Page 54 - Profmark BSA Guide 2025
THE PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013
The Protection of Personal Information Act (POPIA) is aimed at bringing SA in line
with international standards of protection of personal data. It applies to any person
or organisation who keeps any type of records relating to the personal information
of anyone (unless those records are subject to other legislation which protects such
information more stringently). It regulates the “processing” of personal information.
“Processing” includes collecting, receiving, recording, organising, retrieving, or using
such information; or disseminating, distributing or making the personal information
of the data subject available.
“Personal information” includes a wide range of information that can be used to
identify a data subject. It relates to information pertaining to an identifiable, living
natural person, and where it is applicable, an identifiable existing juristic person,
including and not limited to information relating to race, gender, marital status,
pregnancy, ethnic or social origin, colour, sexual orientation, age, physical or mental
health, well-being, disability, religion, conscience, belief, culture, language and birth.
In order to comply with POPIA, public and private bodies or ‘organisations’ are
required to implement a ‘POPI’ programme to ensure that the safety and privacy of
the personal information of their ‘data subjects’ is protected. This applies to their
information capturing, storage and usage systems. The Act requires that businesses
in SA identify and appoint an Information Officer within their organisation. The
Information Officer is responsible for encouraging compliance with the conditions for
the lawful processing of personal information as set out in POPIA, within the
organisation, and is also required to work with the Information Regulator with regard
to any investigations it may conduct in terms of the Act.
The Information Regulator (IR) is responsible for the enforcement of POPIA’s
provisions, as well as handling of complaints, performing research and facilitating
cross-border co-operation. Should a business be in violation of any of POPIA’s
provisions, the IR may issue an enforcement notice. If the enforcement notice is not
complied with, the penalty that may be imposed is a fine or imprisonment, or both.
Up to twelve months’ imprisonment may be imposed for lesser offences, and up to
ten years for more serious offences. The maximum fine that may be imposed is
R10-million.
A company may transfer personal information to recipients in locations outside SA if
the recipient country has data protection laws similar to POPIA.