The Protection of Private Information Act (POPIA) – first gazetted in 2013 and eventually signed into law by President Cyril Ramaphosa on 1 July this year – is a long overdue piece of legislation.
While organisations have until 20 June next year to comply fully with all aspects of the Act, awareness of exactly what the legislation is designed to achieve has been around for long enough that there is no excuse for not adhering to it strictly.
Designed to give full effect to the right to privacy for all individuals as enshrined in the Constitution that launched South Africa’s hard-fought freedom 26 years ago, POPIA promotes transparency with regard to what information is collected and how it is used or processed by those who indulge in so-called “database management”.
Compliance involves capturing the minimum required data for a specific and stated legal purpose, ensuring accuracy, and the deletion of all personal information when its retention can no longer be legally justified.
Even more critically, the Act provides for the right of the individual (the so-called “data subject”) to be given access on demand to the information held about them, to check it for accuracy, and to approve its use.
Taken together, these compliance measures – which include the responsibility to take reasonable steps to protect and safeguard the data – should improve the overall efficiency and reliability of any and all databases used by companies in the running and management of their operations.
Theoretically, at least, less data also means less primary storage, reduced backup and archiving capacities and, therefore, less cost. Focused management of personal information held in any database also suggests a minimised risk in the event of a breach as it seems fairly obvious that the safest data is that which is deleted and not unnecessarily stored in the first place.
Non-compliance with the Act could result in a penalty or a fine and/or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and/or imprisonment of up to 10 years. The Act provides for the Information Regulator to issue “administrative fines” not exceeding R10-million.
Unlike many other pieces of contemplated legislation designed to govern the flow or management of information or data in the digital age, POPIA does not incorporate sinister aspects such as clauses intended to censor or limit freedom of expression or the right to know.
The transfer of the right to protection of an individual’s privacy from a dictatorial state entity such as ICASA, or even a cabinet minister, directly to the person concerned must be applauded and supported by all involved in the management of personal information.
It’s a piece of legislation that appears to support the basics in a very understandable and logical approach. It lacks, for example, many of the negative and frightening characteristics that are encompassed in other legislative attempts underway in countries throughout the world to control negative aspects of social media.
It avoids any perception of trying to combat conspiracy theories such as using personal information for foreign espionage purposes in order to undermine state security, or some other grand scheme that only our good friend Donald “AI” Trump would come up with if he had anything to do with the POPIA exercise.
To a large extent, the enforcement of POPIA over the next 12 months should see a fairly noticeable reduction in the incidence of spam and in the overload of unsolicited email and SMS messages that make their way into our daily lives.
Although the ubiquitous “unsubscribe” or “opt out” clause has been a compulsory component of every mass marketing message sent out for several years now and is generally honoured, a company that ignores such a request could find itself in big trouble.
But, beware. It’s almost inevitable that, as momentum gathers and companies get down to cleaning up their databases to ensure compliance, there will be those who exploit the situation.
It’s almost guaranteed that phishing – the fraudulent attempt to obtain sensitive information or data, typically carried out by email, instant messaging, and text messaging – will be used under the pretext of “cleaning up” records and will increase dramatically over the next 12 months.
Watch this space …