“POPI”, the Protection of Personal Information Act 4 of 2013, is nearing its long-awaited implementation. It looks like POPI is back on track and Parliament is proceeding to appoint the Information Regulator, who should be in place by July 2016. Regulations and dates of actual implementation will then have to be published. The Act was in the pipeline for several years and is one of the longest pieces of legislation, with 115 clauses. It was signed by the President on the 19th of November 2013 for general information.
It is important to note that the compilation and usage of lists is not outlawed, but regulated.
It is now time to review your practical proactive engagement to comply not just with the letter of the law, but also with its spirit, as POPI is principle-based and NOT rule-based.
Accountability, purpose-driven, openness, transparency under strict safeguards for integrity and security of processing.
The Act applies to most of us on a very wide scale.
- It applies to all personal information of identifiable living persons or entities: natural and juristic persons, private and public bodies
- All companies, in general, and also several of their divisions holding personal information, natural or juristic
- The 3 tiers of government: municipalities, provincial and national, all parastatals and service providers
- And covers the full life cycle of the processing of personal information including all suppliers
At this stage, here are some initial practical steps which you could implement now to help you down the line:
- Appoint an Information Officer in your organization to take responsibility to drive and oversee the implementation of POPI.
- Review, understand and document your company’s processes, using the requirements of the conditions of POPI; tick off what you are already doing and itemize the gaps.
- Review your guidelines for best practices to underpin POPI conditions, to ensure that the purposes for which the data has been collected, processed and used are clear and reasonable to comply with, and that the data is kept under strict security.
- Review contracts with suppliers/clients/storage of data.
- Include internal policies on the use of social media to ensure confidentiality and reputation of the company.
- Test against a risk management policy.
- Involve the staff for suggestions, train and share.
- Keep consumers updated on your openness and transparency and respect their request on how, and MAYBE NOT, to use their information.
This is a brief overview and the beginning of a conversation; share your good ideas or your concerns to unpack in future blogs.
Written by Effective Intelligence Ombudsperson, Christiane Duval