The Protection of Personal Information Act (POPI) is aimed at regulating the use and safeguarding of personal information.
It is a simple fact that every business in some way or form stores personal information, whether it be employment records for staff or client information needed to open an account. In some instances even suppliers are vetted by way of investigating certain types of personal information.
It is thus a set of regulations that every business must consider seriously. Businesses must become compliant before November 2014, and by so doing save themselves from a potential R10 million fine or ten years' imprisonment.
What should businesses know now?
1. What is personal information?
Personal information is any information which includes a person’s name (including a juristic person such as a company), contact details, religion, sexual orientation, personal views, private correspondence, health records, employment records, financial records, etc.
2. Lawful processing of information
In this context processing means any activity or operation relating to personal information of a data subject (natural or juristic person). Businesses must ensure that processing is done in a lawful manner, which means:
- Ensuring compliance with POPI;
- Processing information in a reasonable manner not unlawfully infringing on the right to privacy;
- Purpose of collection of the information must be both lawful and related to a lawful function or activity;
- The information collected must be comparable with the purpose of its collection;
- The information provided must be accurate, complete, updated and not misleading;
- The person to whom the information belongs must be aware of all matters pertaining to the information;
- Take certain steps to ensure that the integrity of the personal information is protected and not lost, destroyed or unlawfully acquired;
- The person whose information is being held may question any aspect of the information.
3. Policy Regulation
Policies regulating the collection, storage and release of information should be drafted for every business. Businesses should assess the degree to which they are processing personal information and whether it is necessary, and if so, put measures in place to guide all team members and ensure compliance.