Non-compliance with Popia can have dire consequences

Early this year, the information regulator (IR) announced that failure to comply with certain provisions of the Protection of Personal Information Act (Popia) may result in the IR imposing an administrative penalty of up to R10-million from July 1, 2021, or imprisonment for a period not exceeding ten years, or both, depending on the severity of the breach, writes NONTOBEKO AISHA MKHWANAZI

THIS is among the reasons that encouraged Awqaf SA, in conjunction with the Association of Muslim Lawyers and Accountants (Amal), the South African National Zakah Fund (Sanzaf) and the United Ulama Council of South Africa (Uucsa), to host a webinar on the impact of Popia on non-profit organisations (NPOs) as part of a series of workshops under the theme of corporate governance for Muslim NPOs in the country.

Guest speaker, Shenaaz Munga, who is a senior associate in ENSAfrica’s dispute resolution department and a specialist in commercial litigation with a focus on disputes arising in the financial services, broadcasting and media industries, said that Section 14 of the South African Constitution guarantees the rights of privacy, and Popia aims to ensure that parts of these rights are safeguarded.

‘Everyone has the right to privacy, which includes the right not to have their homes or property searched, their possessions seized or the privacy of their communications infringed. The right to privacy also includes the right to the protection against unlawful collection, retention, dissemination and use of personal information. Popia fleshes out the right of privacy and gives meaning to the broad right entrenched in the right to the privacy of communication without infringement.’ said Munga. It is also instrumental in decreasing crimes relating to identity theft, and murders or kidnappings as a result of spam messages.

Popia applies to any person or organisation keeping any type of records relating to the personal information of anyone, unless those records are subject to other legislations which protect such information more stringently. This means that whether an entity is private, public or an NPO, as long as it records anyone’s information, it needs to comply with the act. ‘The act requires NPOs to lawfully process personal information in accordance with the conditions set out in the act. Popia does not ban the processing of information but sets out minimum requirements that must be met to validly process information,’ added Munga.

She also outlined the eight conditions for lawful processing of personal information. The first of these is accountability. The NPO holds a responsibility for compliance and must prove it with requirements outlined by this act.

The second condition is processing limitation, which stipulates that all data must be obtained directly from the data subject with the required consent. The data subject should know what the data will be used for, and give consent. Only the most essential information should be obtained.

The third is that data must be purpose specific, requiring that the organisation must not obtain additional or irrelevant data. The purpose and reason for obtaining the information should be made explicit, and the processing of the data for its purpose must be well documented.

The fourth condition is the further processing limitation, which inhibits the organisation from processing the information for a secondary purpose. This can only be allowed when it can be proven that the secondary purpose is compatible with the original intent for the data.

Information quality is the fifth condition, and this pertains to ensuring that the information obtained is correct, complete and in no way misleading.

The sixth condition is openness. In addition to the data subject providing consent and being informed of the purpose of the data, the name and number of the responsible individual within the NPO must also be provided to the subject. The data subject must be informed that they have the right to complain to the information regulator if they suspect any misuse of their information.

The seventh concerns security safeguards, entailing the processes and strategies that must be put in place to ensure that data are kept private and secure. A risk assessment may be needed to evaluate processes and find suitable technological solutions and services that can assist in the storage and management of data.

The final condition is data subject participation. The data subject has the right to withdraw or change information at any time. They also have the right to request that the organisation shows them what personal information about them is being held. The organisation does not have the right to refuse.

Understanding these conditions and the further regulations as outlined by Popia will go a long way in ensuring that organisations can rectify their operations and strategies, and implement data solutions that ensure complete compliance.

Munga also highlighted that among the stakeholders, the information officer plays an important role because they ensure that the compliance framework is developed, implemented and maintained. She added that Popia provides a unique and possibly effective way of dealing with contraventions.

‘Should there be interference with a data subject’s protection of personal information, the aggrieved party may lodge a complaint with the information regulator. A negotiated settlement is one of the possible outcomes of the complaints procedure. The regulator does not require a court order to institute a fine for negligence or non-compliance in favour of the aggrieved party in terms of Popia,’ stated Munga.

She advised all NPOs that do not know where to start regarding Popia compliances to appoint a Popia team, conduct and initiate an assessment of the NPO, assess the personal information in the NPO’s possession and ensure continued compliance with Popia in order to avoid the dire consequences of non-compliance.