Despite a lot of early fanfare, little mention was recently made of this important piece of legislation which is bound to impact on each FSP. This overview is, by its nature, very brief and covers very high level views only. More detailed information will be shared in our follow-up workshops once we have the final regulations in place.
The Protection of Personal Information Act 4 of 2013 (“POPI” or “the Act”) was signed into law on 19 November 2013, but the commencement date of the Act has not been announced yet. It is important to note that once the effective date is finalized, FSPs will have one year before the Information Regulator will start enforcing the provisions of the Act. The Regulator is still to be appointed, with 16 August 2016 being the anticipated date.
POPI is not ground breaking stuff – FSPs are already bound by the provisions of S 3(2) of the General Code of Conduct. In terms of that requirement, FSPs may not disclose any confidential information acquired from a client, unless written consent was obtained beforehand, or disclosure of the information is required in the public interest, or under any law.
The Act was introduced in response to the perceived threat posed by the unregulated processing of personal information. It aims to regulate the processing of personal information, and to give effect to the constitutional right to privacy by introducing measures to ensure that organisations use (“process” is the word used in the Act) personal information in a fair, reasonable, responsible and secure manner. The introduction of a data protection law in South Africa is in line with other jurisdictions such as the UK, where legislation that regulates the processing of personal information has been in place for several years.
All FSPs are bound by this piece of legislation which applies to personal information of clients, prospects, employees, product suppliers or any other party.
The following definitions are useful in understanding POPI:
- “Personal information” means information relating to an identifiable, living natural person or juristic person and includes, amongst others, the following: ID number, email address, physical address, telephone number, information relating to health, criminal behaviour, views of the person, views about the person and many more.
- “Data subject” means the person (natural or juristic) to whom the personal information relates. This would normally be the client of the FSP.
- “Processing” means any operation or activity, whether or not by automatic means, concerning personal information, and includes the collection, receipt, recording, organisation, collation, storage, updating or modification, destruction, etc. of personal information. In short, if a person or organisation is in possession of (retains) personal information, they are “processing” personal information. Processing really comes down to any use of personal information.
The information officer of a private body is defined as the head of that private body as defined by PAIA. The information officer is responsible for implementation of and compliance with the Act and his or her statutory duties are many and varied. (S55 POPI). However, this function may be formally delegated to a deputy information officer. Many businesses will choose this option and appoint, for example, a compliance officer to act as the designated information officer of the business.
The FSP, as a private body, must register its information officer with the Information Regulator.