Despite a lot of early fanfare, little mention has been made recently of this important piece of legislation, which is bound to have an impact on each FSP. This overview is, by its nature, very brief and covers high-level views only. More detailed information will be shared in our follow-up workshops once we have the final regulations in place.
The Protection of Personal Information Act 4 of 2013 (“POPI” or “the Act”) was signed into law on 19 November 2013, but the commencement date of the Act has not been announced yet. It is important to note that once the effective date is finalized, FSPs will have one year before the Information Regulator will start enforcing the provisions of the Act.
POPI is not groundbreaking stuff – FSPs are already bound by the provisions of S 3(2) of the General Code of Conduct. In terms of that requirement, FSPs may not disclose any confidential information acquired from a client, unless written consent was obtained beforehand, or disclosure of the information is required in the public interest, or under any law.
The Act was introduced in response to the perceived threat posed by the unregulated processing of personal information. It aims to regulate the processing of personal information, and to give effect to the constitutional right to privacy by introducing measures to ensure that organisations use (“process” is the word used in the Act) personal information in a fair, reasonable, responsible and secure manner. The introduction of a data protection law in South Africa is in line with other jurisdictions such as the UK, where legislation that regulates the processing of personal information has been in place for several years.
All FSPs are bound by this piece of legislation, which applies to personal information of clients, prospects, employees, product suppliers or any other party.
The following definitions are useful in understanding POPI:
- “Personal information” means information relating to an identifiable, living natural person or juristic person and includes, amongst others, the following: ID number, email address, physical address, telephone number, information relating to health, criminal behaviour, views of the person, views about the person and many more.
- “Data subject” means the person (natural or juristic) to whom the personal information relates. This would normally be the client of the FSP.
- “Processing” means any operation or activity, whether or not by automatic means, concerning personal information, and includes the collection, receipt, recording, organisation, collation, storage, updating or modification, destruction, etc. of personal information. In short, if a person or organisation is in possession of (retains) personal information, they are “processing” personal information. Processing really comes down to any use of personal information.
The information officer of a private body is defined as the head of that private body as defined by PAIA. The information officer is responsible for implementation of and compliance with the Act, and his or her statutory duties are many and varied (S55 POPI). However, this function may be formally delegated to a deputy information officer. Many businesses will choose this option and appoint, for example, a compliance officer to act as the designated information officer of the business.
The FSP, as a private body, must register its information officer with the Information Regulator.
Collection of Personal Information
Generally speaking, personal information must be collected directly from the client and must be collected for a specific, explicitly defined, lawful purpose. An FSP must therefore be sure to define and know why it is collecting (and processing) personal information. The FSP must also ensure that the client is explicitly informed of the personal information that will be processed. This must be done in writing and a record of the notification must be retained.
The FSP should only process personal information which is “adequate”, “relevant” and “not excessive” for the purpose of processing; in other words, only process what is necessary.
There is a duty on the FSP to take reasonable steps to ensure that personal information records are complete, accurate, not misleading and updated. This includes the obligation to ensure that reasonable steps are taken to update client information from time to time.
Records may not be retained for longer than is necessary in order to achieve the purpose for which they were collected and must be destroyed after that period. Retention policies should therefore be implemented to ensure compliance with this requirement.
Security of Personal Information
Section 19 of the Act provides that the FSP (‘responsible party’) must ensure the integrity and confidentiality of the personal information in its possession by putting the ‘appropriate’ and ‘reasonable’ technical and organisational measures in place to prevent the loss of, damage to, unauthorised destruction of, unlawful access to, or unlawful processing of the personal information.
Every FSP should implement very specific and realistic procedures to ensure compliance with this particular requirement. It may also be prudent to consider some form of indemnity insurance that covers this risk.
If clients’ personal information is compromised in any manner, the consequences can be serious. Clients could be severely prejudiced by, for example, identity theft or details of bank accounts being compromised and this information landing in the hands of criminals. Obviously, this would also result in reputational and financial harm for the FSP in question.
In addition, it is important to note that the Information Regulator will have to be notified of any security breach or compromise.
If the FSP outsources any part of the processing activities to a third party, then a written outsource agreement must be concluded. The outsourced party is referred to in the Act as an operator and specific requirements are laid down for these types of arrangements. The outsource agreement must be in writing and must ensure that the operator establishes and maintains the security measures required by the Act.
Outsourcing could include, for example, the storage, administration or cleaning of databases, premium collection in respect of clients of the FSP and the sending of bulk communications.
POPI provides for various offences, penalties and administrative fines for non-compliance with its provisions. Administrative fines could potentially be imposed and certain prohibited actions may constitute offences. Furthermore, a civil action for damages may be instituted against the FSP for a breach of any provision of POPI.
The POPI Act will require some adjustments to current procedures. Even though the date of commencement of the Act has not been determined, there is no doubt this will happen, sooner or later. The provisions of the Act and the Regulations will not change much – if at all. Prudent FSPs won’t wait for the Act’s commencement before beginning the implementation of the requirements – they will have begun to incorporate these requirements into normal business procedures already.
There is no dearth of cybersecurity hacks, breaches, malware (including ransomware) and, quite frankly, just plain stupidity on the part of some Internet users. As they said in Hill Street Blues – be careful out there.
Moonstone will be conducting follow-up workshops on POPI once we are satisfied that we can add value by relating facts, rather than conjecture.