Zeyn Bhyat of ENSafrica reports that on June 22, 2020, it was announced that South Africa’s comprehensive privacy law known as the Protection of Personal Information Act, 2013 (the “POPIA”) will become effective on July 1, 2020. POPIA acts as the more detailed framework legislation supporting South Africa’s constitutional right to privacy.
POPIA has been a work-in-progress since it was earmarked for implementation by the South African Law Reform Commission in 2005. The delay in its enactment was attributable, in part, to the publication of the draft EU General Data Protection Regulation (“GDPR”) in 2013, as the POPIA drafting committee paused to consider some of the proposed innovations in the GDPR and also to take steps to ensure that the South African privacy regulator (i.e., the Information Regulator (“SAIR”)) was given an opportunity to develop operational capabilities. In this respect, POPIA came into force over a period of time, with the initial provisions enabling, among other things, the establishment of the SAIR coming into effect on April 11, 2014. To date, the SAIR has taken steps to become fully operational, by, e.g., procuring the publication of regulations, establishing codes of conduct and raising public awareness.
The POPIA provides for a general information protection mechanism applicable to organizations in both the public and private sectors. Similar to the EU Data Protection Directive 95/46/EC, POPIA establishes eight conditions for lawful processing of data. These conditions are: (1) accountability; (2) processing limitation; (3) purpose specification; (4) further processing limitation; (5) information quality; (6) openness; (7) security safeguards; and (8) data subject participation.
The POPIA applies to the processing of personal information entered in a record by a responsible party who processes the information in South Africa and is domiciled in South Africa, or is domiciled elsewhere but uses automated or non-automated means in South Africa to process the personal information. The POPIA generally applies to “responsible parties” (i.e., the principal processors of personal data, who determine the purpose and means of processing), and limited obligations also extend to “operators” (i.e., data processors).
The POPIA contains an open-ended definition of “personal information,” which generally means information relating to an identifiable, living natural person and, where applicable, an identifiable company or other similar legal entity. The definition includes information relating to partnerships and unincorporated persons, and provides a significantly detailed list of examples of personal information. These examples range from private correspondence and information about age, gender, sex and race to identifiers such as identity numbers, telephone numbers, location information, online identifiers, and personal opinions and preferences.
Under the POPIA, a responsible party processing personal information must comply with all eight conditions and the measures necessary to give effect to those conditions. Compliance must be achieved not only when the actual processing of information takes place, but also when determining the purpose and means of processing the personal information.
- Accountability: This condition requires that all processing of data occurs in compliance with POPIA. Practically, this requires that a data protection policy is established and that an internal information officer champions the aims of and compliance with the legislation.
- Processing limitation: Personal data must be processed lawfully and in a reasonable manner that does not infringe on a data subject's privacy. A responsible party must develop procedures and policies to ensure that personal information is processed in a “reasonable manner.”
- Purpose specification: Among other things, this entails that personal information may only be collected for a lawful, specific and explicitly defined purpose related to the function or activity of the responsible party collecting the information. Data subjects must be informed of the purpose of the collection, except in exceptional circumstances, such as when the responsible party is required to comply with an obligation imposed by law.
- Further processing limitation: Once personal information has been collected and lawful processing has occurred, a responsible party may only further process that data in limited circumstances. These limited circumstances are determined based on whether the purpose of the further processing is “compatible” with the previously defined purpose.
- Information quality: A responsible party must ensure that any personal information in its possession is complete, accurate, not misleading and updated when necessary. In maintaining information quality, the responsible party must consider the purpose for which the personal information is collected or further processed.
- Openness: A responsible party must compile a manual that contains stipulated information as required by the South African Promotion of Access to Information Act, 2000, including details on the information that it holds. When personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of: (1) the information being collected and the source of the information; (2) the name and address of the responsible party; (3) the purpose for which the information is being collected; (4) whether the data subject is required to provide the requested information, or may do so voluntarily; (5) the consequences of failing to provide the information; (6) the legal basis for the collection of the information; (7) whether the responsible party intends to transfer the information to a third country and the level of protection afforded to the transferred information; and (8) any further information necessary for the processing to be reasonable under the circumstances.
- Security safeguards: A responsible party must secure the integrity and confidentiality of any personal information in its possession or under its control by taking appropriate and reasonable technical and organizational measures to prevent loss, damage, unauthorized destruction of, and unlawful access to the personal information in its possession.
- Data subject participation:
- The data subject has the right to request confirmation of whether a responsible party holds personal information about the data subject. The data subject also has the right to request a record or description of the personal information about the data subject being held by the responsible party, as well as information concerning the identity of all third parties who have had access to the data subject's personal information.
- The data subject may request that a responsible party:
- correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained; and
- delete or destroy personal information that the responsible party is no longer authorized to retain.
POPIA is not intended to prevent the processing of personal information but to ensure that it is done fairly and without adversely affecting the rights of data subjects. Given the wide-ranging impact of the POPIA, it is expressly provided that all processing of personal information must conform with the POPIA’s provisions within one year after its commencement – a 12-month grace period beginning July 1, 2020.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code