The FAQs below are aimed at supporting POPI Act compliance and effective Data Privacy Management. The questions address certain general practical questions that may arise in the compliance management process. It is not meant to convey or duplicate general information or Guidance Notes regarding the POPI Act, which can be accessed on the Regulator’s website: https://www.justice.gov.za/inforeg/. It is also not meant to address how specific compliance activities need to be implemented.
These FAQs are a guideline reference tool with standardised answers and do not address technical queries or fulfil the function of, or replace, formal professional advice on any matter. Where sections in the POPI Act are self-explanatory and/or extensive, the sections are only referred to and not copied.
POPI Act Compliance
What is the real purpose of the POPI Act?
Section 2 of the POPI Act specifies its purpose:
2. The purpose of this Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; and
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
When does the POPI Act not apply and/or what are the exemptions?
Sections 6 and 7 of the POPI Act specify when the Act does not apply. Sections such as 11(1), 12(2), 15(3), 18(4), 27, 28(2) and 35 also address conditional exclusions from specific provisions of the Act. These exclusions should not be seen as opportunities to avoid compliance with the Act; given the objectives of the Act, they will probably be interpreted narrowly by the Regulator and the courts.
How should one consider the term and exclusion “legitimate interest” of the data subject, responsible party or operator?
The term “legitimate interest” is not defined in the POPI Act, but the Regulator has indicated that it plans to issue a guidance note on it. Given the objectives of the Act and the constitutional right to privacy, the term will most probably be interpreted and applied narrowly and conservatively by the Regulator and the courts. Legitimate interest should not be confused with convenience. Where the term is relied on as the justification for a processing activity, clear and objective proof will probably have to be provided that the activity is in the legitimate interest of the data subject, and the legitimate interest of the data subject will probably outweigh the legitimate interest of a responsible party or an operator.
The ‘legitimate interest’ of the responsible party or its operators should therefore not be seen as an opportunity to avoid compliance with the POPI Act and will probably be interpreted and treated narrowly by the Regulator and the courts. This considered opinion by attorneys Cliffe Dekker Hofmeyr is a good reference in this regard:
POPI Bumper Special Alert
Until the Regulator issues a guidance note in this regard, international best practice and examples can be considered. Refer to the UK ICO’s advisory note in this regard: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/#:~:text=The%20legitimate%20interests%20can%20be,The%20processing%20must%20be%20necessary.
POPI Training
Why is awareness and training so important?
A great part of breach risk reduction is to ‘think privacy’ constantly and to be aware of possible risks and gaps. Training staff to do so greatly enhances risk reduction.
Will attending training on the POPI Act ensure compliance and reduce breach risks?
Not on its own. Implementing all compliance activities and requirements effectively and continuously is the only way to ensure compliance and breach risk reduction.
POPI Non-compliance
What is the most effective way of mitigating the risk of non-compliance with the POPI Act?
- Prioritise effective and ongoing awareness and training regarding the requirements and risks of the POPI Act and data or information security breaches.
- Effectively and continuously implement and review data privacy management and POPI Act compliance throughout the organisation.
- Entrench data privacy management and information security risk-based thinking into daily operations.
- Consider possible relevant insurance cover.
What should one do when a breach occurs?
Section 22 of the POPI Act requires the responsible party, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, to notify the Regulator and the affected data subject(s) as soon as reasonably possible after discovering the compromise. At the same time, implement effective communication and mitigation measures immediately.
Also refer to the Masthead guideline document (available as part of the Masthead POPI Act Compliance solutions) for more detail in this regard.
What should one do if personal information is received from a source without requesting it and one was not supposed to receive it?
Notify the sender that the personal information was received but should not have been shared, since there is no requirement or justifiable reason to receive or process it. Then securely and completely delete the personal information so received. If more personal information is received than is required or justifiable under the minimality principle, tell the sender, delete the unnecessary personal information or, if the unnecessary part cannot be deleted on its own, delete all the personal information received and ask the sender to resend only the personal information that is required.
The appointment and responsibilities of an Information Officer
Is each legal entity within the company structure required to appoint an Information Officer or can this be an appointment spanning several entities within the same Group?
The Information Officer is a function defined by the POPI Act read with PAIA. For private bodies, the ‘head’ of each legal entity, as defined by PAIA, is by default the Information Officer.
PAIA defines the ‘head’ of a juristic person as:
(i) the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or
(ii) the person who is acting as such or any person duly authorised by such acting person.
Since each of the company’s entities is a separately registered company, each legal entity has, and must register, an Information Officer. If all the entities have the same CEO, that CEO is the Information Officer for all of them. The CEO can, however, duly authorise others to act as Information Officer and/or designate different Deputy Information Officers. Please refer to the Regulator’s Guidance Note on Information Officers for more details.
Can an Information Officer be personally liable for data breaches or non-compliance to the POPI Act?
If the Information Officer is the responsible party (in the case of a sole proprietor, for example), then yes. If the Information Officer is an employee of a responsible party, the responsible party will be liable, and the Regulator and the courts will eventually decide who within the responsible party needs to be held accountable. Employees who do not comply with the POPI Act can, however, be held responsible by their employers, and an employee who commits a criminal offence (for example, stealing and selling clients’ account numbers) can be personally prosecuted.
Processing and Transferring Personal Information
What is the minimum requirement for processing personal information for the purpose of direct marketing via unsolicited non-electronic communication?
The POPI Act defines electronic communications as:
“… any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient”
Although the POPI Act does not require prior consent for direct marketing by unsolicited non-electronic communication (such as telephone calls or post), section 11(3)(b) of the POPI Act specifies that a data subject may object to such marketing at any time. Once the data subject has objected, the responsible party may no longer process the personal information for that purpose (section 11(4)).
The Consumer Protection Act also stipulates specific requirements in this regard.
What is the requirement for processing personal information for the purpose of direct marketing via unsolicited electronic communication to an existing customer?
Existing customers must be given the opportunity to object to the processing of their personal information for direct marketing (the right to opt out), and the other requirements of section 69 of the POPI Act must be met. In short, section 69(3) permits electronic direct marketing to an existing customer only if the contact details were obtained in the context of the sale of a product or service, only for the responsible party’s own similar products or services, and only if the customer was given a reasonable opportunity to object, free of charge and without unnecessary formality, both when the details were collected and on the occasion of each communication.
The Consumer Protection Act also stipulates specific requirements in this regard.
What is the requirement for processing personal information for the purpose of direct marketing via unsolicited electronic communication to a non-existing customer?
The POPI Act defines direct marketing as:
“to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason”.
As a general rule, a person who is not an existing customer must give prior consent before being marketed to by unsolicited electronic communication (section 69(1)). The responsible party may approach such a person only once to request that consent, and only if the person has not previously withheld it (section 69(2)).
The Consumer Protection Act also stipulates specific requirements in this regard.
What if one needs to process personal information in a specific way in our industry and it seems impractical or almost impossible to adhere to all the processing requirements?
Convenience is not a measure of POPI Act compliance. The aim of the Act is, however, also not to hinder business unnecessarily, and the best way to address industry-specific processing needs is to contribute to and help motivate a Code of Conduct for the industry, approved by the Regulator, as provided for in Chapter 7 of the POPI Act.
Can one retain personal information after the purpose for its processing has expired?
Only in the instances provided for in section 14 of the POPI Act, and then only for as long as the requirement or allowance is stipulated or remains valid, and always in a secure and protected manner.
Section 18 of the FAIS Act states that FSPs must maintain records for a minimum of 5 years. If the client wishes to end the business relationship with an FSP, can the FSP keep the data subject's personal information for longer than 5 years?
Sections 14(1), (2), (4), (5) and (6) of the POPI Act apply. Authorisation by law is not the only basis for lawful retention, and some of the allowances, such as those in sections 14(1)(b) and 14(2), are quite general and vague.
In the example in the question, retention authorised by law (section 14(1)(a)) no longer applies once the five years have passed, and since the client has ended the relationship, retention is no longer required by a contract between the parties (section 14(1)(c)); retention in terms of a contract will in any event have to be specific and limited. Unless the client consents to retention beyond the five years (section 14(1)(d)), which is unlikely if the relationship ends, that leaves sections 14(1)(b) and 14(2), whose allowances are, as mentioned, quite general and vague.
Given the constitutional foundation and the purpose of the POPI Act, such general and vague elements will probably be interpreted conservatively by the Regulator and the courts, and a responsible party will have to show why retention for those purposes was indeed necessary, how the retained personal information was secured, restricted or de-identified and, if it was not, why not. This is in line with good Data Privacy Management practice. Also note section 14(6)(b): where the responsible party “no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof”, it must restrict its processing; ‘restriction’ is defined in the Act.
It is good to highlight the limitations / specific purposes for the 5 year retention requirement in the FAIS Act.
Section 18 of the FAIS Act: “Maintenance of records
18. An authorised financial services provider must, except to the extent exempted by the registrar, maintain records for a minimum period of five years regarding
(a) known premature cancellations of transactions or financial products by clients of the provider;
(b) complaints received together with an indication whether or not any such complaint has been resolved;
(c) the continued compliance with the requirements referred to in section 8;
(d) cases of non-compliance with this Act, and the reasons for such non-compliance; and
(e) the continued compliance by representatives with the requirements referred to in section 13(1) and (2).”
What if a wide variety of personal information is required from a customer to enable a comprehensive assessment and/or advice to the customer? Can one collect as much personal information as one deems potentially relevant and only use what is eventually required?
No. The minimality principle (section 10 of the POPI Act) always applies: personal information may only be processed if, given the purpose, it is adequate, relevant and not excessive. Only request the information necessary for the assessment or advice and no more. Also be transparent and explain to the client why all the requested information is necessary and, in the process, obtain the client’s informed consent.
Can questions or information that has POPI Act implications be shared verbally with clients, operators or Third Parties?
Yes, but it is recommended that anything shared verbally be confirmed in writing.
Can personal information be sent by a responsible party from South Africa to a third party in a foreign country?
Yes, but only if all the requirements of section 72 of the POPI Act are met.
Can the responsible party appoint a third party to process personal information on its behalf?
Yes. Such a third party is known as an operator. It acts under the authority and specific instructions of the responsible party and must be appointed in terms of a written contract (section 21 of the POPI Act) that binds the operator to establish and maintain the security measures required by the Act.
However, the responsible party cannot outsource its POPI Act accountability and responsibilities.
Systems used to manage Personal Information
What is an automated decision system?
It is a statistical model or tool built into an electronic system that produces a decision in a purely automated way, without human intervention. Section 71 of the POPI Act gives a data subject the right, subject to certain exceptions, not to be subject to a decision based solely on such automated processing where the decision has legal consequences for, or substantially affects, the data subject.
Many businesses make use of CCTV for managing employees and building security surveillance. Should customers be notified that the building is being monitored by CCTV?
CCTV cameras capture images of identifiable persons, which may include biometric information and therefore special personal information. Section 27 specifies when special personal information may be processed. CCTV footage is normally used for security and crime-prevention purposes, in which case section 27(1)(a) or (b) will be applicable.
Although section 27(1)(b) can be relied upon where CCTV surveillance is required to protect persons on the premises, including the data subjects, it is advisable that the following is clearly and visibly stated in notices to persons entering and using the premises:
- The fact that CCTV cameras are operational and for what specific and legitimate purposes, such as security management and crime prevention;
- That the footage will not be further processed or used for any other purposes;
- Who is recording and storing the video footage, i.e. the company, property owners and or security companies;
- That the footage is recorded and securely stored under strict supervision, control and conditions.
The company needs to ensure that the security and protection measures described above are in fact in place and maintained before the notices are displayed. Note that section 33(2) of the POPI Act is relevant when processing personal information (including biometrics) of employees, and relevant labour legislation also needs to be adhered to in this regard.
What are the POPI Act-related risks and implications of using 'cloud storage' on servers based in countries with less extensive data privacy laws?
‘Cloud storage’ involves the uploading and storage of data on one or (often) more servers of a ‘cloud storage’ service provider (operator). These servers are located inside one or more specific countries and managed by companies registered in a variety of countries, with varying levels of maturity regarding data privacy and information security management policies and legislation.
A responsible party must adhere to the requirements of sections 21 and 72 of the POPI Act when contracting and using ‘cloud storage’ providers, which means they must ensure the security of the data by means of a formal contract with the service provider and when the service provider and/or their servers are located outside of South Africa, that the requirements of section 72 of the POPI Act are met.
Section 20 of the POPI Act places specific duties on operators to process personal information only with the knowledge or authorisation of the responsible party and to treat it as confidential. An operator will most probably be held accountable by the responsible party when a breach under the operator’s control causes damage to data subjects and/or the responsible party. Keep an eye on the Regulator’s website for a Guidance Note in this regard.
In the absence of such guidance from the Regulator, it is advised that responsible parties and Masthead clients select their ‘cloud storage’ service providers very carefully and ensure that sufficient due diligence is done and that safeguards and assurances are in place and contained in an agreement with such providers.
Privacy of Personal Information
What is the need and purpose of the Privacy Policy?
The standard Privacy Policy statement conveys the commitment and principles regarding POPI Act compliance and good Data Privacy Management to clients, business partners, suppliers etc. It is aimed at building trust and showing commitment and transparency. It should not be confused with a website specific privacy policy or terms – which is focussed on information management through the use of the website. An example of such a website specific policy can be found here on the Regulator’s website: https://www.justice.gov.za/inforeg/terms.html
What is meant by Privacy by Design?
It means that data privacy and security are considered whenever a new process or system is developed, and that compliance and breach-risk reduction are built into the design of the new process or system rather than added afterwards.
Is it necessary to implement a separate Privacy Risk Management System?
Not necessarily. Depending on the size of the business, Data Privacy Management and information security are normally addressed as components of the overall business risk management system rather than as a separate system.
Is it sufficient just to have a data privacy and security agreement in place with operators or Third Parties?
Although such an agreement is a minimum requirement of the POPI Act, it is advisable to do a proper due diligence and, as far as reasonably possible, ensure that operators and Third Parties are indeed compliant and secure. This applies equally to information systems or information technology support provided by operators or third parties.
When determining/investigating data privacy breach insurance cover, what considerations should one take into account to determine sufficient cover?
It is very difficult to know or advise how much cover for data breaches would be sufficient. Financial losses relating to data breaches can include:
- Legal and other costs involved in addressing breach investigations by the Regulator;
- Fines issued by the Regulator or Courts;
- Civil claims as a result of damages suffered by data subjects due to a breach.
Cyber security policies may not cover operational processing breaches that are not related to cyber security. FSPs or Product Suppliers specialising in Professional Indemnity and Cyber Security-related insurance cover will have to advise in this regard.
May auditors see personal information of customers or third parties when conducting internal or external audits?
The ideal is to de-identify the personal information before it is provided to the auditors, especially external auditors. If this is not possible given the requirements of the audit, or is not otherwise reasonably practicable, the following example justifications will guide the compliance requirements in this regard:
- If the data subject consents or if it can be proven that the audit is in the legitimate interest of the data subject or responsible party.
- If the audit is an obligation imposed by law.
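As an added illustration of the de-identification step recommended above (this is example code, not part of the original FAQ or of any Masthead solution), the following Python script replaces each client’s identifier with a keyed HMAC-SHA256 token, drops the direct identifiers and every field the audit does not need, and runs a release gate that refuses the dataset if any identifier value survives. The records, field names and the notion of an “audit field” are constructed for the example. Note that a keyed token is pseudonymisation: the responsible party, which keeps the key, can still re-identify a token in-house, so the key must never be handed to the auditor.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable, List, Sequence

# Fields that directly identify a data subject and must never reach the auditor.
DIRECT_IDENTIFIERS: Sequence[str] = ("name", "id_number", "email", "phone")
# Fields the (hypothetical) audit actually needs. Under the minimality
# principle everything else is dropped, not merely masked.
AUDIT_FIELDS: Sequence[str] = ("product", "premium", "complaint_open")

# Constructed sample records for illustration only (not real persons).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"client_id": "C1001", "name": "A. Example", "id_number": "8001015009087",
     "email": "a.example@example.test", "phone": "+27820000001",
     "product": "Retirement annuity", "premium": 1500.00,
     "complaint_open": False, "notes": "prefers email"},
    {"client_id": "C1002", "name": "B. Sample", "id_number": "9002026009081",
     "email": "b.sample@example.test", "phone": "+27820000002",
     "product": "Life cover", "premium": 820.50,
     "complaint_open": True, "notes": "called 2021-03-01"},
    {"client_id": "C1001", "name": "A. Example", "id_number": "8001015009087",
     "email": "a.example@example.test", "phone": "+27820000001",
     "product": "Income protection", "premium": 410.00,
     "complaint_open": False, "notes": ""},
]


def new_pseudonym_key() -> bytes:
    """Secret kept by the responsible party; it is never shared with the auditor."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, client_id: str) -> str:
    """Deterministic keyed token (HMAC-SHA256) for a client identifier.

    The same client always maps to the same token, so the auditor can still
    correlate records, but without `key` a token cannot be linked to a client.
    """
    return hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()


def de_identify(records: Iterable[Dict[str, Any]], key: bytes,
                audit_fields: Sequence[str] = AUDIT_FIELDS) -> List[Dict[str, Any]]:
    """Build the auditor's copy: a subject token plus only the audit fields."""
    out: List[Dict[str, Any]] = []
    for rec in records:
        row: Dict[str, Any] = {"subject_token": pseudonym(key, rec["client_id"])}
        row.update({k: rec[k] for k in audit_fields if k in rec})
        out.append(row)
    return out


def build_reidentification_map(records: Iterable[Dict[str, Any]],
                               key: bytes) -> Dict[str, str]:
    """Internal token -> client_id lookup retained by the responsible party only,
    so an auditor's finding on a token can be traced back in-house."""
    return {pseudonym(key, rec["client_id"]): rec["client_id"] for rec in records}


def check_no_direct_identifiers(original: Iterable[Dict[str, Any]],
                                de_identified: Iterable[Dict[str, Any]],
                                identifiers: Sequence[str] = DIRECT_IDENTIFIERS) -> bool:
    """Release gate: neither an identifier field nor an identifier value from the
    original data may appear anywhere in the de-identified output."""
    leaked_values = {str(rec[f]) for rec in original for f in identifiers if f in rec}
    for row in de_identified:
        if any(f in row for f in identifiers):
            return False
        if any(str(v) in leaked_values for v in row.values()):
            return False
    return True


if __name__ == "__main__":
    key = new_pseudonym_key()
    audit_copy = de_identify(SAMPLE_RECORDS, key)
    if not check_no_direct_identifiers(SAMPLE_RECORDS, audit_copy):
        raise SystemExit("refusing to release: direct identifiers present")
    for row in audit_copy:
        print(row)
```

The release gate is deliberately blunt: it compares values, not field names only, so an identifier that was copied into a free-text field would still block the release. Generate a fresh key per audit engagement so tokens from different engagements cannot be joined.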
If attorneys request personal information of data subjects in our possession, can or should one just provide it to them?
The POPI Act provides exclusions for the judicial functions of a court and for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated. Only if and when the attorneys can clearly and formally show that the request is for such a purpose should the information be shared, and then only the information needed for that purpose. It is also advised that the data subject(s) be contacted immediately and told that the information was requested and provided for such purposes.
When it comes to information security, is it critical to be ISO27001, 27002 and 27701 certified?
No, certification is not required unless corporate rules or policy, a specific contract or a business relationship requires it. Note also that only ISO/IEC 27001 (and ISO/IEC 27701 as its privacy extension) can be certified against; ISO/IEC 27002 is a code of practice that supports 27001 and is not itself a certification standard. Procuring, reading and implementing the principles and guidelines in these international standards is nonetheless advisable and can greatly contribute to breach risk reduction.
Disclaimer: While every reasonable effort has been taken to ensure the accuracy and soundness of this content, Masthead does not accept any responsibility for the consequences of any actions based on any information contained herein. The content of this material does not constitute advice.