Although the actual commencement date of the Protection of Personal Information Act No. 4 of 2013 (POPI) is yet to be determined by the President, it has been made very clear that when this date is confirmed, organisations will have one year to demonstrate compliance with this legislation.
Enacted on 26 November 2013, POPI is intended to bring South Africa in line with international data protection laws. To avoid non-compliance, organisations should immediately assess the impact of POPI on their organisation, and begin to mitigate their risks by compiling and implementing an appropriate plan of action which will see the organisation comply with all the inherent requirements of the Act.
Improving the landscape
Section 14 of the Constitution of the Republic of South Africa 1996 provides that everyone has the right to privacy, which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
POPI will promote the protection of personal information processed by public and private bodies by introducing certain conditions in order to establish minimum requirements for the processing of personal information of individuals or of juristic persons.
Furthermore, the Act provides for the establishment of an Information Regulator to exercise certain powers and to perform particular duties in terms of the Act. The Act extends to the provision of the rights of persons regarding unsolicited electronic communications and automated decision making. It also seeks to regulate the flow of personal information across the borders of the Republic of South Africa.
Taking King III into account
While POPI is the latest and most comprehensive piece of South African legislation to govern personal information, it should be noted that King Code III deals extensively with the issue of information technology governance.
King III notes that information technology is an integral part of the business and it is fundamental to support, sustain and grow a business.
The reliance on information technology systems, together with the emergence and evolution of the internet, ecommerce, online trading and electronic communication, allows companies to conduct business electronically and perform transactions instantly. These developments bring about significant risks and should be well governed and controlled. Thus, King III notes that, in exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken in regard to information technology governance.
Further to this, King III puts forward the following principles pertaining to information technology:
- The board should be responsible for information technology governance.
- IT should be aligned with the performance and sustainability objectives of the company.
- The board should delegate the responsibility for the implementation of an IT governance framework to management.
- The board should monitor and evaluate significant IT investments and expenditure.
- IT should form an integral part of the company’s risk management.
- The board should ensure that information assets are managed effectively.
- A risk committee and audit committee should assist the board in carrying out its IT responsibilities.
Applications of the principles
POPI sets out eight conditions that responsible parties will need to take into consideration for the processing of personal information to be lawful.
Condition seven of POPI deals with security safeguards and states that a responsible party must secure the integrity and confidentiality of any personal information in its possession by implementing appropriate, reasonable technical and organisational measures to prevent loss, damage and unauthorised and unlawful access to the personal information in its possession. Furthermore, the Regulator and the data subject are to be notified when there are reasonable grounds to believe that the personal information of that data subject has been accessed or acquired by an unauthorised person.
Non-compliance may result in administrative fines of up to R10 million, or imprisonment for a period of up to ten years. Companies are encouraged to pre-empt the implementation of this Bill by adopting compliance measures now, as this Act will have a significant impact on the industry.