The Protection of Personal Information Act - implications for South Africa

THE IMPORTANCE OF PERSONAL INFORMATION IMPACT ASSESSMENTS:

The Protection of Personal Information Act (Act No. 4 of 2014) (“POPIA”) commenced on 1 July 2020. All business and legal entities, whether owned by individuals, companies, partners, sole proprietors, close corporations, NGOs/PBOs, associations and business trusts, including dormant entities, are required to comply with POPIA.

Personal information is any information that relates to a living, identifiable natural person or an existing juristic person (like a company). POPIA provides certain compulsory conditions relating to the processing of personal information and establishes an enabling framework for persons and entities (data subjects) to exercise their related rights.

SAFEGUARDING OF PERSONAL INFORMATION:

POPIA gives effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party. This entails that a responsible party is required to maintain the confidentiality and integrity of personal information under its control by taking appropriate, reasonable technical and organizational measures to prevent:

• the loss of, damage to or unauthorized destruction of personal information; and
• unlawful access to or processing of personal information

POPIA requires that a responsible party must have regard to generally accepted information security practices and procedures when determining which measures to implement to safeguard personal information. These may be generally required in terms of specific industry or professional rules and regulations.

Responsible parties are further required to take reasonably practical steps to ensure that personal information processed by them is accurate, up to date, complete and not misleading.

PERSONAL INFORMATION IMPACT ASSESSMENTS:

This is where personal information impact assessments (“PIIAs”) come in. Regulation 4(1)(b) of the Regulations published in terms of POPIA (“the POPIA Regulations”) create a legal obligation on responsible parties to perform PIIAs to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.

Organisations and businesses can use PIIAs to assess and identify organisational risks for data subjects which exist due to certain technology or systems used by the organisation and determine the most appropriate measures and standards to remedy and prevent the risks.

Regulation 4(1)(b) of the POPIA Regulations requires such PIIAs to be carried out regardless of the level of risk that is likely to emanate from the nature, scope, context, or purpose of the data processing conducted for the rights of the affected data subjects.

THE STARTING POINT:

Businesses can easily feel overwhelmed with the myriad of obligations seemingly imposed by POPIA. The starting point for a PIIA entails a careful analysis and description of the data processing taking place in an organisation, including the purposes (and where applicable, legitimate interests) of the responsible party in terms of Section 11(1)(f) of POPIA.

In order to consider the nature and seriousness of the risk, the responsible party must involve data subjects in its analysis, and where appropriate give them a chance to express their views on the intended processing. This will enable the processing to take place proportionately (Section 10 of POPIA) and in relation to the risks, and the rights of data subjects can be sufficiently assessed for purposes of Section 11(1)(d) of POPIA.

Once the risks to an organisation have been identified and safeguards, security measures and protection mechanisms of personal information have been implemented, and an organisation can demonstrate overall compliance with POPIA as required by Section 8, an organisation’s PIIA is completed.

IS FAILURE TO COMPLY A BIG DEAL?:

If a responsible party fails to adequately protect personal information processed by it, such deviation from the required standard of foreseeable harm creates negligence on the part of the responsible party, regardless of whether the failure occurred as a result of an act or omission by the responsible party itself, the information officer, an employee or contractor or service provider. A responsible party can therefore be held liable for harm to data subjects that result from such deviation. The burden of proof in this instance is on the responsible party to show that it identified reasonably foreseeable risks and implemented measures to mitigate them. POPIA also imposes offences and severe penalties for non-compliance.

This is the first of a series of articles on PIIAs to help you understand your organisation's POPIA compliance framework. For more information and assistance contact Luïse Von Dürckheim-Botes from SST Attorneys at luise@sstlaw.co.za

About SST Attorneys:

Stroebel Singh Theunissen Incorporated (better known as SST Attorneys) is a South African law firm serving a wide geographic area from its established practices in Pretoria and Sasolburg. Although primarily serving the South African market, the firm frequently advises its clients on cross-border commercial transactions and is establishing an increasing international footprint.

We have been offering a comprehensive and diverse range of legal services since 1959 (previously under the name Molenaar and Griffiths Incorporated) and are tireless in our efforts to continue developing and offering expertise to new and existing clients.

Our key objective is to practice our profession with excellence by being current, innovative, informed and remain in touch with the needs of the clients we serve.