The Protection of Personal Information Act (POPI) is South Africa’s first piece of legislation to solely address data privacy issues. The Act has been closely modelled on the European Union’s Data Protection Directive which will in turn make it easier for European companies to do business within the Republic. While POPI directly addresses data privacy and processing, previous legislation has helped to pave its way. The Electronic Communications and Transactions Act of 2002 contains two sections on the protection of personal information, namely the scope of protection of personal information (Section 50) and the principles for electronically collecting personal information (Section 51). These provisions, however, are only voluntary and relate to personal information that has been obtained through electronic transactions. These provisions will be repealed once POPI comes into effect
As with any piece of legislation, this Act has very specific purposes that its requirements aim to achieve. One such purpose is to uphold the constitutional right to privacy (which is enshrined in section 14 of the Constitution of South Africa 1996) by means of protecting an individual’s personal information.
This right to privacy must, however, be balanced against other rights such as the right to access to information and free flow of information. The Act will regulate every aspect of the processing of personal information, from its collection to its destruction and everything in between such as storage and safeguarding. It will also provide persons with recourse should their personal information not be processed in the prescribed manner. This recourse will be in the form of an Information Regulator to be established in accordance with the Act.
APPLICATION OF THE ACT
The Act will apply to the processing of personal information recorded by automated and non-automated means in order to form part of a filing system (i.e. POPI will apply whether the documents are in a digital format or paper documents in a filing cabinet). This includes all companies domiciled (having a principal place of business) within the Republic as well as those domiciled elsewhere that make use of automated or non-automated means of processing personal information within the Republic. Companies that are not domiciled within the Republic that use automated or non-automated means only to forward personal information through the Republic are excluded from compliance.
The Act does not apply to the processing of personal information in the course of a purely personal or household activity. Therefore, the manner in which you store and process your own personal information is entirely up to you. If you were to run a business from home, however, you would be deemed a data processor and would need to ensure complete compliance with the Act.
Personal data that has been de-identified so that it cannot be re-identified again is also not covered by the Act. To de-identify a data subject’s personal information means to delete any information that identifies the data subject, or which can be linked or manipulated to identify the data subject. Public bodies, or anyone working on their behalf, are exempt from the requirements of the Act when processing personal information that involves national security. This includes activities that aim at assisting in the identification of the financing of terrorists and related activities, defence or public safety as well as preventing, detecting and combating money laundering. However, safeguards still need to be in place to ensure the protection of such personal information.
TYPES OF PERSONAL INFORMATION The types of information that are classed as personal information are very broad and include:
▶ information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; ▶ information relating to the education or the medical, financial, criminal or employment history of the person; ▶ any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other Personal information is information relating to: An identifiable, living, natural person An identifiable, existing juristic person.
Particular assignment to the person such as a Twitter handle or Skype name;
▶ the biometric information of the person; ▶ the personal opinions, views or preferences of the person; ▶ correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; ▶ the views or opinions of another individual about the person; and
▶ the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; With regards to the preceding example of the store that wants to establish a loyalty program, it is clear from the above definition that the majority of the information that the store wants to obtain from the prospective subscriber is in fact personal information. This means that most of the information that they obtain needs to be handled in terms of this Act and must be protected accordingly.
DATA SUBJECTS’ RIGHTS
Data subjects are granted certain rights under the Act that public and private bodies must uphold. These rights are summarized below and discussed in depth in the chapters that follow.
Data subjects have the right to:
▶ be notified that information about them is being collected or that their information has already been accessed or acquired by an unauthorized person;
▶ establish whether a responsible party holds their personal information and to request access to this personal information; ▶ request, where necessary, the correction, destruction or deletion of their personal information;
▶ object, on reasonable grounds, the processing of their personal information;
▶ object to the processing of personal information for direct marketing purposes;
▶ not have their personal information processed for the purposes of direct marketing by means of unwanted electronic communication;
▶ not be subject (under certain circumstances) to a decision based solely on the basis of the automated processing of their personal information intended to create a profile of such a person;
▶ submit a complaint to the Information Regulator regarding any alleged interference with the protection of any personal information of any data subject;
▶ Institute civil proceedings regarding alleged interference with the protection of their personal information.
Simply put, this condition states that a responsible party must ensure that all requirements and conditions of the Act are complied with at all times during data collecting, processing and storage as well as when determining the purpose and means of processing the personal information.
Cyber-crime refers to any illegal activities utilizing, or against, computer systems or networks, and the internet including criminal acts such as hacking, phishing, and denial or service attacks.
Forms of cyber-crime include:
Denial of Service (DOS) Attack - a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Malicious Software (Malware) - software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse. This malicious software can enable cyber-criminals to invade a computer undetected, take control of it and extract sensitive documents. Industrial (Cyber) Espionage - the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature), from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using methods on the Internet, networks or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware. Phishing - the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. South Africa is particularly prone to phishing schemes and is the second most targeted country globally according to information security and privacy practice 4Di Privacy claiming to be from an established organization. These emails are sent in an attempt to solicit personal information such as bank account details. The emails often contain a link to a fraudulent website where users are asked to update their personal information. Cyber-criminals then use this personal information to obtain funds or sell the data on to clearing houses. The South African Revenue Service (SARS) has been a favored front for cyber-criminals trying to obtain personal information. Over the last five years SARS has issued more than 50 warnings to consumers about scams being perpetuated under their name.
Any person convicted of an offence, in terms of the Act, is liable to a fine of up to R10 million or imprisonment depending on the offence. Prison sentences vary and are under 12 months for lesser offences and up to ten
years for gross offences.
Where a responsible party is alleged to have committed an offence in terms of this Act, the Regulator may issue an infringement notice. This notice must include the amount of the administrative fine that is payable by the responsible party (if any).
The Regulator must consider the following factors when determining an appropriate fine:
▶ The nature of the personal information involved; ▶ The duration and extent of the contravention; ▶ Number of data subjects affected or potentially affected (by the contravention);
▶ Whether or not the contravention raises an issue of public importance;
▶ The likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects; ▶ Whether the responsible party or a third party could have prevented the contravention;
▶ Failure to carry out risk assessment or failure to operate good policies, procedures and practices (to protect personal information);
▶ Whether the responsible party has previously committed an offence in terms of this Act.
The infringement notice must also inform the infringer that they have 30 days in which to pay the administrative fine, make arrangements with the Regulator to pay the fine in instalments or elect to be tried in court. If an infringer elects to be tried in court on a charge of having committed the alleged offence in terms of this Act, the Regulator must hand the matter over to the South African Police Service and inform the infringer accordingly.