
It’s impossible to run a business without collecting personal information (often referred to as data processing), whether it’s through contact forms, payments, or analytics. But, avoidable or not, data processing is now heavily regulated around the world, with most countries possessing their own data protection and privacy laws. This is a guide for businesses that process data in South Africa under its data protection and privacy law, the Protection of Personal Information Act (the PoPI Act). It covers everything you need to know about the act, and some actionable steps you can take to ensure you’re compliant.


What is South Africa’s Protection of Personal Information Act (The PoPI Act)?

The Protection of Personal Information Act (AKA the PoPI Act or PoPIA) is South Africa’s data protection and privacy law. It gives effect to the constitutional right to privacy in South Africa and regulates how personal information may be processed by establishing 8 conditions that set the minimum requirements for the lawful processing of personal information. Processing personal information without meeting the requirements of the PoPI Act can result in serious penalties, including fines of up to 10 million ZAR and imprisonment for up to 10 years.

Read the Protection of Personal Information Act PDF

What is personal information according to The PoPI Act?

The PoPI Act defines personal information as any information about an identifiable, living natural person and, where applicable, an identifiable, existing juristic person (a legal term for non-human entities such as corporations, companies, government agencies, etc.).

The PoPI Act also classifies some types of personal information as ‘special personal information’, which has been identified as more sensitive. The PoPI Act prohibits individuals and organizations from processing special personal information without general authorization.

Examples of personal information include:

  • Demographic information such as race, gender and marital status (Classified as special personal information)
  • Historical information such as education, medical, financial, or criminal records (Classified as special personal information)
  • Identifying numbers or symbols such as email addresses and telephone numbers
  • Biometric information (Classified as special personal information)
  • A person’s views and opinions (Classified as special personal information)
  • The views and opinions of others about a person
  • The name of the person if it appears with other personal information or if the name itself would reveal the identity of the person

What are the rights of data subjects under the PoPI Act?

As with most global data privacy laws, the PoPI Act brings into effect the privacy rights of data subjects in its jurisdiction. The PoPI Act requires data processors (referred to in the act as ‘responsible parties’) to inform their data subjects of their privacy rights and how to exercise them. If your website collects personal information, you can do this by including these rights in your privacy policy.

The right to be notified of data processing

As a data subject, you have the right to be told when someone collects your personal information and be notified if someone unauthorized has accessed your information.

The right to access your personal data

As a data subject, you have the right to ask any organization if they have your personal information and request to see what information that organization possesses about you.

The right to control your personal data

As a data subject, you have the right to ask organizations to fix, delete or destroy your information if it’s wrong or outdated.

The right to object to data processing

As a data subject, you have the right to object to your information being processed on reasonable grounds and refuse the collection of your information for the purposes of direct marketing.

The right to refuse data processing

As a data subject, you have the right to refuse unwanted data processing for the purposes of direct marketing via unsolicited electronic communications.

The right not to be subjected to automated decisions

As a data subject, you have the right to object to decisions being made about you that are made purely by computers/automated systems.

The right to submit a complaint

As a data subject, you have the right to file complaints with the Information Regulator if you believe your rights have been violated and take legal action if someone misuses your personal information.

The right to institute civil proceedings

As a data subject, you have the right to initiate legal action in court if you believe there has been interference with the protection of your personal information.

How to Lawfully process personal information under the PoPI Act

Under the PoPI Act, to lawfully process personal information, you (the responsible party) must:

  1. Meet the requirements of all 8 conditions for the lawful processing of personal information
  2. Only process personal information when you have a current use for it
  3. Never process any special personal information unless you have general authorization to do so
  4. Never process the personal information of a child under the age of 18 unless you have general authorization to do so

What are the PoPI Act’s 8 conditions?

The POPI Act requires individuals and organizations processing personal information to meet 8 conditions for the lawful processing of personal information, referred to in the act as:

  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security safeguards
  8. Data subject participation

How to comply with each of the PoPI Act’s 8 conditions

Condition 1: Accountability

Condition 1 requires the responsible party (the person or entity who determines the purpose and means of processing personal information) to ensure that all conditions for the lawful processing of personal information are met, prior to collecting personal information.

Note: For organizations, the responsible party is usually the organization itself. This means that it is the responsibility of the organization to ensure compliance with the PoPI Act throughout all stages of data processing. It’s therefore the organization that will be held responsible if data is processed unlawfully, not the person in charge of compliance (the information officer) or the poor marketer that looks after the analytics account (the operator).

How to meet the requirements of condition 1: Accountability

To meet the requirements of condition 1: accountability, make sure that someone is responsible for ensuring your organization’s data processing practices are lawful at every stage of data processing.

To do this:

  1. Appoint yourself, or another member of your team, as the Information Officer who can take charge of your organization’s compliance
  2. Register your information officer with the Information Regulator
  3. Ensure that your appointed information officer understands each of the 8 conditions of the act

Condition 2: Processing limitation

Condition 2, processing limitation, prevents the excessive processing of personal information. It requires individuals and organizations to only process personal information if:

  • It can be done lawfully without infringing on the privacy rights of the data subject
  • There is a clear purpose for doing so.
  • They have consent, can provide a clear justification for doing so, and have enabled the data subject to object to their data being processed.

How to meet the requirements of condition 2: Processing limitation

To meet the requirements of condition 2, processing limitation, follow these 3 steps.

  1. Ensure that your forms, analytics software, and other data collection points collect only necessary information that you currently have use for.
  2. Obtain consent from individuals before processing their data.
  3. Provide your data subjects with a way to object to processing if they wish.

The easiest way to obtain consent is with a Consent Management Platform (CMP). Our CMP includes a cookie banner generator that can be configured to block data collection until users have provided consent, ensuring you are compliance ready for the PoPI Act.

Condition 3: Purpose specification

Condition 3, purpose specification, requires data processors to only collect personal information if they can define a specific and lawful purpose for doing so, and to ensure that their data subjects are aware of these purposes. It also requires anyone processing personal information to specify how long personal information is stored and to remove personal information when it is no longer necessary.

How to meet the requirements of condition 3: Purpose Specification

To meet the compliance requirements of Condition 3: Purpose specification, you’ll need:

  1. A privacy policy that clearly explains what personal information you are collecting, your purpose for collecting it, and how long you keep any personal information you collect.
  2. A process for deleting or de-identifying personal information once it is no longer needed or a data subject requests it.

You can easily create a privacy policy with our Privacy Policy Generator. It comes with all of the necessary clauses you’ll need for the PoPI Act.

Condition 4: Further processing limitation

Condition 4, further processing limitation, requires businesses to ensure that if personal information is used more than once, each further purpose aligns with the original purpose of collection, and to gain further consent if this is not the case.

How to meet the requirements of condition 4: Further processing limitation

To meet the requirements of condition 4, further processing limitation, simply make sure you don’t use data for purposes unrelated to the original reason you collected it, and find a way to gain consent if you wish to use collected data for a new purpose.

E.g. if a customer provides their contact details for the purpose of answering a question, you are prohibited from also using that information to sign them up to your newsletter without gaining additional consent. If your goal is to grow your mailing list, create a separate newsletter signup form, or add a checkbox to your contact forms allowing your users to opt in to marketing and offers.

Condition 5: Information quality

The PoPI Act’s 5th condition, information quality, requires personal information to be complete, accurate, not misleading and updated when needed, based on the purpose it was collected for. This prevents decisions being made about individuals based on incorrect or outdated information, which could unfairly impact their rights or interests.

How to meet the requirements of condition 5: Information Quality

To meet the requirements of condition 5, information quality, you’ll need to ensure that your business keeps up-to-date records of any person you’ve collected personal information from. You can do this by:

  • Verifying information is accurate when collecting it, e.g. add a review step to each of your website’s forms
  • Updating records when notified of changes, e.g. if your website allows users to edit their personal information, make sure you integrate this system with your other internal databases
  • Implementing processes to check data quality regularly, e.g. send out a yearly reminder for your customers to review their personal information

Condition 6: Openness

Condition 6: Openness requires any person that processes personal information to document all processing activities and notify their data subjects about what information is being collected, why, and their rights regarding that information.

How to meet the requirements of condition 6: openness

All of the requirements of condition 6: Openness, can be met with a well written privacy policy.

Just make sure your privacy policy explains:

  1. What types of personal information are collected (e.g. name, address, payment details)
  2. When personal information is collected (e.g. when they submit a contact form)
  3. The purpose of collecting personal information (e.g. so you can respond to their inquiry)
  4. The privacy rights of data subjects.

You can create a PoPI Act ready privacy policy in under 5 minutes with our Privacy Policy Generator, or read our blog on how to make a privacy policy yourself.

Condition 7: Security safeguards

Condition 7, security safeguards, requires data processors to take reasonable measures to secure the integrity and confidentiality of the personal information they collect. This means:

  • Keeping all processed personal information confidential.
  • Protecting collected personal information from unauthorized access, loss, damage or destruction.
  • Implementing security measures and, if a third party processes personal information on their behalf, ensuring that the third party also implements these security measures.
  • Notifying both the regulator and data subjects the moment a compromise is detected.

How to meet requirements of condition 7: Security safeguards

To meet the requirements of condition 7: Security safeguards, you’ll need to perform a risk assessment and take measures to ensure that no unauthorized personnel can access your database of personal information.

You can start by taking some steps to protect your database:

  1. Implement password protection and 2FA for all company devices
  2. Encrypt client files
  3. Remove old contact forms from your website’s content management system and store backups on a password protected hard drive in your office
  4. Restrict data access to authorized staff only
  5. Create a procedure to report any data breaches

You’ll also need to clearly explain within your privacy policy how you protect personal information, and your process in the event of a breach. We recommend including a disclaimer, as no system is perfect and breaches do happen.

Condition 8: Data subject participation

Condition 8, data subject participation, requires data processors to grant data subjects their individual rights to access their personal information, request corrections or deletions, and know who has access to their information.

How to meet the requirements of Condition 8: Data subject participation

To meet the requirements of Condition 8, data subject participation, you’ll need a process for enabling users to request access to, update or delete their personal information, and you must ensure that you’re able to respond within a reasonable time frame.

To do this, we suggest that you add the following information to your privacy policy:

  1. The contact details of your information officer
  2. Instructions for contacting you in regards to accessing, updating or removing personal information.
  3. A section stating the rights of data subjects
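The processes called for under conditions 3 (delete or de-identify personal information once its retention period ends), 5 (correct records when notified) and 8 (answer access, correction and deletion requests) can be implemented over a simple per-purpose record store. The following is an added example written for this guide, not code from the original page or from any product it mentions; the record layout, the retention periods in `RETENTION_DAYS` and the de-identification rule are assumptions made for illustration, not figures the PoPI Act prescribes. Records are keyed by purpose, so a request can be answered or a deletion applied for one purpose without touching data held for another.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed retention periods per purpose, in days. Illustration only: the
# PoPI Act does not fix these numbers; set them per purpose and state them in
# your privacy policy (condition 3).
RETENTION_DAYS = {"support_enquiry": 90, "newsletter": 365, "order": 1825}


@dataclass(frozen=True)
class Record:
    subject_id: str          # e.g. an e-mail address or customer number
    purpose: str             # the specific purpose stated at collection
    collected_at: datetime   # timezone-aware UTC timestamp
    fields: dict             # the personal information held for this purpose


def is_expired(rec: Record, now: datetime) -> bool:
    """True once the purpose's retention period has elapsed (condition 3)."""
    return now >= rec.collected_at + timedelta(days=RETENTION_DAYS[rec.purpose])


def de_identify(rec: Record) -> dict:
    """Keep only aggregate facts that cannot reasonably be re-linked to the
    person: the purpose and the month of collection. The identifier and the
    personal fields are dropped outright rather than hashed, since a hash of
    an e-mail address can still be re-linked by anyone who knows the address."""
    return {"purpose": rec.purpose, "month": rec.collected_at.strftime("%Y-%m")}


def purge_expired(records, now):
    """Split records into (still within retention, de-identified remnants)."""
    kept, remnants = [], []
    for rec in records:
        if is_expired(rec, now):
            remnants.append(de_identify(rec))
        else:
            kept.append(rec)
    return kept, remnants


def subject_access(records, subject_id):
    """Condition 8: everything held about one person, with purpose and date,
    so the response itself documents why each item is held."""
    return [
        {"purpose": r.purpose,
         "collected_at": r.collected_at.isoformat(),
         "fields": dict(r.fields)}
        for r in records if r.subject_id == subject_id
    ]


def subject_correct(records, subject_id, purpose, corrections):
    """Conditions 5 and 8: apply a correction to the record held for one
    purpose. Only fields already held may be corrected; unknown keys are
    rejected so a correction request cannot be used to add data that was
    never collected for that purpose."""
    updated = []
    for r in records:
        if r.subject_id == subject_id and r.purpose == purpose:
            unknown = set(corrections) - set(r.fields)
            if unknown:
                raise ValueError(f"fields never collected: {sorted(unknown)}")
            r = replace(r, fields={**r.fields, **corrections})
        updated.append(r)
    return updated


def subject_delete(records, subject_id, purpose=None):
    """Condition 8: delete what is held about one person, either everything
    or only the data held for a single purpose."""
    return [r for r in records
            if not (r.subject_id == subject_id
                    and (purpose is None or r.purpose == purpose))]


# Constructed sample data for the demonstration (not real records).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("alice@example.com", "support_enquiry", NOW - timedelta(days=120),
           {"name": "Alice", "email": "alice@example.com",
            "question": "Where is my order?"}),
    Record("alice@example.com", "order", NOW - timedelta(days=10),
           {"name": "Alice", "address": "1 Example St"}),
    Record("bob@example.com", "newsletter", NOW - timedelta(days=30),
           {"email": "bob@example.com"}),
]


def demo():
    """Run the retention sweep, then a correction, an access request and a
    deletion request against the sample store."""
    kept, remnants = purge_expired(SAMPLE, NOW)
    kept = subject_correct(kept, "alice@example.com", "order",
                           {"address": "2 Example Ave"})
    access = subject_access(kept, "alice@example.com")
    after_delete = subject_delete(kept, "bob@example.com")
    return kept, remnants, access, after_delete


if __name__ == "__main__":
    for label, value in zip(("kept", "remnants", "access", "after_delete"),
                            demo()):
        print(label, value)
```

In the sample run the 120-day-old support enquiry is past its assumed 90-day retention and survives only as an anonymous count of enquiries per month, the address correction is applied only to the order record, and deleting Bob’s newsletter data leaves Alice’s records untouched. The purge is meant to be scheduled rather than run by hand, and the access response is the kind of structured answer you can return within the “reasonable time frame” the condition requires.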

Processing ‘special personal information’

The PoPI Act defines special personal information as any personal information that is considered more sensitive and therefore requires stricter protection. The PoPI Act prohibits the collection of special personal information without general authorization.

Special personal information includes personal information relating to:

  • Religious or philosophical beliefs
  • Race or ethnic origin
  • Trade union membership
  • Political opinions
  • Health or sex life
  • Biometric information (e.g., fingerprints, retinal patterns)
  • Criminal behavior or records related to alleged offenses

How to get ‘general authorization’ to process special personal information

Processing special personal information is generally prohibited unless you have general authorization, which means you have met one of the following conditions:

  • You’ve obtained the data subject’s explicit consent for processing their special personal information.
  • You have legal justification, i.e. the processing is necessary for obligations under law, protecting a legitimate interest, or fulfilling public law duties.
  • You have specific authorizations e.g.
    • Processing health-related data may be allowed for medical purposes with appropriate safeguards.
    • Biometric data may be processed if necessary for security purposes.
  • You have approval from South Africa’s Information Regulator

Processing the personal information of children

Under the Protection of Personal Information Act (The PoPI Act) in South Africa, the personal information of children is defined as any information relating to a child (a natural person under the age of 18 years). The PoPI Act explicitly prohibits the processing of children’s personal information without general authorization.

How to obtain general authorization to process children’s personal information under the PoPI Act

To process a child’s personal information legally under The PoPI Act you’ll need general authorization, which means:

  1. You have explicit consent from a competent person (e.g., parent or legal guardian) to process their child’s personal information.
  2. You’ve been given general authorization from South Africa’s Information Regulator. This requires that you show them that:
    • The processing is in the best interests of the child.
    • The purpose of processing aligns with lawful and legitimate objectives.
  3. It is required by law, necessary for public interest, or related to legal proceedings

Are there exemptions for the PoPI Act’s conditions?

Yes, there are! While in most cases anyone processing personal information will need to meet all 8 conditions of the PoPI Act, there are some situations that are exempt.

  1. When data is collected for personal / household activities like private address books
  2. When the information is de-identified so it cannot reasonably be re-linked to individuals.
  3. When the data is processed by public bodies for the purpose of:
    • National security / defense
    • Crime prevention/detection
    • Prosecution of offenders
    • Cabinet/Executive Council activities
  4. When data is processed for judicial functions such as court-related processing activities
  5. When data is processed for journalistic, literary, or artistic purposes in the public interest, but only if freedom of expression outweighs privacy concerns

Legal Definitions

Responsible Party

A responsible party is any organization or person who decides why and how personal information will be collected and used, either on their own or together with others.

Juristic Person

A juristic person is a non-human entity that has legal rights and duties, like a company or organization; for example, a corporation can own property or enter into contracts.

Data Subject

A data subject is any person whose personal information is being collected, stored, or used by an organization or individual.

Biometric Information

Biometric information is physical or behavioral characteristics that can identify someone, such as fingerprints, facial features, voice patterns, or DNA.

Information Regulator

The information regulator is the government body responsible for enforcing data protection laws and handling privacy-related complaints in South Africa.

Information officer

An information officer is the person responsible for encouraging compliance with the conditions for lawful processing of personal information within an organization. For public bodies, the default information officer is the head of the public body. For private bodies the default information officer is the head of the organization or CEO.

Data Processing

Data processing is any action performed with personal data, including collecting, storing, using, sharing, or deleting it.

Privacy Policy

A privacy policy is a document explaining how an organization collects, uses, protects, and handles personal information from its users or customers.


Data Breach

A data breach occurs when personal or confidential information is accidentally or deliberately accessed, shared, or stolen by unauthorized people.

Consent

Consent, in the context of data privacy, is any voluntary, specific and informed expression of will permitting the processing of personal information.

Encryption

Encryption is a security method that scrambles information into a code to protect it from unauthorized access.

De-identification

De-identification is the process of removing or changing personal information so that it can no longer be used to identify someone.

Operator

An operator is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.