WHAT IS POPI?
The Protection of Personal Information Act No.4 of 2013 (POPI) is South Africa’s legislation for the protection of individuals’ personal information against unethical use. The preamble to the Act states the intention is to:
“Regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.”
Since its passing into law, the Government has taken an incremental approach to the commencement of different sections of the Act. Towards the end of June 2020, the President released a proclamation that the remainder of the Act’s sections would commence on 1 July 2020, except sections 110 and 114(4) which are to commence 30 June 2021.
The commencement date denotes the start of a one year grace period for businesses to ensure that they are fully compliant with POPI.
The purpose behind POPI can therefore be seen as the promotion of the constitutional right to privacy by ensuring that responsible parties and operators engage in lawful processing of personal information in accordance with, and with respect for, the rights of data subjects.
RESPONSIBLE PARTIES AND OPERATORS
The responsible party in respect of POPI is the public or private body or any other person which determines the purpose of and means for the processing of information.
An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Putting this into context, you, the client are the responsible party for your employees’ (data subjects) personal information. SimplePay is acting as an operator for your benefit, processing your employees’ personal information in order to assist you in your payroll obligations. The relevance of this is that a party’s role determines their rights, obligations and liabilities.
LAWFUL PROCESSING OF PERSONAL INFORMATION
Personal information is information which can be used to identify a data subject – a definitive list can be found in Section 1 of the Act. The data subject is the person to whom the personal information relates and can be either a natural or juristic person. Almost any way that a company interacts with the personal information of a data subject constitutes processing – a definitive list is once again available in Section 1 of the Act.
Under POPI there are eight principles for the lawful processing of information, aimed at posing a balance between the necessary processing of data for business purposes and protecting the rights of individuals. These are:
More detailed information on each of these principles is provided in Chapter 3 of POPI.
Whose legal responsibility it is to ensure compliance with POPI depends on the relationship between the data subject and the organisation doing the processing.
RIGHTS OF DATA SUBJECTS
Under POPI, data subject rights include the right to access what information of theirs is held, the right to correct information, the right to be notified of collection and the purpose of the collection, the right to object to the processing of their information and, in certain circumstances, the right to erasure.
In the case of an alleged infringement of a data subject’s rights, any person has the right to lodge a formal complaint with the Regulator. Pursuant to section 74, complaints can be made to the Information Regulator, by completing and submitting the relevant form found on their website.
POPI AND SIMPLEPAY
Privacy and data protection are cornerstones of the culture at SimplePay, and, as such, we have for some time been largely compliant with the obligations that are now statutorily imposed by virtue of being an operator under POPI.
These obligations have been codified within POPI as follows:
The personal information provided to SimplePay by you includes information such as data subjects’ names, dates of birth, nationality, gender, physical address, email address and bank details. On signup and in order to make use of SimplePay, you are required to agree to our Terms of Service. These contain a clause consenting to the lawful collection and processing of personal information.
As was the case before POPI, SimplePay will continue to make reasonable efforts to assist you in the provision of personal information in line with your obligations to your employees’ (data subjects) rights under POPI, as laid out in sections 23 to 25 of the Act.
As well as complying with the principles of lawful processing, which for SimplePay includes meeting the three obligations covered above, the following are relevant: