Protection of Personal Information Act [B 9D – 2009]
The Protection of Personal Information Act (PoPI) was approved by the National Assembly on 20 August 2013, after minor amendments proposed by the National Council of Provinces in 2012; the president signed it and it became law on 26 November 2013.
The Protection of Personal Information (PoPI) Act is born out of section 14 of the Constitution of the Republic of South Africa, 1996, which provides that everyone has the right to privacy. This right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information; and that the State must respect, protect, promote and fulfil the rights in the Bill of Rights.
The intention of PoPI, dubbed an ‘information revolution’, is essentially to ensure that information is properly processed. Its purpose is to give effect to the constitutional right to privacy by safeguarding personal information when it is processed by a responsible party.
IQ Business harnessed its knowledge of PoPI to create a short survey gauging compliance, current priorities and attitudes among qualified individuals around the country, in partnership with the South African Institute of Chartered Accountants (SAICA).
The final sample comprises 65 completed surveys from companies across different sectors, ranging from Health and Life Sciences to Banking, Mining and Consulting.
The companies in the sample represent all sizes of organisations with 54% small (fewer than 50 employees), 20% medium (50–250), and 26% large (250+).
Currently, South African companies show only minimal compliance with PoPI principles and a small amount of effort dedicated to improving compliance. In part this may be due to the fact that at the time of the survey PoPI had not been signed into law yet.
However, now that the bill has been passed into law, South African companies have a lot of work to do in a short space of time.
Figure 1: Overall compliance indicator (panels: Overall compliance indicator; Current effort)
Verbatim comments suggested that while many were eager to comply, there was a wait-and-see attitude as to whether the bill would ever become law. In fact, it was only a few months after respondents expressed this attitude that the bill was indeed signed into law. Interestingly, it is especially the larger companies, often with many private records under management, that hold this view, while smaller companies tend to take PoPI more seriously, showing concern for what the legislation would do to their businesses and how it would impact cost.
Despite the overall low compliance, there are a few high performers in our sample. Approximately one in ten companies show good or excellent progress on most of the principles.
These high performers stand out, as they have employees tasked with taking privacy issues and compliance seriously. Even among these high performing companies, Openness and Data Subject participation remain the relative areas of weakness.
PoPI principles: summary
The IQ PoPI study included questions about all eight guiding principles. We calculated an overall score per principle, acting as an indication of compliance on each principle.
Figure 2: Compliance indicator per principle (principles shown: Accountability, Process limitation, Purpose specification, Further processing, Information quality, Security safeguards, Data subject participation)
Survey results per principle
Principle 1: Accountability
This principle outlines the corporation’s commitment to safeguarding a person’s constitutional right to privacy.
Accountability scores the lowest of all principles on the compliance indicator, in part perhaps because it refers to compliance with all principles, which is still low overall. In addition, very few companies (only 15%) have a dedicated information officer to take responsibility for privacy issues.
In response to the question: Does your company have an individual responsible for complying with the regulations around protection of personal information, such as an Information Officer?
Principle 2: Process limitation
Personal information may only be processed where, given the purpose(s) for which it is collected or subsequently processed, it is adequate, relevant and not excessive.
While few companies confess to ‘across the board’ collection of information without consent (9%), around one third (34%) do actually collect information without consent from time to time. Around one in every two do not take care to collect only the required information.
In response to the question: When you collect personal information from individuals, do you …
Purpose specification
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. 69% of companies do inform individual customers about the reasons for which personal information is required. However, only 40% have formal policies in place regulating the matter.
In response to the question: How well do you think your company understands the requirements for the collection, retention and destruction of personal information?
Further processing limitation
When companies wish to do further information processing, the additional processing must be compatible with the purpose for which the information was originally collected. Six in ten companies are confident that they never use personal information collected for anything outside of the originally identified purpose.
However, very few (only two in ten) actually have a policy or procedure in place to govern the use of data. Perhaps then it is not surprising that most companies feel that they have not yet made any progress (51%) or very little progress (39%) on this principle.
In response to the question: Do you ever use personal information collected for anything outside of the originally identified purpose (known as further processing)?
Information quality
This principle outlines the company’s responsibility to ensure that reasonable steps are taken to ensure that the personal information collected is complete, accurate and not misleading.
South African companies do not currently invest much in ensuring data quality. Only 17% have an employee with assigned responsibility for overseeing data quality. While a quarter admit to not having any processes in place to ensure accurate and updated personal information, the majority can only claim limited processes at best.
In response to the question: Do you have processes in place to verify that personal information is accurate, complete and current across all information sources?
Openness
This principle requires that companies be unambiguous and transparent when collecting personal information.
In response to the question: Is there a notification process in place to alert individuals in the event of a loss or disclosure of their personal information?
Security safeguards
This principle requires that all personal information should be kept secure against the risk of loss, disclosure, unauthorised access, interference, modification or destruction.
In response to the question: Does your company …
Data subject participation
Principle 8 requires that companies allow individuals to access and/or request the modification or deletion of any personal information held about them, which may be inaccurate, misleading or outdated.
In response to the question: Customers sometimes want to know if a company holds information about them, or to find out the exact details on record. How does your company deal with these kinds of requests?
Individuals in South Africa cannot yet participate to the extent of being able to enquire about their own information held by a company. Only three in ten companies would definitely provide an individual with information pertaining to their own personal information, and 23% actually have a policy not to share this information with the person concerned.
Risks and benefits
PoPI will be mandatory for private and public bodies and the new legislation is unprecedented in South Africa. Much like its Payment Card Industry (PCI) parallel, PoPI compliance is likely to be considered a ‘grudge’ project and as such, an organisation’s goal will typically be compliance with minimal business and financial impact. However, underestimating the impact of PoPI is a real risk and non-compliance could result in companies and individuals facing penalties including fines and/or jail time (up to R10 million and/or ten years), which will be imposed by the regulator. The reputational risk will be far more significant and will in all likelihood have a financial, as well as a public confidence, impact.
There are a number of benefits to PoPI compliance, including transparency of what data and personal information (PI) organisations have, where it is located, its accuracy, who within the organisation has access to the PI (to view, create and update) as well as compliance with existing legislation, such as the Protection of Access to Information Act (PAIA). But, first and foremost, PoPI compliance presents a perfect opportunity for achieving customer trust.
Author: IQ Business Group.