• The purpose of the Protection of Personal Information Act (POPI)
• Application of the POPI Act
• Definitions of the POPI Act
• Conditions for legal processing of personal information
• Restrictions on cross border information flows
• Automated decision-making
• Exceptions
• Consequences for non-compliance

• To give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party. 

• As a result of the POPI Act, any party that collects, holds and uses a person’s personal information will have to do so under certain circumstances, such as voluntarily and by consent.

• Personal Information (PI) means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to - information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; education or the medical, financial, criminal or employment history of the person, etc.

• Processing means any operation or activity or any set of operations, or activity or set of operations, whether or not by automatic means, concerning personal information.

• Record means any recorded information - regardless of form or medium in the possession or under the control of a responsible party; whether or not it was created by a responsible party; and regardless of when it came into existence

• Electronic Communication means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient

• Consent means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

• Data subject (DS) means the person to whom personal information relates;
• Information Officer  of, or in relation to, a (a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
• Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

• Responsible Party (RP) means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
• Regulator means the Information Regulator established in terms of section 39.

• POPI establishes eight (8) conditions, which need to be met in order for the processing of personal data to be lawful.

• The responsible party must ensure compliance with the conditions for the lawful processing of personal information.

• Processing of Personal information must be lawful and in a reasonable manner that does not infringe the privacy of the data subject.
• Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
• A data subject may object, at any time, to the processing of personal information - on reasonable grounds relating to his/her or its particular situation, unless legislation provides for such processing; or for purposes of direct marketing by means of unsolicited electronic communications. 
• If a data subject has objected to the processing of personal information, the responsible party may no longer process the personal information.

• Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
• The data subject must be aware of the purpose of the collection of the information.
• Subject to certain exceptions, the records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed.
• Records no longer required or for which the responsible party is no longer authorised to retain, must be done in a manner that prevents its reconstruction.

• Any processing of personal information must be in accordance or compatible with the purpose for which it was initially collected;
• The compatibility of any further processing with the purpose of collection can be ascertained by consideration of:
  • the relationship between the purposes ;
  • the nature of the information concerned;
  • the consequences for the data subject;
  • the manner in which the information was collected; and
  • any contractual rights and obligations between the parties.
• The further processing of personal information is compatible if:
  • The data subject consents;
  • The personal information is available in public record;
  • The data subject has deliberately made the personal information public;
  • Necessary to prevent a threat to public health, public safety or the protection of life or health of other data subjects;
  • The personal information is used for historical, statistical or research purposes.

• A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
• The responsible party must have regard to the purpose for which personal information is collected or further processed.
   

• The Responsible Party must take responsible steps to notify the Data Subject of – 

1. The information that is collected.
2. The purpose for which the PI is collected
3. Whether the provision of the PI is voluntary or mandatory
4. The consequences of failure to provide PI
5. Any particular laws and/or regulations that applies

• The steps to notify the Data Subject about the collection of PI must be taken – prior to collection where the information is collected directly from the Data Subject or before collection or as soon as reasonably practical

• The RP must secure the integrity and confidentiality of PI in its possession by taking appropriate and such reasonable technical and organizational measures to prevent loss, damage, unauthorized access, unlawful access to/or processing of PI.
• The RP must take all reasonable measures to identify all reasonable foreseeable internal and external risks, as well as establish and maintain appropriate safeguards against risks.
• Regularly verify that all safeguards are being adequately implemented, ensure all are continuously updated in response to new risks or deficiencies in previously implemented safeguards.
• Where the RP has outsourced the processing of PI, in any manner whatsoever, the RP must ensure that The Operator establishes and maintains appropriate safeguards, and treats the PI confidentially. 
• The RP must in the event of security breaches, notify both the Regulator and the Data Subject.
   

• The DS has a right to request certain information from the RP, such as confirmation where the PI is being held, a description of the information being held and that the RP correct or delete irrelevant or inaccurate information.
• Where the Data Subject request PI to be amended, the RP must comply with the request or attach the amendment request to the information if it is not amended
• The Responsible Party must only refuse a Data Subject’s request for information on the basis of any of the grounds set out in the Promotion of Access to Information Act (PAIA) Chapter 4 Section 18.

• Examples of automated decision-making would be:
• Using software to create a profile of a DS , including his/her 
• performance at work
• Creditworthiness
• Reliability
• Location
• Health
• A DS may not be subjected to a decision resulting in legal consequences for, or affecting him/her to a substantial degree if the decision is based solely on automated processing.

NB – There is an exception to the principle if the automated decision has been taken in terms of an employment contract or is authorized by a law or code of conduct. As long as appropriate measures are take to protect the employee’s (Data Subject’s) legitimate interests, the automated decision making will be lawful.

1. The Regulator may on application authorize the processing of PI and such processing will not be in breach of the POPI Act.
2. There are a number of listed exceptions for specific categories of special personal information, including if the processing of PI is – 

•  In the public interest, or
•  Relates to an important economic and financial interest of a public body, or
•  Is necessary for historic, statistical or research activity.

• Fine and/or imprisonment (not exceeding 10 years)
  • Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the direction of the Regulator
  • An employer who fails to comply with an enforcement notice
  • An employer who violates any conditions of processing of an account number
     

• Fines
  • Administrative fines:
    • The Regulator may issue an infringement notice in the event of an alleged contravention of the provisions of POPI
    • The Regulator must specify the amount of the administrative fine which may not exceed ZAR 10 Million
    • The Transgressor may within 30 days of receipt of the infringement notices
      • Elect to pay the fine
      • Make instalment arrangements, or
      • Take the Regulators determination on review to the High Court 
         

• Civil damages
  • The DS may sue the transgressor for damages or may request the Regulator to sue for damages.
  • The principle of strict liability applies, meaning its not necessary for the DS or the Regulator on behalf of the DS to prove intent or negligence.
  • The amount of damages that may be awarded is punitive and far in excess of what can presently be awarded under South African law:
• The damages could include monetary or non-monetary loss
• Aggravated damages
• Interests and costs 

• To conduct an analysis on the workforce profile as required by the Employment Equity Act, 1998.
• To comply with the Public Service Act, 1994, its regulations and directives when:
   
  • Recruiting and appointing employees, contract workers and interns.
  • Allocating bursaries to our employees.
  • Managing and improving performance.
  • Managing various benefits such as pension (including the nomination of beneficiaries), housing, leave, as well as allowances such as overtime, acting in a higher post or resettlement.
  • To comply with the Compensation for Occupational Injuries and Diseases Act, 1993 when managing injuries on duty
  • To comply with the Labour Relations Act, 1995, when managing grievances.

• To control access and safeguard resources (this includes people, property, information and assets).
• To manage records required by the Public Service Act, 1994, Provincial Archives and Records Service of the Western Cape Act No. 3 of 2005, and the Minimum Information Security Standards.
• To enable the department to perform its functions as required by the Local Government: Municipal Finance Management Act, 2003 and the Public Finance Management Act, 1999.

• Assessing applications to perform remunerative work outside the public service in line with RWOPS.

• To review skills and competencies of audit committee members.

• To measure, monitor and assess Municipal SMC procedures and operations in terms of compliance to laws and regulation;
• To obtain bid documents from potential suppliers for provision of services for the department.
• To liaise and secure contracts with cell phone network providers on behalf of officials.
• To procure goods and services and to maintain and manage inventory and assets.

• To monitor and evaluate SCM and asset management compliance.
• To assess readiness and capacity of departments to implement Supply Chain Management.
• To register suppliers on the Northern Cape Central Supplier Database.

• To ensure the effective use of various financial management systems.
• To implement, manage and oversee financial systems and train users in accordance with their system profiles and issue certificates of competence.
• To use data collated by National Treasury on various financial management systems for effective management of the department’s functions.
• To building capacity in provincial departments in respect of transversal systems.
• To process employee payments and maintain employment history and personal information on the Personal and Salary Administration System (PERSAL).
• To share personnel and salary information specific to the requirement of Provincial departments (for example monthly reports, financial reports and audit reports) mainly to prevent duplication of information.