
POPI – CAN YOU AFFORD NOT TO COMPLY?

By Johan Botes, Director, Lauren Salt, Associate, and Tracy Robbins, Candidate Attorney, Employment practice, Cliffe Dekker Hofmeyr

 

Purpose and application of the Protection of Personal Information Act, No 4 of 2013 (Act)

 

The Act regulates how anyone who processes personal information must handle, keep and secure that information. If an individual or a company processes personal information relating to a person, that individual or company must comply with the Act. Failure to comply with the Act may lead to the imposition of certain penalties under the Act.

 

Punishable offences in terms of the Act

The following offences are, if committed, punishable with either a fine (not exceeding R10 million), or imprisonment (for a period not exceeding 10 years), or both:

  • Obstruction of a Regulator - a person will be guilty of an offence if they hinder, obstruct or unlawfully influence the Regulator or any person acting on behalf of or under the direction of the Regulator;
  • Failure to comply with enforcement or information notices - if a responsible party fails to comply with an enforcement notice, they will be guilty of an offence;
  • Offences by witnesses - a person will be guilty of an offence where such a person is summoned to give or produce evidence before the Regulator and that person, after being sworn in, gives false evidence before the Regulator on any matter;
  • Unlawful acts by a responsible party in connection with an account number - if a responsible party contravenes s8 of the Act, subject to certain exceptions, that responsible party will be guilty of an offence. The responsible party, in terms of s8 of the Act, must ensure conditions for lawful processing; and
  • Unlawful acts by third parties in connection with an account number - a person who knowingly or recklessly obtains or discloses an account number of a data subject, or who procures the disclosure of an account number of a data subject to another person, is guilty of an offence. In addition, if that person sells or offers to sell an account number obtained illegally, they will be guilty of an offence.

 

The following offences are, if committed, punishable with either a fine (not exceeding R10 million), or imprisonment (for a period not exceeding 12 months), or both:

  • Failure to notify the Regulator that processing is subject to prior authorisation - if a responsible party fails to notify the Regulator that processing, which is about to be embarked upon, is subject to prior authorisation from the Regulator, that person will be guilty of an offence;
  • Breach of confidentiality - any person who breaches the provisions of s54 of the Act, which states that a person acting on behalf of or under the direction of the Regulator must treat all personal information they come across as confidential, will be guilty of an offence;
  • Obstruction of the execution of a warrant - a person who obstructs or fails to give assistance to a person executing a warrant in terms of the Act will be guilty of an offence;
  • Failure to comply with enforcement or information notices - if a responsible party, in purported compliance with an information notice served on it, makes a false statement, it will be guilty of an offence; and
  • Offences by witnesses - a person will be guilty of an offence where such a person is summoned to give or produce evidence before the Regulator and that person either (i) does not attend; (ii) fails to remain in attendance; (iii) refuses to be sworn in or to make an affirmation; (iv) does not answer fully and satisfactorily; or (v) does not produce any item that they have been summoned to produce.

 

Conclusion

Although the Act places onerous obligations on employers, there is a one-year grace period from the date on which the Act commences to allow for compliance. If a responsible party acquaints itself with the provisions of the Act timeously and puts the necessary measures in place, the penalties mentioned above can easily be avoided.

 

For more information, kindly contact Johan Botes at [email protected]; [email protected] or [email protected]

 

 

What does POPI compliance mean?

By Jan du Toit

 

Latest developments – Registration of Information Officers:

 

On 17 May 2021 the Information Regulator’s long awaited online portal went live for the registration of Information and Deputy Information Officers.

 

The Information Officer of a Responsible Party is the person at the head of your company (CEO or MD), any person acting in such capacity, or a person specifically appointed by the MD or CEO to be the Information Officer. Registration must be completed before the end of June 2021.

 

The address for the portal is https://justice.gov.za/inforeg/portal.html

 

The following information is required to successfully register: 

  • Company name.

  • Company registration number.

  • Company type.

  • Company physical and postal addresses.

  • Company telephone and fax numbers.

  • Information Officer gender, nationality, full name and surname, ID or passport number.

  • The same details as above for each Deputy Information Officer.

 

POPIA Compliance – what must be done?

With a little more than a month left before POPI becomes fully effective, many employers may find themselves out of time to become fully compliant with, among other requirements, the eight processing conditions prescribed in the Protection of Personal Information Act.

 

To be considered compliant, the following must be considered and applied in the business of a Responsible Party before 1 July 2021:

  1. POPI training / awareness sessions for the CEO / MD, managers and others tasked with the company’s POPI compliance project. Have a look on our website for the next POPIA training dates.

  2. Compliance audit to be conducted company-wide per department / division to determine the current processing practices within the organization and to establish what needs to be done to be compliant.

  3. Correction of contraventions as identified, and to introduce reasonable technical and organizational measures to prevent the loss or unauthorized access of Personal Information.

  4. Introduction of Data Subject rights and consent in the business through policies and consent clauses / paragraphs / contracts.

  5. The introduction of a PAIA manual (Promotion of Access to Information Act) that incorporates data subject rights and participation in terms of POPIA. This manual must be published on one of the company’s websites. It is also important to note that the current exemption granted by the Minister of Justice, which allows some businesses not to have such a manual in place, expires at the end of June 2021.

  6. General staff POPI policy and legislation awareness training.

  7. Registration of the company’s Information Officer (the CEO, MD or any person acting in such position).

  8. Follow-up assessment on compliance measures and adherence thereto.

 

It is important to note that no institution, not even the Information Regulator, can “accredit” any Responsible Party in South Africa as compliant in terms of the legislation. Compliance (or otherwise) will only be determined should an investigation be launched by the Information Regulator following a complaint. Should such an investigation confirm a lack of compliance, consequences such as an administrative fine not exceeding R10m may follow (which one may, fortunately, pay off in instalments). Further to this, those whose rights are infringed upon by a Responsible Party not adhering to the requirements of POPIA may also institute civil proceedings. Such proceedings may result in compensation being awarded for loss, as well as aggravated damages determined at the discretion of the court.

 

In terms of section 19 of the Act, the Responsible Party (business owner / employer) is required to introduce reasonable organizational and technical measures to secure the integrity and confidentiality of Personal Information. The organizational measures referred to above include, inter alia, both internal and external policies that introduce the principle of protection of personal information in the workplace, as well as the rights of data subjects.

 

To allow you more time to focus on your business, the author of this article compiled a bundle of detailed policies for your business, ready to use. This includes all relevant forms to be used and a template document with draft consent clauses / paragraphs / rules to be incorporated into service and employment contracts, job applications, credit and other application forms, WhatsApp and Facebook groups / pages, and Independent Contractor agreements.

 

Also included is an Operator Agreement as required in terms of section 21 of the Act and a consent letter for existing clients / service providers, to agree to the continued processing of their Personal Information beyond June 2021.

 

The policies bundle includes: 

  • Privacy notice template to be published on your website.

  • Personal information protection policy.

  • Personal information retention policy.

  • Data breach policy.

  • Data breach register - form.

  • Data breach report - form.

  • Data security policy.

  • Data subject access request policy and procedures.

  • Data subject access request forms.

  • Processing agreement with third parties as Operators - contract.

  • Data subject participation - draft consent paragraphs / clauses to be incorporated into service and employment contracts, job applications, credit and other application forms, WhatsApp and Facebook groups / pages and Independent Contractor agreements.

  • Guidelines on the appointment of deputy information officers, inclusive of appointment letter.

 

For only R3750 you can now order your set of POPI policies, ready to use. Contact Jan du Toit for further assistance at [email protected]
