An update on the POPI Act
Protection of Personal Information Act
The Protection of Personal Information Act (POPI) is South Africa's Privacy law and introduces requirements for the processing of Personal Information. The Protection of Personal Information Act (POPI) gives effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifable limitations.
POPI includes provision for justifiable limitations including:
balancing the right to privacy against other rights, particularly the right of access to information; and
protecting important interests, including the free flow of information within the Republic and across international borders.
The Chairperson of the Information Regulator, Adv Pansy Tlakula, recently made a statement in the Annual performance plan for 2020/21 financial year that a request was submitted to the President to sign the remaining sections of POPI into effect during the 2020/21 financial year. the Chairperson further emphasised the need for POPI to come into full effect: "until all the sections of POPIA are brought into effect the Regulator is unable to enforce compliance and victims are deprived of an appropriate remedy." This being said the commencement date of the remaining sections of POPIA has to date not been published.
Which sections of the POPI Act are effective?
The POPI Act was signed into law in 2013 and a few sections of the Act came into operation on the 11th of April 2014. The sections which came into operation are the definitions of the Act, the establishment and the structure of the Information Regulator and the provisions relating to the regulations and the procedure to be followed by the Minister to make regulations.
The sections relating to responsible parties compliance obligations have not yet commenced.
What is the importance of the commencement date of the remaining sections of POPIA?
Responsible parties will be required to comply with the obligations of the act once the commencement date is published, but in terms of the transitional arrangements of the Act will be granted a grace period of one year to ensure that all processing of personal information conforms with the provisions of the Act.
How does the Act define a responsible party?
In terms of the Act a "responsible party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
What should parties do in the interim?
Although sections in relation to compliance obligations have not come into effect the Regulator encourages parties to act responsibly when processing personal information and data and to proactively comply with the Act. The Information Regulator recently issued a Guidance Note on the processing of personal information in the management and containment of COVID-19 pandemic. The guidance note provides insight into the effect on the right to privacy and the limitation of constitutional rights of data subjects.
Should you require further assistance with the implementation of POPI do not hesitate to contact our office.