POPI Do it yourself
Protection of Personal Information Act
Recent media has been flooded with POPI advertisements, warnings and updates. Large organisations have embarked on comprehensive plans to review their protection of personal information policies and procedures and are most likely investing enormous funds in meeting their compliance obligations. Where does this leave the smaller practice that is concerned about POPI, but doesn't know where to start in addressing its obligations?
This article is the first in a set of articles aimed at starting or reviewing your organisation's POPI Roadmap. It will certainly not guarantee compliance, nor completely remove the cost of obtaining outside help with mitigation, but it will at least assist the organisation in gaining a better understanding of the POPI outcomes and a feel for where the organisation may be exposed to risk.
STEP 1: Who are the POPI stakeholders in my organisation?
When clients approach us for a POPI plan, they will often say "I don't hold client personal information on record". Unfortunately, POPI doesn't only protect a customer's personal information. POPI protects the personal information of any person with whom the organisation comes into contact. The Act defines "person" as a natural person or a juristic person. Whenever information is held about a person and the organisation deals with such information, the Act refers to that person as the "data subject". Data subjects in an organisation typically include:
The organisation itself, its employees, directors and shareholders
Service providers and third parties and their employees and representatives
Special caution should be taken when any of these stakeholders are children, as there are specific limitations on the processing of the personal information of minors.
STEP 2: What is the information I hold for each of these data subjects?
The POPI Act defines Personal Information as information relating to an identifiable, living, natural person, and where it is applicable, an existing juristic person, including, but not limited to:
information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
information relating to the education or the medical, financial, criminal or employment history of the person;
any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
the biometric information of the person;
the personal opinions, views or preferences of the person;
correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
the views or opinions of another individual about the person; and
the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
If the definition of personal information is applied to the stakeholders in step 1, you may be surprised that not only private identifying information such as client or personnel records is the subject of POPI, but also inherent knowledge about the person and correspondence with or about such a person. The organisation should also be especially careful when it holds "special information" of a stakeholder, as this information receives special protection under POPI.
Special Information is defined as:
the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
the criminal behaviour of a data subject to the extent that such information relates to:
the alleged commission by a data subject of any offence; or
any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Understandably, this class of information is typically relevant to employee records. Join us next month for the next POPI DIY article.