Everything you need to know about the POPI Act
What is PoPI?
PoPI is an abbreviation for “The Protection of Personal Information”.
Simply put, the PoPI Act is there to make sure that all South African institutions conduct themselves in a responsible manner when working with another entity’s personal information. It does this by holding these institutions accountable should personal information be abused or compromised in any way. Personal information is classified as “precious goods”. This then gives you as the owner of said “goods” certain rights of protection and control over this information.
What rights does the PoPI Act give me?
- when and how you choose to share your information (requires your consent)
- the type and extent of information you choose to share (must be collected for valid reasons)
- transparency and accountability on how your data will be used (limited to the purpose) and notification when the data is compromised
- providing you with access to your own information as well as the right to have your data removed and/or destroyed should you so wish
- who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information
- how and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised)
- the integrity and continued accuracy of your information (i.e. your information must be captured correctly and, once collected, the institution is responsible for maintaining it)
What information is regarded as personal?
- Identity and/or passport number
- Date of birth and age
- Phone number/s (including mobile phone number)
- Email address/es
- Online/Instant messaging identifiers
- Physical address
- Gender, Race, and Ethnic Origin
- Photos, voice recordings, video footage (also CCTV), biometric data
- Marital/Relationship status and Family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information including medical history, blood type, details on your sex life
- Membership in organisations/unions
Not all of the above would qualify on its own as personal information. In combination with other information, it becomes “unique” and thus very personal. The combination of someone’s name and phone number is a lot more significant than just a name or phone number on its own. As such the Act defines a unique identifier to be data that uniquely identifies that data subject in relation to that responsible party.
Why is this information so important?
Information can now be traded or sold as a commodity. Identity theft and credit fraud are some of the criminal uses for personal data. At a less malicious level, you may become the target of marketing campaigns. The PoPI Act attempts to curb these activities. Thus regulations around the use of this information can be stricter and more enforceable.
Remember, no Act can protect you if you do not take care of this “personal precious commodity”.
It is important to note though that this right to protection of personal information is not just applicable to a natural person (i.e. an individual) but any legal entity. This includes companies and communities or other legally recognised organisations. All of these entities are considered to be data subjects and afforded the same right to protection of their information.
There is also a website with more information about how the Act impacts our lives and businesses. Visit the POPIA website.
We take the utmost care to protect our client information and will never share this with any third party unless explicitly instructed to do so by either the information owner or a lawful court order.