change your practices to comply with the POPI Act. Failing to comply with this order can lead to a maximum prison sentence of 10 years.
- The Information Regulator can take civil action for a breach. This could mean you have to pay financial damages that go beyond covering direct financial losses.
- If you already comply with the GDPR, it shouldn't take too much extra work to comply with the POPI Act. The biggest change is that POPI Act covers data about juristic persons (such as companies) rather than just humans.