Conrad Dormehl
24 June 2020

The Protection of Personal Information Act, 2013 (Act 4 of 2013) (“POPIA”) has been with us in its current form for some time now. It is common cause that the provisions therein contained place a number of onerous obligations on so-called “responsible parties” in relation to the processing of “personal information”.

What exactly is meant by “personal information” is a vitally important aspect which must be understood when considering the impact of POPIA.  Without providing any form of overly elaborate explanation, we merely highlight the three following pertinent examples which (in terms of POPIA) are construed to be “personal information”:

  1. Information relating to a person’s race, gender or sex;
  2. ID numbers;
  3. The blood type or any biometric information of a person; and
  4. Information relating to a person’s financial, criminal or employment history.

When one considers the fact that employers, doctors, lawyers, schools, universities, homeowners associations, insurance agencies, call centres, banks and numerous other governmental institutions (to name but a few) process such information on a daily basis, it is evident that POPIA has far-reaching consequences and its application is possibly wider than many may care to think.

For some time, a large portion of those who stood to be affected by the provisions of POPIA have thought “That’s all good and well, I will cross that bridge when I get there”. Following the proclamation in Government Gazette No 43461 on the 22nd of June 2020, it appears as if those affected by the Act are now well and truly confronted with this proverbial “bridge”.

This article seeks to caution and forewarn those affected by the provisions contained in the Gazette referred to above (which quite frankly, constitute almost everybody) as to the obligations which have been thrust upon them to get their houses in order for purposes of complying with the peremptory requirements for the lawful processing of information set out in POPIA.

POPIA essentially seeks to give effect to Section 14 of the Constitution which entrenches everyone’s right to privacy. POPIA promotes the protection of personal information processed by public and private bodies and seeks to strike a balance between individuals’ and entities’ rights to privacy and reciprocal rights of access to information. POPIA was already promulgated into law during the course of April 2014. Following such date, the legislature has adopted a system of incremental implementation of the Act by way of the proclamation of certain sections into operation over a period of time.

Following the notice in the Gazette, the President has now proclaimed the following sections into law:

  1. Sections 2 to 38, Sections 54 to 109, Section 111 and Section 114 (1), (2) and (3); and
  2. Section 110 and 114 (4).

The Sections mentioned in the first numbered paragraph will take effect on the 1st of July 2020 and the Sections mentioned in the second paragraph will come into operation on the 30th of June 2021.

The importance of the promulgation of the abovementioned Sections into law is that they, amongst other things, impose the conditions and prerequisites for the lawful processing of personal information.

Of particular importance are the provisions contained in Section 114 (1) of the Act which state that all forms of processing of personal information must, within one year after the commencement of the particular Section, conform with the requisites set out in the Act. This effectively means that compliance with the Act will be compulsory from the 1st of July 2021.

When one has regard to the onerous obligations which are set out in POPIA and the fact that responsible parties (in particular, organizations which process large amounts of personal information) will have to put in place systems and develop procedures so as to ensure that they prevent falling foul of the provisions of POPIA, a period of just beyond 12 months to get one’s house in order is not as long as it may seem at first blush.

POPIA creates a number of different criminal offences relating to failure to comply with items such as regulatory enforcement notices or the breach of a person’s confidentiality. These offences attract penalties which may result in a fine or even imprisonment for a period of up to 10 years. In addition thereto (and perhaps even more significantly), remedies are created for individuals whose personal rights to privacy are infringed. These include the right to claim compensatory damages for financial and non-financial loss.

Now that the 10 years’ imprisonment, potential statutory fines and lawsuits have grabbed your attention, we would strongly suggest that you take careful cognizance of developments relating to the impending operation of POPIA as well as measures which are to be put in place to ensure compliance therewith so as to ensure your business steers well clear of the pitfalls that non-compliance poses. Given the state of the economy and the financial turmoil suffered by businesses at large, businesses can ill afford the reputational and financial loss which they stand to suffer through non-compliance with the provisions of POPIA.