The FAQs below are aimed at supporting POPI Act compliance and effective Data Privacy Management. The questions address certain general practical questions that may arise in the compliance management process. It is not meant to convey or duplicate general information or Guidance Notes regarding the POPI Act, which can be accessed on the Regulator’s website: https://www.justice.gov.za/inforeg/. It is also not meant to address how specific compliance activities need to be implemented.
These FAQs are a guideline reference tool with standardised answers and do not address technical queries or fulfil the function of, or replace, formal professional advice on any matter. Where sections in the POPI Act are self-explanatory and/or extensive, the sections are only referred to and not copied.
Section 2 of the POPI Act specifies its purpose:
2. The purpose of this Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; and
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
Sections 6 and 7 of the POPI Act specify when the Act is not applicable. Sections such as 11(1), 12(2), 15(3), 18(4), 27, 28(2) and 35 also address conditional exclusions from specific provisions of the Act. These exclusions should, however, not be seen as opportunities not to comply with the Act and will probably be interpreted and applied narrowly by the Regulator and the courts, given the objectives of the Act.
The term “legitimate interest” is not defined in the POPI Act, but the Regulator has indicated that it is planning to issue a guidance note in this regard. The term will most probably be interpreted and applied narrowly and conservatively by the Regulator and the courts, given the objectives of the Act and the Constitutional right to privacy. Legitimate interest should not be confused with the term or concept of ‘convenience’. Clear and objective proof will probably have to be provided that a processing activity is in the legitimate interest of the data subject (if the term is to be used as an exemption motivation), and the legitimate interest of the data subject will probably outweigh the legitimate interest of a responsible party or an operator, given the objectives of the Act and the Constitutional right to privacy.
‘Legitimate interest’ of the responsible party or its operators should hence not be seen as an opportunity not to comply with the POPI Act and will probably be interpreted and treated narrowly by the Regulator and the courts. This considered opinion by attorneys Cliffe Dekker Hofmeyr is a good reference in this regard:
Until the Regulator issues a guidance note in this regard, international best practice and examples can be considered. Refer to the UK ICO’s advisory note in this regard: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/#:~:text=The%20legitimate%20interests%20can%20be,The%20processing%20must%20be%20necessary.
A great part of breach risk reduction is to ‘think privacy’ on a constant basis and to be aware of possible risks and gaps. Training oneself to do so greatly enhances risk reduction.
Not on its own. Implementing all compliance activities and requirements effectively and continuously is the only way to ensure compliance and breach risk reduction.
Report the breach to the Regulator and data subject as quickly as possible and immediately implement effective communication and mitigation mechanisms.
Section 22 of the POPI Act provides details in this regard. Also refer to the Masthead guideline document (available as part of the Masthead POPI Act Compliance solutions) for more detail in this regard.
Notify the sender that the personal information was received but should not have been shared or received, since there is no requirement or justifiable reason to receive or process the personal information. Then completely and safely delete the personal information so received. If more personal information is received than is required or justifiable according to the minimality principle, communicate this to the sender and delete the unnecessary personal information; if it is not possible to delete only the unnecessary personal information, delete all the personal information received and request the sender to resend only the personal information required.
The Information Officer is a function defined by the POPI Act read with PAIA. For private bodies, the ‘head’ of each legal entity, as defined by PAIA, is normally the Information Officer.
PAIA defines the ‘head’ of a juristic person as:
(i) the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or
(ii) the person who is acting as such or any person duly authorised by such acting person.
Since each of the company’s entities is a separately registered company, each legal entity has, and needs to register, an Information Officer. If all the entities have the same CEO, then that CEO would be the Information Officer for all entities. The CEO can, however, duly authorise others to be the Information Officer and/or appoint various Deputy Information Officers. Please refer to the Regulator’s Guidance Note on Information Officers for more details.
If the Information Officer is the responsible party (in the case of a sole proprietor, for example), then yes. If the Information Officer is an employee of a responsible party, then the responsible party will be liable, and the Regulator and the courts will eventually decide who in the responsible party needs to be held accountable. Employees who do not comply with the POPI Act can, however, be held responsible by their employers, and if an employee commits a criminal offence (for example, stealing and selling clients’ account numbers), he/she can be personally prosecuted.
The POPI Act defines electronic communications as:
“… any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient”
Although the POPI Act does not require prior consent for unsolicited non-electronic direct marketing (such as telephone calls), section 11(3)(b) of the POPI Act specifies that a data subject may object to unsolicited non-electronic direct marketing as well. Once the data subject has objected, he/she may no longer be marketed to.
The Consumer Protection Act also stipulates specific requirements in this regard.
Existing customers must be given the opportunity to object to the processing of personal information for the purpose of direct marketing (right to opt-out) and other specific requirements, listed in section 69 of the POPI Act, must be met.
The Consumer Protection Act also stipulates specific requirements in this regard.
The POPI Act defines direct marketing as:
“to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason”.
Persons who are not existing customers must, as a general rule, provide prior consent before being marketed to.
The Consumer Protection Act also stipulates specific requirements in this regard.
Convenience is not a POPI Act compliance measure, but the aim of the POPI Act is also not to hinder business unnecessarily. The best way to address this is to contribute to, and help motivate, a specific Regulator-approved Code of Conduct for the industry, as provided for in Chapter 7 of the POPI Act.
Only in instances provided for in section 14 of the POPI Act, but also only for as long as the requirement or allowance is stipulated or valid and always in a secure and protected manner.
Sections 14(1), (2), (4), (5) and (6) of the POPI Act apply. Authorisation by law is not the only basis for lawful retention, and some of the allowances could even be considered quite general and vague, such as the provisions of sections 14(1)(b) and 14(2). In the example in the question, retention authorised by law (section 14(1)(a)) is no longer applicable (“longer than 5 years”), and it is mentioned that the client ended the relationship, so retention is no longer required by a contract between the parties, as allowed for in section 14(1)(c). Retention in terms of a contract between the parties will in any event have to be specific and limited. Unless the client of the FSP consents to retention beyond the 5 years (section 14(1)(d)), which may be unlikely if the relationship ends, this leaves sections 14(1)(b) and 14(2), and the allowances in those clauses are quite general and vague, as mentioned. It should, however, be stressed that, given the Constitutional foundation and the purpose of the POPI Act, general and vague elements in the Act will probably be conservatively interpreted by the Regulator and the courts, and a responsible party will have to prove why retention for such purposes was indeed necessary and how the personal information thus retained was secured, restricted or de-identified and, if not, why not. This would be in line with good Data Privacy Management practice. Also note section 14(6)(b): where the responsible party “no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof”, it must restrict its processing. ‘Restriction’ is defined in the Act.
It is good to highlight the limitations and specific purposes of the 5-year retention requirement in the FAIS Act.
Section 18 of the FAIS Act: “Maintenance of records
18. An authorised financial services provider must, except to the extent exempted by the registrar, maintain records for a minimum period of five years regarding
(a) known premature cancellations of transactions or financial products by clients of the provider;
(b) complaints received together with an indication whether or not any such complaint has been resolved;
(c) the continued compliance with the requirements referred to in section 8;
(d) cases of non-compliance with this Act, and the reasons for such non-compliance; and
(e) the continued compliance by representatives with the requirements referred to in section 13(1) and (2).”
The principle of minimality always applies. Only request the information necessary for the assessment or advice and no more. Also be transparent and communicate with the client why all the information is a necessity and, in the process, obtain the client’s well-informed consent.
Yes, but it is recommended to be confirmed in writing.
Yes, but only if all the requirements of section 72 of the POPI Act are met.
Yes. The third party is known as an operator, acts under the authority and specific instructions of the responsible party, and must be appointed in terms of a written contract that ensures that the operator is bound by the POPI Act.
However, the Responsible Party cannot outsource its POPI Act compliance accountability and responsibilities.
It is a statistical model or tool built into an electronic system to enable an automated/electronic decision, in other words a decision made in a purely automated way, without human intervention.
CCTV cameras may capture biometric personal information, which is special personal information. Section 27 specifies when special personal information may be processed. CCTV video footage is normally used for security and crime prevention purposes, in which case section 27(1)(a) or (b) will apply.
Although section 27(1)(b) can be relied upon to indicate that CCTV surveillance is required for the protection of persons on the premises, including the data subjects, it is advisable that the following is clearly and visibly stated in notices for persons entering and using the premises:
The company needs to ensure that the above security and protection measures are in fact in place and being maintained before the notices are displayed. Note that section 33(2) of the POPI Act is relevant when processing personal information (including biometrics) of employees, and relevant labour legislation needs to be adhered to in this regard.
‘Cloud storage’ involves the uploading and storage of data on one or (often) more servers of a ‘cloud storage’ service provider (operator). These servers are located inside one or more specific countries and managed by companies registered in a variety of countries, with varying levels of maturity regarding data privacy and information security management policies and legislation.
A responsible party must adhere to the requirements of sections 21 and 72 of the POPI Act when contracting and using ‘cloud storage’ providers. This means it must ensure the security of the data by means of a formal contract with the service provider and, where the service provider and/or its servers are located outside South Africa, that the requirements of section 72 of the POPI Act are met.
Section 20 of the POPI Act places specific obligations of transparency and confidentiality on operators, and an operator will most probably be held accountable by responsible parties when a breach occurs under the operator’s control and damages are suffered by data subjects and/or the responsible party as a result. Keep an eye on the Regulator’s website for a Guidance Note in this regard.
In the absence of such guidance by the Regulator, it is advised that responsible parties and Masthead clients consider their ‘cloud storage’ service providers very carefully and ensure that sufficient due diligence is done and that safeguards and assurances are in place and contained in an agreement with such providers.
It means that data privacy and security are considered whenever a new process or system is developed, and that compliance and breach risk reduction are taken into account in the design of the new process or system.
Depending on the size of the business, Data Privacy Management and Information Security are normally addressed as a component of the overall business risk management system.
Although such an agreement is a minimum requirement of the POPI Act, it is advisable to do a proper due diligence and, as far as reasonably possible, ensure that operators and third parties are indeed compliant and secure. This applies to the use of information systems or information technology support provided by operators or third parties as well.
It is very difficult to know or advise how much cover for data breaches would be sufficient. Financial losses relating to data breaches can include:
Cyber security insurance policies may not cover operational processing breaches that are not related to cyber security. FSPs or Product Suppliers specialising in Professional Indemnity and Cyber Security-related insurance cover will have to advise in this regard.
The ideal would be to de-identify the personal information before it is provided to the auditors, especially external auditors. If this is not possible given the requirements of the audit, or is otherwise not reasonably implementable, the following example exemption considerations will guide the compliance requirements in this regard:
The POPI Act makes provision for the exclusion of judicial functions of a court, and of the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated. Only if and when the attorneys can clearly and formally prove that the request is for such purposes should the information be shared. It is, however, advised that the data subject(s) be immediately contacted and advised that the information has been requested for such proven purposes.
No, certification is not required, unless corporate rules or policy, a specific contract or a business relationship requires it. However, procuring, reading and implementing the principles and guidelines in such international standards is advisable and can greatly contribute to breach risk reduction.