Gaining a proper understanding of the Act will assist with implementing the correct systems and procedures for handling personal information. The aim of the Act is to promote transparency about the information collected and how it is processed. It is essential for you to understand the spirit and purpose of the Act in order to know how to start training and programmes for its implementation.
The first step in getting ready to implement POPI is to assess the current policies, procedures and systems in your business. This will form the baseline from which you can measure what extra steps need to be put in place. Document the process that you follow to record information about your customers throughout the advice process, the conclusion of a transaction and the storage of that information. Is information stored in notebooks or paper files, on your computer, tablet or cell phone? Who has access to and/or handles this information? How is information disposed of? Follow the trail of a customer's information through your business and keep a record of where it goes and the people who deal with it.
What is Personal Information?
- contact details: email, telephone, address
- demographic information: ID, sex, race, birth date, ethnicity
- biometric information: health, blood type, height, weight, fingerprints
- history: employment, financial, educational, criminal record, medical history
- private correspondence: minutes, email, fax, notes
Unless specifically allowed, such personal information may not be processed. Businesses are not allowed to process the personal information of children, i.e. persons under the age of 18. Personal information must therefore be destroyed as soon as possible, and it must not be possible to recover such information.
How to Comply
- Information must be collected for a purpose and used for that specific purpose.
- Information collected must be relevant for its purpose.
- Information may not be shared with a third party without client consent.
- Information must be kept stored with proper security measures.
- Information must only be stored for the period for which it is needed.
- The subject of such information must have access to view their personal information upon request.
- A data security system must be implemented in each business. The system must prevent data loss and unlawful access to such information. Only authorised personnel may have access to the system storing such personal information.
- The data subject, the person who the information is about, must be able to see what information is being held by the business.
- The data subject must receive proof that their information has been deleted.
- Analyse your current processes of collecting and storing information. Then determine how that process will have to change to be compliant.
- Implement a notification process that will notify clients that you are capturing their data and how it is stored.
- Keep record of any action taken with the personal information.
- Implement a retention schedule for categories of personal information. Ensure that the accuracy of the information is reviewed in order to determine if such information must be updated or destroyed according to the retention schedule.
Complying with POPI requires understanding the existing processes in the business and the requirements of the Act, so that the gaps that need attention can be identified. Once such gaps have been established you will know which areas need to be restructured and amended. Only then will you be able to create a tailor-made solution to become POPI compliant.