Poppy Seed Pie for Breakfast....? - YES, Please!
by Amanda Roothman on 1 June 2021
Never work before breakfast.... If you MUST work before breakfast, eat your breakfast first.
GOOD MORNING!
Poppy Seed Pie, you ask? - well, yes.
While you pour yourself a great cup of coffee, let me explain...
Each and every business entity in South Africa must comply with the PoPI- and PAIA Acts...absolutely no pun intended!
PAIA & PoPIA are designed to promote the protection of personal information and to bring South Africa's privacy laws in line with international standards. It limits the rights of businesses to collect, process, store and share personal information. It also makes businesses accountable for protecting the privacy of this information.
On the one end, PAIA is an "Access" law, all about Freedom of Information. PoPIA on the other end, is about privacy - prevention of exposure of information.
- Who must comply with PoPIA and PAIA?
- The Act applies to any person or organisation who keeps any type of record relating to the personal information of anyone. This means all entities, such as Private Companies, Sole Traders and Partnerships.
- Every entity must have a Designated Information Officer. This will typically be the CEO of the company. This individual must be registered as such with the Department of Justice by no later than 30 June 2021.
- What is PAIA?
- The purpose of the Promotion of Access to Information Act (PAIA) is to promote the right of access to information, to foster a culture of transparency and accountability in SA.
- The PAIA manual, essentially explaining to others how they can get access to the records held by your company, must be submitted to the Department of Justice, also no later than this date. Remember, this is not access to the actual information, so by submitting this mandatory manual, you are neither disclosing your information, nor those of your clients, employees, service providers etcetera. Rest assured.
- What is PoPIA?
- The Protection of Personal Information Act (PoPIA) is essentially the data privacy law of SA, and aims to protect personal information. It enables businesses to regulate how information is organised, stored, secured and discarded.
- The PoPIA manual is an internal compulsory manual, in which the rules and procedures relating to the processing of personal information in your business are set out.
There are essentially 8 PoPIA conditions. I have simplified these conditions here:
- Accountability
The Designated Information Officer must ensure that the Personal Information data held within the company is safe, and policies and procedures are in place to secure this data. - Processing Limitation
Personal Information may only be processed in a fair and lawful manner, and only with the consent of the data subject. - Purpose Specific
Only information that is required for the specific purpose for which it is gathered may be stored. - Further Processing Limitation
Personal Information may not be processed for a secondary purpose unless that processing is compatible with the original purpose. Should you want to use existing personal information for any other purpose than what the information was gathered for, confirmation will be required from the data subject again. - Information Quality
The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary. - Openness
The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used. - Security Safeguards
Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure. - Data Subject Participation
Data subjects may request whether their personal information is held, as well as the correction and / or deletion of any information held about them.
Offences, Penalties and Administrative Fines
The most relevant offences to the PoPI Act, are:
- Any person who hinders, obstruct or unlawfully influences the Regulator;
- A responsible party which fails to comply with an enforcement notice;
- Offences by witnesses, for example, lying under oath or failing to attend hearings;
- Unlawful acts by responsible party in connection with personal data; and
- Unlawful acts by third parties in connection with personal data.
Failure to comply with the requirements of the PoPI Act, could have dire consequences, such as fines ranging up to R 10 million, and / or imprisonment for up to 10 years for serious offences.