As of 1 July 2020, the Protection of Personal Information Act 4 of 2013 (POPI) finally came into force. In simple terms, the aim of the POPI Act is to ensure that all public and private bodies in South Africa conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise your personal information in any way.
The purpose of this Act is to:
- give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
  - balancing the right to privacy against other rights, particularly the right of access to information; and
  - protecting important interests, including the free flow of information within the Republic and across international borders;
- regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
- provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
- establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
Let us begin with understanding POPI, which is an act that was updated with the purpose of protecting people from harm by protecting their personal information. This act aims to protect people from crimes such as having their money or identity stolen, and to provide a general sense of protection of privacy, which, as we know, is a basic human right in South Africa.
The POPI Act defines personal information as “information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person, including, but not limited to—
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identification number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person”.
This act is in place to ensure that businesses act responsibly when handling your private and personal information and it specifically holds them accountable should your privacy be compromised.
As the digital age continues all around the world, criminals have also advanced to keep up with the times and have taken their criminality online. This clamping down on the use and distribution of personal information means companies now have an obligation to disclose if their data or systems have been breached and if any of their customers’ information has been exposed.
The Information Regulator now has the option of issuing a fine to any company found to be in violation, and even has the right to make the details of their data breaches public. This would most likely have a negative effect on any offending company, as the reputation of the organisation will be tarnished and it may lose customers who will no longer trust it with their sensitive information. Companies have the responsibility to protect their clients’ and employees’ private information.
For companies to be compliant with these new regulations, they will be required to assess where people’s personal information is being used. They must also protect against any possible cyber threats, and identify and fix any weaknesses in their systems that could compromise the data they have stored.
Businesses of all sizes are required to comply with this act. For those who may worry about the additional cost they may incur to bring their cyber security up to standard, there are affordable ways for smaller businesses to protect themselves and their clients by encrypting:
- Sensitive data
- Customer databases
- Contact information for external people.
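The three items above all come down to the same control: personal information sitting in a database or file must be unreadable to anyone who copies the storage without also holding the key. The Go program below is an added example, not code from the original article or from any particular vendor, showing one way a small business could do this for customer records. It encrypts each sensitive column with AES-256-GCM, binds the record ID and column name into the ciphertext as associated data (so a value copied from one row or column into another fails to decrypt), and keeps a keyed blind index so a customer can still be looked up by e-mail address without storing the address in the clear. The `Vault` and `BlindIndex` names, the column names and the sample customer record are all constructed for this illustration; in practice the master key and index key would come from a key-management service rather than being generated in `main`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault wraps an AES-256-GCM AEAD used for field-level encryption of
// personal information at rest. (Constructed example type.)
type Vault struct {
	aead cipher.AEAD
}

// NewVault requires a 32-byte master key (AES-256). Anything shorter is
// rejected rather than padded, so a weak or truncated key cannot slip in.
func NewVault(masterKey []byte) (*Vault, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// aad binds the ciphertext to its row and column so it cannot be
// replayed into a different record or field without failing authentication.
func aad(recordID, column string) []byte {
	return []byte(recordID + "\x00" + column)
}

// EncryptField returns base64(nonce || ciphertext || tag). A fresh random
// nonce is drawn per call; GCM must never see a nonce reused under one key.
func (v *Vault) EncryptField(recordID, column string, plaintext []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, plaintext, aad(recordID, column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField and fails on any tampering, truncation,
// or mismatch between the stored location and the one the value was sealed for.
func (v *Vault) DecryptField(recordID, column, encoded string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, ct[:ns], ct[ns:], aad(recordID, column))
}

// BlindIndex lets the application find a customer by e-mail address without
// storing the address in the clear: HMAC-SHA256 over the normalised value,
// under a key separate from the encryption key. Equality lookups still work;
// the index reveals nothing about the address to someone without the key.
func BlindIndex(indexKey []byte, email string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	// Constructed keys for the demo only; load them from a KMS in production.
	masterKey := make([]byte, 32)
	indexKey := make([]byte, 32)
	rand.Read(masterKey)
	rand.Read(indexKey)

	v, err := NewVault(masterKey)
	if err != nil {
		panic(err)
	}

	// Constructed sample customer record.
	recordID := "cust-0001"
	fields := map[string]string{
		"email":     "Jane.Doe@example.test",
		"id_number": "ID-PLACEHOLDER-0001",
		"phone":     "+27 00 000 0000",
	}

	stored := map[string]string{}
	for col, val := range fields {
		stored[col], err = v.EncryptField(recordID, col, []byte(val))
		if err != nil {
			panic(err)
		}
	}
	stored["email_idx"] = BlindIndex(indexKey, fields["email"])

	// What a database dump would reveal: only ciphertext and an opaque index.
	for col, val := range stored {
		fmt.Printf("%-10s %s\n", col, val)
	}

	// Lookup by e-mail uses the blind index; decryption only happens in-app.
	if stored["email_idx"] == BlindIndex(indexKey, "jane.doe@example.test") {
		pt, _ := v.DecryptField(recordID, "phone", stored["phone"])
		fmt.Println("matched customer, phone:", string(pt))
	}
}
```

The associated-data binding is the part most home-grown schemes leave out: without it, an attacker with write access to the database can move a ciphertext between rows or columns and have the application decrypt it in the wrong context. Note also that only equality search is supported through the blind index; range queries or substring matching on encrypted personal information need a different design.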
Companies are also advised to offer training to their employees to ensure that they know how to handle personal information, as well as how to identify and contain any breaches found.
To show the seriousness of this act and the information it protects, violators will find themselves facing hefty penalties of up to ten years in jail and fines of up to R10 million, but the worst punishment for most companies will be the publication of the breach and loss of customer confidence and a damaged reputation.
In the world we live in today, it’s almost scary to think that these regulations are only now being enacted. Cybercrime is just as devastating as if someone robs you on the side of the road, maybe even scarier, as they could empty out your savings account from the comfort of their home. Cyber criminals are much harder to apprehend, as they could literally be located anywhere in the world, and their crimes often go unnoticed until long after they’ve taken place. By then the culprit may be long gone and untraceable.
We can all sleep a little safer knowing that companies that have access to our private and sensitive information are now required by the law to ensure that the data they have is protected.
Below are a few cybersecurity tips your organisation can follow:
- Implement Employee Training Programs
- Enable Two-Factor Authentication
- Make Sure Your Software Is up to Date
- Know Your Server Security Options
- Use SSL/TLS on Your Public Website
In the end, it comes down to having a well-established culture around cybersecurity. Everyone in your office should be trained, including attorneys, support staff, first-responders (IT personnel) and clients.