THE PROTECTION OF PERSONAL INFORMATION ACT (PoPI)
IMFO
Institute of Municipal Finance Officers & Related Professions
AGENDA
• PoPI status
• Overview of PoPI – Why do we have PoPI; Who/What is affected?
• PoPI conditions & special requirements; definitions and penalties
• Top 6 things to do
PoPI Status
• The Parliament’s Portfolio Committee for Justice and Constitutional Development voted positively on 24 July 2013, on the changes brought on by the National Council of Provinces
• It was passed by the House of Assembly on 22 August 2013
• It was signed into law by the President on 26 November 2013
• 11 April 2014: President proclaimed the commencement date of selected sections (re appointment of Regulator)
• 19 May 2015: Treasury agreed and endorsed the grading of the Regulator
• 14 August 2015: Candidates were nominated
• 11 November 2015: Parliament asked for a meeting to discuss the role of the Information Regulator. The outcome of the meeting is that Parliament has asked for another workshop to be set up in 2016 for all relevant stakeholders
• The President is yet to appoint a Regulator and announce the commencement date of the remainder of the Act (expected in 2016)
Why do we have PoPI?
Overview of PoPI
• PoPI gives effect to the constitutional right to privacy in Section 14 of the Bill of Rights of the Constitution of South Africa
• Alignment of legislation with other countries (more than 100 other countries already have Privacy legislation)
• Poorly protected personal information has led to:
  • Rising levels of identity theft and associated fraud
  • Intrusions on the privacy of individuals
  • Fines imposed by Regulators
Who/What is affected?
Overview of PoPI
Applies to:
• Public and private sector
• Natural and juristic persons
• Paper and electronic records
Affects all areas of business:
• Employees
• Customers
• Suppliers
• Information held on behalf of third parties
Covers:
• Eight information processing conditions
• Direct marketing by electronic communication and automated decision-making
• Trans-border information flows
• Rights of data subjects
• Establishment of Regulator
• Enforcement provisions
8 Conditions
PoPI conditions & special requirements
1. Accountability – Responsible party ensures compliance
2. Processing limitation – Lawfulness, Minimality
   – Consent, justification and objection
   – Collection directly from the data subject
3. Purpose specification – Collection for a specific purpose
   – Retention of records
4. Further processing limitation – Further processing compatible with purpose of collection
5. Information quality – Quality of information
6. Openness – Documentation of processing operations
   – Notification to data subject when collecting personal information
7. Security safeguards – Integrity and confidentiality
   – Information processed by Operator
   – Notification of security compromises
8. Data subject participation – Access to and correction of personal information
– Direct marketing – electronic and unsolicited: Consent, opt-in and opt-out
– Cross border transfers: No transfer outside RSA unless conditions are met
– Special Personal Information: Children, race, gender, health, etc.
Personal Information
PoPI definitions
“personal information” means information relating to an identifiable, living,
natural person, and where it is applicable, an identifiable, existing juristic person,
including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin,
colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief,
culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the
person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location
information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or
further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the
disclosure of the name itself would reveal information about the person;
Processing
PoPI definitions
“processing” means any operation or activity or any set of operations, whether or not by automatic
means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval,
alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
Record
PoPI definitions
“record” means any recorded information—
(a) regardless of form or medium, including any of the following:
(i) Writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer
equipment, whether hardware or software or both, or other device, and any material subsequently
derived from information so produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes any thing of which it forms part,
or to which it is attached by any means;
(iv) book, map, plan, graph or drawing;
(v) photograph, film, negative, tape or other device in which one or more visual images are
embodied so as to be capable, with or without the aid of some other equipment, of being
reproduced;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
PoPI penalties
“Any person convicted of an offence in terms of this Act, is liable, in the case of
a contravention of—
(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a
period not exceeding 10 years, or to both a fine and such imprisonment; or
(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not
exceeding 12 months, or to both a fine and such imprisonment.”
Administrative fine – may not exceed R10,000,000
Put privacy governance in place
Top 6 things to do
Support and commit to privacy
● Accountability ● Privacy governance charter ● Privacy steering committee
Guide and direct privacy
● Privacy policy ● Minimum control standards ● Regulatory response guidelines ● Contract provisions ● Pre-contract assessments
Inform and educate the organisation about privacy
● Training ● Awareness
Focus on data elements
Top 6 things to do
[Figure: bar chart, "Number of occurrences of data elements in surveyed applications" (axis 0 to 35). Personal data elements shown: Income/Salary/etc.; Passport number; Business registration number; Postal address; Financial institution account number; National Identity / Social Security Number; Customer Number]
Conduct and learn from gap assessments
Top 6 things to do
PoPI Compliance Readiness
Understand data flows
Top 6 things to do
Instill an information protection culture
Top 6 things to do
Training
Top 6 things to do
Executives
Management
All Employees
- Presentations
- Regulatory Dialogue Sessions
- Classroom Based Training
- General Awareness Activities
- Online Training
- Webinars
Thank You!
Busisiwe Mathe
PwC Director
+27 (82) 210 3121
+27 (11) 797 4875