Protection of Personal Information Act, 2013

Parliament of South Africa
  • Act to promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
Citation: Act No. 4 of 2013
Territorial extent: Republic of South Africa
Enacted by: Parliament of South Africa
Assented to: 19 November 2013
Commenced: 1 July 2020
Status: In force

The Protection of Personal Information Act (PoPIA or the PoPI Act) is a piece of legislation which governs the law of data protection and privacy in South Africa.[1] The act was passed to regulate the right to privacy, as enshrined in section 14 of the Constitution of South Africa, and works in conjunction with the Promotion of Access to Information Act. The President of South Africa assented to the Act on 19 November 2013. As part of the regulation a new government agency was created, the Information Regulator,[2] an independent body empowered to monitor and enforce compliance with the PoPI Act in the public and private sectors. The act came into force on 1 July 2020, which commenced a one-year grace period during which all South African entities were expected to become compliant. The grace period ended on 30 June 2021, and the act commenced in full on 1 July 2021.[3][4][5]


Core Obligations

The PoPI Act sets out several core obligations.[6] Some of the key requirements include:

  1. Personal information may only be processed:
    • with the consent of the data subject; or
    • if it is necessary for the conclusion or performance of a contract to which the data subject is a party; or
    • if it is required by law; or
    • if it protects a legitimate interest of the data subject; or
    • if processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
  2. Private and public entities must report data leaks to the affected people and to the Information Regulator.
  3. Organisations must appoint a responsible person who must ensure compliance with the PoPI Act.
  4. Cross-border transfers of personal data are restricted.
  5. Organisations that process personal information must ensure they satisfy minimum security obligations.
  6. Direct marketing, the sale and use of electronic directories, and automated decision making are also severely curtailed.
  7. The act elevates the obligations placed on entities that process information regarding children, religious beliefs, race, ethnic origin, trade union membership, health, sex life, criminal behaviour and biometric information.

Jurisdiction

The PoPI Act applies to all persons and organisations within the borders of South Africa, and extends to visitors and illegal immigrants.[7]

Penalties

Penalties under the Act include fines of up to R10 million and a jail sentence of up to 10 years.[8] In July 2023, the Information Regulator fined the Department of Justice and Constitutional Development R5 million.[9][10]

Information Regulator
Agency overview
Formed: 1 July 2020
Jurisdiction: South Africa
Headquarters: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Agency executives
  • Adv. Pansy Tlakula, Chairperson
  • Mosalanyane Mosala, CEO
Website: inforegulator.org.za

Information Regulator

The Information Regulator is an independent body created in response to the PoPI and PAIA acts. It is empowered to monitor and enforce compliance with both acts in the public and private sectors. It functions in terms of the two acts and is accountable to the National Assembly of South Africa.

Cybercrimes Act

South Africa does not yet have a cohesive piece of legislation in force which governs cybercrimes. The Cybercrimes Act has been signed by the President of South Africa and will come into force on a date to be proclaimed in the Government Gazette. The period between assent and commencement will be spent developing operating procedures and other documented processes for implementing the provisions of the Act.[11]


References

  1. "Protection of Personal Information Act 4 of 2013". South African Government website. Retrieved 4 May 2022.
  2. "Welcome to Information Regulator South Africa". Information Regulator. 20 August 2020. Retrieved 4 May 2022.
  3. Moyo, Admire (22 June 2021). "POPIA prior authorisation commencement date set for 2022". ITweb. Retrieved 4 May 2022.
  4. "Protection of Personal Information Act: Commencement of certain sections" (PDF).
  5. "Protection of Personal Information Act: Commencement of section 58(2)" (PDF).
  6. "Acts - Information Regulator". Information Regulator. 3 March 2022. Retrieved 4 May 2022.
  7. "POPI and the transfer of personal information outside of South Africa". Tonkin Clacey Inc. Retrieved 4 May 2022.
  8. Ramalepe, Phumi. "SA's new privacy laws are in effect – companies that fail to comply can be fined up to R10m". Business Insider. Retrieved 4 May 2022.
  9. "Information regulator fines justice department R5 million".
  10. "Information Regulator - Infringement notice and R5 Million administrative fine issued to the Department of Justice and constitutional Development for contravention of POPIA" (PDF).
  11. Williams, Grant (26 July 2021). "The newly enacted Cybercrimes Act and what it means for South Africans". Golegal. Retrieved 4 May 2022.