WHAT IS POPI?
The Protection of Personal Information Act No.4 of 2013 (POPI) is South Africa’s legislation for the protection of individuals’ personal information against unethical use. The preamble to the Act states the intention is to:
“Regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.”
Since its passing into law, the Government has taken an incremental approach to the commencement of different sections of the Act. In terms of a proclamation issued by the President, sections 110 and 114(4) of the Act commenced on 30 June 2020 and the remainder of the Act’s sections commenced on 1 July 2020.
The commencement date denoted the start of a one-year grace period for businesses to ensure that they fully comply with POPI, which in turn ended on 1 July 2021.
The purpose behind POPI can therefore be seen as the promotion of the constitutional right to privacy by ensuring that responsible parties and operators process personal information lawfully and with respect for the rights of data subjects.
RESPONSIBLE PARTIES AND OPERATORS
The responsible party in respect of POPI is the public or private body or any other person who determines the purpose of and means for processing information.
An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Putting this into context, you, the client, are the responsible party for your employees’ (data subjects’) personal information. Domestic Pay acts as an operator for your benefit, processing your employees’ information to assist you in your payroll obligation. This is relevant because a party’s role determines their rights, obligations, and liabilities.
LAWFUL PROCESSING OF PERSONAL INFORMATION
Personal information is information which can be used to identify a data subject – a definitive list can be found in Section 1 of the Act. The data subject is the person to whom the personal information relates and can be either a natural or juristic person. Almost any way that a company interacts with the personal information of a data subject constitutes processing – a definitive list is once again available in Section 1 of the Act.
Under POPI there are eight principles for the lawful processing of information, aimed at striking a balance between the necessary processing of data for business purposes and protecting the rights of individuals. These are:
1. Accountability
2. Processing Limitation
3. Purpose Specification
4. Further Processing Limitations
5. Information Quality
6. Openness
7. Security Safeguards
8. Data Subject Participation
More detailed information on each of these principles is provided in Chapter 3 of POPI.
Whose legal responsibility it is to ensure compliance with POPI depends on the relationship between the data subject and the organisation doing the processing.
RIGHTS OF DATA SUBJECTS
Under POPI, data subject rights include the right to access what information of theirs is held, the right to correct information, the right to be notified of the collection and the purpose of the collection, the right to object to the processing of their information and, in certain circumstances, the right to erasure.
In the case of an alleged infringement of a data subject’s rights, any person has the right to lodge a formal complaint with the Regulator. Under section 74, complaints can be made to the Information Regulator by completing and submitting the relevant form found on their website.
POPI AND DOMESTIC PAY
Domestic Pay has always been committed to the strictest levels of data protection and privacy. We treat the personal information of your company and employees with the utmost circumspection and respect for the rights of data subjects. More detailed information on how we do this can be found in our Privacy Policy and Security Statement.
Privacy and data protection are cornerstones of the culture at Domestic Pay, and, as such, we have for some time been largely compliant with the obligations that are now statutorily imposed by being an operator under POPI.
These obligations have been codified within POPI as follows:
• Processing – Only process information with the authorisation of the responsible party.
• Confidentiality – Treat personal information which comes to their knowledge as confidential.
• Security – Put in place technical and organisational measures to ensure that the confidentiality and integrity of personal information are protected, and immediately notify the responsible party where there are reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorised person.
The personal information provided to Domestic Pay by you includes information such as data subjects’ names, dates of birth, nationality, gender, physical address, email address and bank details. On signup and to make use of Domestic Pay, you are required to agree to our Terms of Service. These contain a clause consenting to the lawful collection and processing of personal information.
As was the case before POPI, Domestic Pay will continue to make reasonable efforts to assist you in the provision of personal information in line with your obligations to your employees’ (data subjects’) rights under POPI, as laid out in sections 23 to 25 of the Act.
As well as complying with the principles of lawful processing, which for Domestic Pay includes meeting the three obligations covered above, the following are relevant:
• Appointment and registration of a company Information Officer – Domestic Pay has completed the registration of our Information Officer and Deputy Information Officer.
• Processing of Special Personal Information – processing of certain data, such as race and philosophical beliefs, is prohibited except in certain circumstances, including where such processing is necessary to meet legal obligations. Under this exception, Domestic Pay is allowed to process special personal information with your (and by extension your employees’) consent.