In keeping with our March theme of human rights, today’s touch-point is the subject of data rights.
If you live or operate a business in South Africa, you will soon have POPIA (Protection of Personal Information Act) to comply with.
The Act gives people rights when it comes to unsolicited electronic communications; in essence, it is a code of conduct that all businesses must comply with.
What is the purpose of “POPIA”?
The Act aims to give effect to the constitutional “Right to Privacy” (Section 14 of the Constitution of the Republic of South Africa) by giving individuals and organizations specific requirements to process, retain, transfer, and destroy personal information in a manner that is fair, secure, and responsible.
To regulate the way personal information may be processed by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
To provide persons with rights and remedies to protect their personal information from processing that is not in accordance with the Act; and
To establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfill the rights protected by the Act.
What is “personal information”?
Information relating to an identifiable person (a living natural person or, where applicable, an existing juristic person), including:
race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, and birth
education or medical, financial, criminal or employment history
any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other identifier assigned to the person.
personal opinions, views, or preferences.
the views or opinions of another individual about the person.
correspondence sent by the person that is implicitly or explicitly of a private/confidential nature.
the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.
How compliant is your company?
Have you appointed an Information Officer?
Have you reviewed your PAIA policy?
Have you reviewed all third-party contracts and determined their operator compliance for the processing of personal information?
Are all your processes properly documented?
Is all client documentation updated in line with the latest POPIA policies and standards?
Have you created a data inventory of all fields of personal data across all systems?
Have you determined the retention requirements which govern the personal information in your environment?
Are your IT security standards up to date with all POPI policy changes?
Do you have a breach response policy?
Below are some takeaways, courtesy of ENS Africa, with 5 easy steps towards POPI compliance:
Appoint or reassess the role of the information officer.
Create awareness: In order to ensure effective compliance, buy-in from senior management all the way down the chain of command is needed. Make sure employees understand what data privacy legislation entails and what is required of them. This can be achieved through interactive awareness training.
Personal information impact assessment. Once all employees are informed, it is of paramount importance that audits take place within the company. It is imperative that employees understand what information is collected, how it is collected, by whom it is collected, what it is used for, how it is stored and processed, how it is retained and destroyed, and whether it was collected with the necessary consent. The company will then be in a position to identify gaps and produce a clear gap analysis and risk assessment report.
Develop a compliance framework, which can include processes and policies. A proper gap analysis will help identify which processes and policies have to be put in place, for example:
updates to employment contracts
updates to supplier agreements
changes to marketing practices (opt-in and opt-out best practice)
Implementation. The compliance framework should be implemented, monitored, and maintained. Policies and procedures do nothing to aid compliance if they are not properly implemented.
Whilst the focus of POPIA is on compliance, the suggested approach is to implement compliance in such a way that it delivers business value: build a company culture of privacy protection and awareness that becomes embedded in the business, improving the company's efficiency and effectiveness while meeting the compliance requirements.
(This article has been distributed for information purposes only and may not be construed as legal advice.)
Tiffany Reed: HR & EE Consultant - Compliance Hub