Commencement of the Protection of Personal Information Act

Author: Jonathan Bywater


The Protection of Personal Information Act (POPI) is South Africa’s legislation for the protection of individuals’ personal information against unethical use.

Despite being passed into law back in 2013, most of POPI has been waiting in the wings to be commenced. At the end of June 2020, the President announced that 1 July 2020 is the commencement date for the majority of the remaining POPI sections, with the exception of sections 110 and 114(4), which are to commence on 30 June 2021.

This starts a one-year grace period for businesses to ensure they are fully compliant. In this blog we will outline how SimplePay fits into the equation of POPI and our compliance with its requirements.

Overview of Organisations’ Responsibilities under POPI

POPI lists eight key principles with respect to the lawful processing of personal information, most of which can be grouped into three broader categories. The first category relates to the collection of information, where the purpose for the collection should be clear and the accuracy of information ensured. The second category relates to the processing of information, where it can only be processed for the purpose it was collected, not for an expanded or additional purpose. The third category relates to security, where the information needs to have sufficient security measures to reduce the risk of data breaches.

The final principle, which does not fit into the three categories above, is accountability. POPI states that the responsible party needs to ensure that the conditions for lawful processing are met.

Responsible Parties and Operators

The responsible party with respect to POPI is the public or private body or any other person which determines the purpose of and means for the processing of information.

An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

Putting this into context, you, the client, are the responsible party for your employees’ (data subjects) personal information. SimplePay is acting as an operator for your benefit, processing your employees’ personal information in order to assist you in your payroll obligations. The relevance of this is that a party’s role determines their rights, obligations and liabilities.

An example of this is shown above, where the responsible party is obliged to ensure the conditions for lawful processing are met when determining the purpose of the processing.

SimplePay’s POPI Compliance

Even before it was required by law, SimplePay was already largely compliant with all our operational regions’ data protection laws, due to our underlying commitment to strict privacy and data handling practices. Since 2018, SimplePay has been fully compliant with GDPR, the EU’s equivalent data protection legislation, with which POPI shares many principles. This has resulted in SimplePay being compliant with POPI even before the official commencement of the Act.

This means you can have peace of mind that the rights of you and your employees have always been, and will continue to be, safeguarded by us.

For greater detail on SimplePay’s compliance with POPI, you can visit the dedicated page on our website: www.simplepay.co.za/popi.

We hope that this information has proved useful to you. If you have any questions on how the information above relates to SimplePay, please feel free to contact us at support@simplepay.co.za. Equally, if you are not yet a client of SimplePay but would like to be, or if you’d like to know how we can take the effort out of filing and calculating payroll, get in contact with us or visit our website at simplepay.co.za.

Keep well and stay safe.

Team SimplePay