The Protection of Personal Information bill (POPI) is nearing the end of its passage through the legislative process.   Once enacted it will afford considerable protection and impose serious punishments for abuse.   It will also ensure consistency with measures adopted by the European Union.   It is recommended that anyone having an audit done to ensure compliance with POPI engages the services of a practising attorney to ensure all communications and reports are protected by confidentiality and legal privilege.

The article SA finally poised to get laws on data protection was first published in Business Day and BDlive today and was written by Dario Milo, a partner, and Greg Palmer, an associate at Webber Wentzel (where I did my articles from 1964 to 1966).

Courtesy of Business Day here are some random extracts but the entire article can be read by clicking on the links.

THE landscape of the right to information privacy in SA is about to change drastically.   The Protection of Personal Information Bill was approved by Parliament’s portfolio committee on justice and constitutional development last week and was passed by the National Assembly on Tuesday.   It will radically change the way in which private and public institutions deal with citizens’ personal information.

An open-ended definition of “personal information” is contained in the bill.   The definition includes information relating to individuals and companies and provides a detailed list of examples.   A person’s race, age, sexual orientation, marital status, correspondence and identifying symbols are all included as types of personal information that are protected.   Even the “views or opinions of another individual about the person” are included.

The bill subjects the processing of what it terms “special personal information” to more stringent conditions than those of “personal information”.   The former includes religious or philosophical beliefs, race or ethnic origin, trade-union membership, political persuasion, health or sex-life or biometric information.

The eight data-protection conditions that inform the “conditions for lawful processing of personal information” lie at the heart of the bill:

  • accountability;
  • specification of the purpose of processing;
  • limitation on processing (including the general rule of obtaining the data subject’s consent);
  • limitation on further processing;
  • information quality;
  • openness;
  • security safeguards; and
  • data-subject participation.

These conditions ensure that the “data subject” is aware and in control of the processing, that the processing is limited to the extent necessary, without unjustifiably infringing on the privacy of the individual, and that it is subject to secure processes.

The bill’s independent supervisory authority, the information regulator, is afforded significant powers.   The bill proposes that the regulator has the power to authorise a specific breach of the processing of personal information and issue enforcement notices which, in the case of noncompliance, carry the penalty of a criminal offence.   It also has substantial powers to conduct search and seizure operations, subject to obtaining of a warrant from a judge or magistrate, even in certain circumstances without notice to the parties concerned.

The bill imposes criminal penalties for offences that include the unlawful obstruction, interference with or influence of the regulator, the failure to assist a person who is executing a warrant in accordance with a search and seizure operation, and the failure to comply with an enforcement notice.