Nov 9, 2019
South Africa has its own data protection act, which predates the EU GDPR. It passed the Protection of Personal Information Act in November 2013. Popularly referred to as the POPI Act or POPIA, this legislation highlights eight essential conditions that data handlers must comply with in order to protect "Personal Information (PI)". Before we see what these conditions are, let’s understand the key objectives, important definitions, and other aspects of the POPIA.
As per the official document released by the government, the purpose of the POPI Act is to:
As mentioned earlier, the law relates to the collection and processing of PI. The following sections define and expand on the critical aspects of POPIA.
Page 14 of the document containing the entire text of POPIA defines PI as any information that makes it possible to identify a natural person. In specific cases, it also implies a juristic person.
A juristic person means an organization recognized by law to have rights and responsibilities like a human individual. For example, a university can be a juristic person, since it has the right to own property, etc.
As per the POPI Act, personal data includes, without being limited to, the following:
Medical history, including mental and physical health & wellbeing
"Processing" of PI means collecting, storing, using, modifying, or destroying PI. The processing may happen manually or in an automated manner.
The "data subject" is the person whose information is collected and processed. De-identification of the data subject implies that any information that can identify the person gets irretrievably removed.
Another essential term in this context is "Unique Identifier". That is an identifier that a responsible party assigns to a data subject.
A "Responsible party" is any private or public authority that determines how and why any PI needs to be processed. An individual, a company, or a governmental outfit qualifies as a "responsible party" when handling PI. A responsible party may function independently or in collaboration with others. However, the legal responsibilities for PI compliance remain unaltered.
It is vital to clearly understand the eight foundational principles of the Act to attain compliance with POPIA. These principles determine when the processing of PI is within legal parameters.
The individuals or organizations handling PI are accountable for ensuring compliance with the POPI provisions. This condition applies both to the decision to process the PI and to the process of doing so.
Note: There is no need to observe this condition for handling PI that the data subject has willingly made available on public platforms. This condition also does not apply when collecting PI from a third-party is necessary for court proceedings or executing a public duty.
You can collect PI only for an expressly stated purpose. All data subjects must be aware of that purpose and agree with it. Time limit is another vital feature to remember. You can hold PI for only as long as you need it for the stated purpose. You must delete, destroy, or de-identify the data after the required time in a manner that makes it irretrievable.
You can process PI only for the stated purpose for which you collected it and for which you have the data subject’s consent. Processing for any additional purpose needs consent from the data subject.
The only exceptions are:
The PI you collect and process with the data subject’s consent must be accurate, complete, up-to-date, and not misleading.
This condition relates to the processing of the PI collected with the consent of the data subject. A data handler must maintain robust documentation of the data processing. The data handler is also responsible for informing the data subject about:
This condition details the necessary measures to protect the safety and security of the PI. To comply, you must:
Any third party handling PI for the responsible party needs to have a contractual obligation to immediately notify the responsible party if any data breach happens. If there is a data breach, real or suspected, the responsible party should immediately:
"Residual data" inside a used storage device poses a significant risk of sensitive data leakage. Residual data is the information that remains inside the storage media after deletion, formatting, or factory reset actions.
This residual information, often comprising sensitive data, is at constant risk of a breach. Threat actors like data brokers and illegal data miners can retrieve sensitive data using common recovery techniques, making you liable for a POPI Act violation.
This data breach risk can materialize when a used device changes primary custody through events like resale, return of leased hardware, internal reallocation, exchange, donation, or disposal.
Systematic data erasure is an effective solution to mitigate this data breach risk through the permanent destruction of sensitive and redundant personal information in line with regulations like the POPI Act, GDPR, etc.
This condition details the rights of the persons whose information gets collected. A data subject has the right to access the collected PI. A data subject can also request correction, completion, or updating of collected information.
Part B of Condition 8 prohibits processing and using special personal information such as philosophical & political beliefs, race, ethnicity, medical records, etc. Part C relates to the PI of children.
As already explained, POPIA applies to all individuals and organizations collecting and using data, especially for commercial purposes.
The exemptions mentioned in the law relate to four areas:
Failure to comply with the Act can have severe consequences. The following are the critical offenses outlined in Sections 100 – 106 of the POPI Act:
Violation of the Act can lead to a penalty of up to ZAR 10 million in fines or ten years' imprisonment, or both.
Sections 39-54 of the POPIA deal with the appointment of the Information Regulator. These became effective from April 2014.
The Information Regulator as a body takes the responsibility of:
On September 7, 2016, the National Assembly of South Africa approved the appointment of members to the Information Regulator. On December 1, 2016, the Information Regulator, along with two full-time and two part-time members, was appointed.
All the other sections related to the core provisions of the law, as detailed above, became effective from July 1, 2020. These sections are: 2-38, 55-109, 111, and 114(1), (2), and (3).
Section 114(1) of the POPIA stresses that all public and private bodies must comply with the law by July 1, 2021.
Sections 110 and 114 (4) will become effective from June 30, 2021. The enforcement of these sections involves amending the Promotion of Access to Information Act (PAIA) 2000. Such an amendment is necessary to transfer certain functions of the PAIA from the South African Human Rights Commission to the Information Regulator.
The POPI Act remains the final word for public and private entities operating and handling personal information in South Africa. The law has strict mandates for governing the processing of PI, including its collection, storage, use, modification, and destruction.
To attain POPI compliance, you, as an organization, need a 360-degree view of how data enters and leaves your custody. Meeting the eight conditions outlined in this article is crucial for attaining compliance with POPIA. In a nutshell, strong governance, from data acquisition, storage, & use to modification and de-identification, is the foundation for POPIA compliance.
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard – GOST-R-50739-95 (2 passes)|
|B.Schneier’s algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization-NATO Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 Customized Algorithms & more|