The Protection of Personal Information (PoPI) Act will fundamentally alter how data must be managed in South Africa.
PoPI will become a reality, and while South Africa’s public and private sectors still await the announcement of the one-year grace period for market compliance, it will benefit them to start preparing for the legislation sooner rather than later.
The purpose of the Act is to ensure that all institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing a person’s or entity’s private information. It does this by holding institutions accountable if they abuse or compromise personal information, according to business management platform WorkPool.
The legislation regards your personal information as “precious goods”, and grants you certain rights of protection and the ability to control:
• When and how you share your personal information;
• The type and extent of the information you share;
• How your data is used (and to be notified if or when the data is compromised);
• How and where your information is stored; and
• Who can access your information.
You also have the right to have your personal data destroyed.
“Information” in this context is any information related to a data subject that can be used directly or indirectly to identify that person, according to Redstor, an international data management and security specialist firm.
However, some personal information on its own does not necessarily allow a third party to confirm or infer someone’s identity to the extent that this information can be used for other purposes. The combination of someone’s name and phone number and/or email address, for example, is far more significant than a name or phone number on its own. As such, the Act defines a “unique identifier” as data that “uniquely identifies that data subject in relation to that responsible party”.
Danie Marais, the founder and director of Redstor, says the law not only covers people, but also “data subjects”, or any legal entity that has the right to have its information protected.
The PoPI Act is not unique to South African law. Many countries have similar legislation to protect the personal information of data subjects. This legislation includes rules and regulations that govern the international transfer and sharing of data.
The consensus seems to be that, apart from the unrealistic implementation period of one year and some practical implementation challenges, the PoPI Act is well thought out and borrows from the “best of” similar foreign laws, learning from their mistakes and shortcomings.
Marais says there are similarities between PoPI and the European General Data Protection Regulation (GDPR).
The GDPR was implemented by the European Parliament in April last year, and will take full effect after a two-year transition period that ends on May 25, 2018.
The GDPR requires organisations to ensure that they have taken steps to minimise the risk of data being leaked.
“In much the same way that the GDPR has established a framework for how organisations need to take technical and organisational measures to protect data, PoPI has been implemented to do precisely the same.
“From a South African perspective, amid ongoing cyber threats, the legislation forces organisations and businesses to take responsibility for the way they handle data, and this speaks to accountability, which is absolutely essential in today’s market,” Marais says.
WorkPool says we live in an information age, and this places a responsibility on each of us to take care of and protect our information. Do not accuse someone else of sharing or compromising your personal information when you publish the same information on public services such as Facebook, LinkedIn and Google+.
Technology makes it easy to access, collect and process high volumes of data at high speeds. This information can be sold or used for other purposes. Data-protection laws protect your right to privacy and prevent your information from being abused.