The Protection of Personal Information act 4 of 2013
When Did the POPI Act commence? And how long do responsible parties have to
comply with its provisions?
The South African Financial Intelligence centre’s purpose is to establish and maintain an effective policy and compliance framework and operational capacity to oversee compliance and to:
- Certain sections of POPI commenced in April 2014,
- The Remaining sections of POPI commenced on 1July 2020, but responsible parties have been given 12 months to achieve compliance with POPI’s Obligations.
Dealer Financial Services cc endeavours to ensure that the information contained herein is correct at the time of publication but makes no guarantee as to the accuracy and completeness of the training material after publication. This module is provided for overview training purposes only.
Purpose
- POPI introduced to enforce certain conditions and minimum requirements for the processing of personal information;
- Establishment of an “Information Regulator;
- Provide for the issuing of codes of conduct.
- To regulate the flow of personal information,
including across borders of the Republic.
Definitions
Subject) in the sense that the information has the person as it’s focus. Includes things like (not limited to)
- Names
- Id numbers and dates of birth
- Addresses, contact details (all and any)
- Bank details
- Personal records; biometrics
- Religion or beliefs
- Sex, ethnic origin, criminal behaviour
Definitions
Data Subjects: Refers to the person to whom the information relates, this includes:
- Clients
- Potential clients
- Applicants (Successful or unsuccessful)
- Staff, Casual Staff,
Processing or Further processing of information:
- Initial obtaining or collection of personal information,
- The retention and use thereof,
- Access and disclosure and
- Final Disposal of the data
Lawful Processing of
Information
------------------
Processing and further processing of personal information is only lawful if it complies with the 8 condition for Processing specified in the POPI.
1. Accountability
2. Processing Limitation
3. Purpose Specification
4. Further Processing limitation
5. Information Quality
6. Openness
7. Security Safeguards
8. Data SubjectParticipation
1. Accountability
The responsible party must ensure that the conditions and all the measures set out in the Act that give effect to such conditions, are complied with at the time of the determining the purpose and means of the processing.
Appointing the Information Officer: by default is the CEO, who can appoint an information officer which has to be in writing, does not prohibit the person appointing the Information Officer from performing the duty him/herself.
DUTIES OF INFORMATION OFFICER:
- Develop a compliance framework , implement it and monitor and maintain it.
- A personal information impact assessment is done to ensure adequate measures and standards exist to comply with the act.
- Develop a manual to ensure; Information is not kept longer then necessary;
- Internal awareness sessions are conducted
- Dealing with request made to the business in respect of POPIA. And have records of all requests for information.
2.Processing Limitation
- Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
- Must be obtained directly from the data subject
- The Data subject must be aware and consent to you gathering and using the information.
- If you use a third party to gather information the data subject must consent to the information being shared with you.
- Only information that is required for the specific purpose for which it is gathered may be stored or used.
3. Purpose Specification
- The purpose must be documented and adhered to.
- Data subject has the right to know what information you have and for what purpose it was gathered.
- Once used for the specific purpose it must be destroyed.
- You will be required to account for what information you hold, for what purpose it was gathered and a date the information must be destroyed.
- The process of destruction of the personal information must prevent its reconstruction after you are no longer authorised to retain such records.
4. Further Processing limitation
- Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
- The data subject has to agree to their information used for any other purpose other than the original purpose.
- The data subject has to be aware of the purpose and period you will use their information.
5. Information Quality
- The responsible party must take reasonably steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
- Information directly from the data source is more likely to be accurate.
- Where possible it is advisable to validate the personal information as it is being captured.
- Data subjects must be advised on how they can update or withdraw consent for the use of their information.
6. Openness
- Proof of consent is essential.
- Proof that the data subject was informed of how the data will be used and for how long.
- The data subject must be given the contact details of the responsible person in the organisation.
- The data subject must be advised of his/her rights to complain to the information regulator in respect to misuse of the data.
- Advise the data subject of their right to access their information and object to the processing of the information.
7. Security Safeguards
- Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure.
- A safety and security risk assessment is required
- The companies POPIA policies must cover this and enforce it.
- The policies and procedures must restrict access to ensure security.
- Process must be in place to alert the Information office of a breach.
- Documented process to be followed in the event of a breach, including informing the data source and Information regulator.
Data Subject Participation
- The Data Subject has the right to correct the personal information that you hold. They also have the right to withdraw consent at any time. This procedure should be covered in the POPIA policies and procedures manual..
The dealership’s role
- Appoint the information officer: https://justice.gov.za/inforeg/portal.html
- Implement training program, first the information officer and then all staff.
- Keep a record of all training done.
- Functionally describe the processing of personal information (collection, use and destruction)
- List the channels e.g. paper; portal; staff.
- List the reasons e.g. customer invoicing, marketing, finance applications, licensing.
- List the internal data processors and external. E.g. accounting, credit apps. (signio or seriti) insurance leads.
- List storage facilities. E.g. phones, computers, servers, cupboards.
- List individuals with access to the information.
- Ensure data subjects agree to the collection use and storage.
- Perform an impact study on personal information data. Information Officer must manage the risks.
- Update all contracts including employee contracts.
- Establish a Privacy Policy and procedures manual, Data protection policy, Incident management processes, Data access management registration and controls.
.