The Personal Information Protection Bill

Data Protection a big deal for businesses


The objective of the Protection of Personal Information Bill (POPI) will be a comprehensive protection of information relating to personal detail of an individual.

At present, South Africa does not have comprehensive privacy or data protection legislation. Some aspects are covered in various other statutes which are consumer protective such as the Consumer Protection Act, the National Credit Act and the Electronic Communications and Transactions Act.

In a move to give effect to the right to privacy which is entrenched in South Africa's constitution and in order to align South Africa with many other international jurisdictions that have privacy or data protection legislation in place, the Government introduced the Protection of Personal Information Bill in 2009 (POPI).

POPI has been in the pipelines for a number of years and with its draft stage having reached finality, it is anticipated to be passed by the end of this year. The objective of POPI will be a comprehensive protection of information relating to personal detail of an individual.

In POPI, personal information is defined as covering a very wide range of data pertaining to individuals and juristic persons. Furthermore, POPI differentiates between different types of personal information and the sensitivity thereof. The more sensitive information is defined as special information, which is information that relates to religious beliefs, health data, trade union membership, political persuasion or criminal behaviour of a data subject, and such information requires greater protection under the law.

The new law is intended to cover any person or entity that collects, uses or stores, (in any manner whatsoever) personal information and will therefore involve the majority of organisations conducting various types of businesses having to assess how they handle personal information.

POPI provides rights for individuals to:

  • know the reasons that their information is collected;
  • know the purposes for which it will be used;
  • have the right to object, on reasonable grounds, to use of their information; and
  • enquire whether an organisation holds information about the individual, view and correct that information, and ask that it be deleted.

POPI also requires organisations to only collect and use the minimum information necessary to accomplish their objectives, to maintain such information accurately, to safeguard personal information, and to delete or destroy information when it is no longer needed. Notably, organisations will be required to notify the individual(s) and the new Information Regulator (once appointed) of any compromises to their personal information, including loss, theft, unauthorised access or disclosure, hacking incidents, and so on.

From a practical point of view almost all businesses will need to:

  • ensure that standard terms and conditions cover the authority to use any information submitted to the organisation for purposes which such organisation requires to use that information;
  • be careful how the information is used and to whom the information is disclosed; and 
  •  devise proper secure storage of data.

Comprehensive data handling strategies, processes and procedures as well as systems will need to be devised and implemented in order to comply with the legislation.

POPI was passed by the National Assembly in August 2013, and is awaiting the President's assent.  Once POPI becomes law, it will place a notable onus on businesses that process any personal data in respect of any person. Failure to comply will in all probability result in an administrative fine of no less than R10 million for non-compliance, while offences may also result in criminal charges or lengthy prison sentences.   


comments powered by Disqus


This edition

Issue 83


BBQ_Magazine_SA BBQ Magazine sat down with Clinton Walker, the Director of e-learning for the Western Cape Education Department for… 5 months - reply - retweet - favorite

BBQ_Magazine_SA is a statutory regulator and manager of the .ZA namespace - the internet country code top-level domain fo… 5 months - reply - retweet - favorite

BBQ_Magazine_SA BBQ magazine sat down with self-made real estate entrepreneur, who aims to bring new blood into the o… 5 months - reply - retweet - favorite