The purpose of the PoPI Act is to make sure that all South African institutions conduct themselves in a responsible and reliable manner when collecting, processing, storing and sharing another entity’s personal information. This is ensured by holding them accountable should they abuse or compromise your personal information in any way.
(credit of this image goes to Miltons Laws)
The PoPI legislation considers your personal information to be “precious goods” and, therefore, aims to grant you, as the owner of your personal information, certain rights of protection and the ability to exercise control over it. These rights include:
- when and how you choose to share your information (this, importantly, requires your consent)
- the type and extent of information you choose to share (must be collected for valid reasons)
- transparency and accountability on how your data will be used (limited to the purpose) and notification if/when the data is compromised, should it be compromised at any stage
- providing you with access to your own information as well as the right to have your data removed and/or destroyed should you so wish
- who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information
- how and where your information is stored (there must be sufficient measures and controls in place to safeguard your information and protect it from theft or compromise)
- the integrity and continued accuracy of your information (i.e. your information must be captured correctly and, once collected, the institution has the responsibility to maintain it)
(credit of this image goes to Metrofile)
Examples of “personal information” for an individual would include:
- Passport and/or identity number
- Age and date of birth
- Phone number/s (including mobile phone number)
- Email address/es
- Online/Instant messaging identifiers
- Physical address
- Gender, race and ethnic origin
- Photos, voice recordings, video footage (also CCTV), biometric data
- Marital/relationship status and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Salary information and employment history
- Financial information
- Education information
- Physical and mental health information including medical history, blood type, details on your sex life
- Membership of organisations/unions
It must be noted, however, that some personal information, on its own, does not allow a third party to confirm or surmise someone’s identity to the extent that this information can be used/abused for other purposes. For example, the combination of someone’s name and phone number and/or email address is a lot more significant than just a name or phone number on its own. As such the Act defines a “unique identifier” to be data that “uniquely identifies that data subject in relation to that responsible party”.
We have to acknowledge and accept that we live in an information age and along with this progress comes the responsibility for each person to take care of and protect their own information. Do not accuse someone else of sharing or compromising your personal information when you publish the very same information on public services like Facebook, LinkedIn, Google+ or public directories.
It is easy to access, collect and process high volumes of data at high speed because of modern technology. This information can then be sold, used for further processing and/or applied towards other ends. In the wrong hands the ability to do such things can cause irremediable harm to individuals and companies. To protect your right to privacy and prevent the abuse of your information, data protection legislation is necessary, even if it means imposing some social limits on society to balance the technological progress. Therefore, it is important to remember: the PoPI Act cannot protect you if you do not take care to protect yourself.
(credit of this image goes to TechReport)
It is important to note, though, that this right to protection of “personal information” is not just applicable to a natural person (i.e. an individual such as you or me) but also to any legal entity, including companies, communities and other legally recognised organisations. All of these entities are considered to be “data subjects” and are afforded the same right to protection of their information. This means that, while you as a consumer now have more rights and protection, you and your company/organisation are also considered “responsible parties” and have the same obligation to protect other parties’ personal information. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, etc.
The PoPI legislation is not a rare or unique phenomenon in South African law. Many countries have similar legislation in place to protect the personal information of their “data subjects”, including rules and regulations for international (cross-border) transfer and sharing of data. The general agreement seems to be that, apart from an unrealistic implementation period of one year and some practical implementation challenges, the PoPI Act is well thought out and implements the “best of” other similar international laws, learning from their mistakes and shortcomings.
As usual, ignorance of the law is no excuse. Incorporating the PoPI Act into the day-to-day operations of a business will most likely require a significant amount of time and effort, including: educating and training your staff, updating business processes and implementing or updating technology solutions. If you do not have a business nervous system (BNS/ENS) to facilitate this then early action is essential.
Here at Artibeus IT Support, we recognize the importance of the PoPI Act and we ensure that we respect and protect the information of our clients and make sure that our staff are not ignorant regarding the subject.