POPI – Protection of personal information

Have you ever wondered why, if you conduct a search on Google for flight tickets to Paris, within a day – if not a matter of hours - you will see ads popping up on your screen for holiday packages in France? Has it occurred to you that every time you swipe your credit card at a till point it is possible for a computer somewhere to capture how much you spend on exactly what, and to compile a database of this information? Will you get targeted emails advertising specials on the things you buy frequently? What does Facebook do with all the information you post on your page, and others, about your likes, your school, who your friends are, who you chat with most, what music you like, what clothes you wear, what clubs you went to? Somewhere, there are computers big enough to fill rugby fields compiling all of this information. Big data it is called.

There are good uses for this ever-increasing body of information. Analytics can spot not only business trends, but also predict disease-spread, be used to combat crime, and there are myriad other beneficial outcomes. However, as has been seen in the furore about the use of big data in manipulating voters in President Trump’s victory in the last US election, big data is also put to questionable uses.

In May 2018, the European Union implemented the General Data Protection Regulation of 2016. It protects data, and privacy, and the transfer of personal data in and out of the European Union. Its effect has not been conclusively measured yet, but effective it certainly is.

In South Africa, we have something similar in POPI, as it is popularly known - the Protection of Personal Information Act 2013. Given that the Constitution enshrines our right to privacy, and this includes protection against the unlawful collection, use and dissemination of personal information, the Act mirrors this aim. Its provisions seek to promote the protection of personal information processed by both private and public bodies, to set minimum requirements for processing such information, codes of conduct, to provide for the rights of citizens receiving unsolicited electronic communications, and much more.

Much of POPI relates to the ‘processing’ of personal information. What is personal information? It is just about anything concerning a person: his race, gender, sexual orientation, beliefs, medical history, addresses, telephone numbers, biometrics, private communications, views and opinions, and – in certain cases – even his name. Please note: this list gives just a few ideas as to what is considered to be ‘personal information’.1

To process personal information means any operation or activity, automated or manual, to collect, record, organise, update, modify, use, disseminate, merge, link, and even erase or destroy the information. So it is, again, just about anything that you can do with information.2

There are several aspects of POPI to watch out for, and which came into effect on 1 July 2020. A lot of the provisions concern enforcement, but this relates to complaints to the ‘Information Regulator’ and his powers of investigation and functions. These are not the subject of criminal prohibitions, although there are some, to be sure.

A. The Information Regulator

This is a body established by the Act. It has a variety of functions, including to provide education concerning the protection and lawful processing of personal information; to consult with and mediate between interested parties; to conduct research, and issue codes of conduct.

We are concerned with two of its other important powers: compliance enforcement, and dealing with complaints, including complaints about violations of the rights of protection. It is to be appreciated that the Regulator is in reality a large department, staffed by a Board and with many members performing the functions and tasks of the Regulator. They have wide powers of search and seizure, interrogation, and the like.

  1. You commit an offence if you hinder, obstruct, or unlawfully influence the Regulator (including any of the officials) in performing any duty or function under the Act.3

  2. Any person who serves a function under the Act must keep strictly confidential any information which he learns of during the exercise of functions and duties. He will be guilty of an offence if he does not do this – whether during his service or at any time afterwards.4

B. Assessments and Complaints

  1. The Regulator itself, or at the request of anyone, can initiate an assessment as to whether some particular method or instance of processing personal information is in compliance with the Act. To this end, he can issue what is called an ‘information notice’ which specifies the kind of information that is sought from a particular responsible party. It is an offence knowingly to make a statement in response to such a notice which is false, or even if the false statement is made recklessly. 5

  2. When a complaint has been lodged with the Regulator concerning the alleged interference with the protection of personal information, officials will investigate the complaint, and it might be further referred to an ‘Enforcement Committee’ for consideration and recommendations. Having considered such recommendations, the Regulator might issue an ‘enforcement notice’ and it will be served in the responsible party in question. If the responsible party fails to comply with the notice, it commits an offence.6

If there are reasonable grounds to suspect that:

  1. any public or private body (which is responsible for determining the purpose and means of processing personal information - referred to in the Act as a ‘responsible party’) is interfering with the protection of someone’s personal information; or

  2. an offence under the Act has been or is being committed,

    a Judge or a Magistrate can issue a warrant authorising any official of the Regulator to enter premises and search them, inspect and operate any equipment, and seize it and any records as evidence.

  1. It is a crime to obstruct any person in the execution of such a warrant.7

  2. It is also a crime to fail to give that person such assistance as he may reasonably require in order to execute the warrant.8

D. Proceedings of the Regulator

For the purposes of investigating a complaint, the Regulator may hold proceedings at which evidence is lead, interviews are held, and so forth.

  1. It is a criminal offence for any person who is summoned to attend and give evidence, or to produce any document or object at the proceedings, who:
    • fails to attend at the time and place specified in the summons;
    • fails to remain in attendance until conclusion of the proceedings or until he is excused by the Chairperson;
    • refuses to be sworn or to make an affirmation as witness;
    • fails to answer fully and satisfactorily any question lawfully put to him; or
    • fails to produce any book, document or object which he was summoned to produce.9
  2. Any person who knowingly gives false evidence is guilty of an offence.10

E. Account Numbers

These are obviously sensitive bits of information. POPI defines an account number as any unique identifier assigned by a financial or other institution to a particular person (ie, a legal person: a human being or a corporate entity) or to more than one such persons jointly (man and wife, for example) and which enables that person or persons to access their own funds, or to access credit facilities.

  1. The responsible party commits a criminal offence11 if it processes personal information in a way that does not comply with certain conditions. These deal with:
    • processing limitations;
    • purpose specifications;
    • information quality;
    • openness;
    • security safeguards; and
    • participation by the data subject, and authorization (including when it comes to children).

    Note: these conditions are comprehensively detailed, and the Act should be consulted for specifics.

  2. Any third party who obtains or discloses an account number without the consent of the responsible party commits an offence.12

  3. It is also an offence to procure the disclosure of an account number without the responsible party’s consent.13

  4. Anyone who sells an account number which he has obtained in contravention of these provisions is guilty of an offence.14

  5. It is even an offence to offer for sale such an account number. An advertisement indicating that an account number is for sale is deemed to be such an offer.
  1. See the definition in the Act for the complete array. 

  2. See the definition in the Act for the full description. 

  3. Section 100. 

  4. Section 101 read with section 54. 

  5. Section 103(2) read with section 90. 

  6. Section 103(1) read with section 95(1). 

  7. Section 102(a) read with section 82. 

  8. Section 102(b) read with section 82. 

  9. Section 104(1) read with section 81. 

  10. Section 104(2). 

  11. Section 105(1) read with section 8. There are exceptions and savings – see section 105(2) and 105(3). 

  12. Section 106(1). 

  13. Section 106(2). 

  14. Section 106(3).