Legal Update - What is the Protection of Personal Information Act... POPI?
What is POPI?
The Protection of Personal Information Act (‘POPI’) is South Africa’s first piece of comprehensive data privacy legislation. POPI regulates, amongst many other aspects, how information is collected, processed, stored and destroyed. Importantly, it also creates very strong rights, duties and obligations for persons and companies, both with respect to the information that they deal with and with respect to their own Personal Information held by others. The scope of POPI is very wide and will affect all businesses holding or dealing with information in any form as defined in POPI.
While no clear date has been announced at this stage, it is expected that POPI will become fully effective in the first half of 2017. Due to the vast amounts of information that even the smallest company deals with, the one-year grace period provided for in POPI from the effective date to achieve POPI compliance is often not enough time to finalise a POPI compliance project. POPI compliance is thus an urgent and imperative focus area in 2017 for all businesses.
From a practical perspective for the Security Industry, the necessity of ensuring security in our public and private spaces requires that systems are put in place to control the access, movement and identities of persons and provide alerts to security managers in the event that a breach of any of the security protocols occurs. In order to do this, a large amount of information is collected. This information can take the form of a physical record, such as persons signing in at a main entry gate in scruffy visitor log books, or the recording of vehicle registrations and names. More modern systems scan and record drivers’ licenses, and can include extensive video surveillance throughout the property and even biometric access controls which require that a person’s fingerprint or retina is scanned. All of these forms of information are protected by the provisions of POPI.
Through the securing of their premises, owners and managers or security providers of buildings inevitably become holders of vast amounts of information which, in terms of POPI, they are responsible for. Building owners and managers, working alone or in conjunction with their security companies, are thus considered to be ‘Responsible Parties’ through the lens of POPI.
POPI places various obligations on Responsible Parties in respect of the collection, storage and destruction of Personal Information, often requiring the consent of the person to whom the Personal Information pertains. Failure to comply with the requirements of POPI may result in fines of up to R10 million, up to ten years imprisonment and/or claims for civil damages.
A key assessment that the building owners, managers and/or their security companies need to perform is whether they collect any personal information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person as defined in POPI. The most typical information collected by buildings or security companies is set out below.
From a human resources viewpoint, all companies in this industry collect at least some of the following types of identifiable Personal Information relating to their employees:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person.
From a service delivery viewpoint, companies in this industry collect the following types of personally identifiable Personal Information relating to persons entering or working in the premises for which they are responsible:
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person.
Any of the information above can be collected in any medium, be it in writing, electronically, a drawing or plan, or a photograph or video.
Any company in the building management, development or private security industry must be aware of the information they collect, and ultimately become responsible for, through the delivery of their services to their clients, customers and service providers.
To assess whether you are at risk of fines or even imprisonment, your company needs to ask the following questions:
- Do you know the full extent of your organisation’s collection of Personal Information?
- Do you provide adequate protections for the information?
- Do you have a system in place which regulates the entire data life cycle of the Personal Information in your business?
If you answered ‘no’ to any of the above questions, contact Futcher & Poppesqou Attorneys on [email protected] for assistance with your Information Privacy requirements.
Courtesy: IDME Consulting
Disclaimer: This article is a general summary of certain legal issues.
This article does not constitute legal advice and does not purport to be a detailed or complete explanation of the subject matter.