The Protection of Personal Information (POPI) Act 4 of 2013

Northern Cape Provincial Treasury (NCPT) respects and protects your privacy. Our Data Protection Declaration applies to anyone (both natural and legal persons, such as businesses and affiliates) who collects personal data, regardless of format or medium. This includes our employees, consultants, agents, service providers, and local government representatives. The privacy policy applies to all of our services and related websites.

POPI ACT CONTENT

  • The purpose of the Protection of Personal Information Act (POPI)
  • Application of the POPI Act
  • Definitions of the POPI Act
  • Conditions for legal processing of personal information
  • Restrictions on cross border information flows
  • Automated decision-making
  • Exceptions
  • Consequences for non-compliance

PURPOSE OF THE POPI ACT

  • To give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party. 

Application of the POPI Act

  • As a result of the POPI Act, any party that collects, holds and uses a person’s personal information will have to do so under certain circumstances, such as voluntarily and by consent.

Definitions of the POPI Act: Personal Information (PI)

  • Personal Information (PI) means information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person, including, but not limited to, information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; the education or the medical, financial, criminal or employment history of the person; etc.


Definitions of the POPI Act: Processing

  • Processing means any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information.

Definitions of the POPI Act: Record

  • Record means any recorded information, regardless of form or medium, in the possession or under the control of a responsible party, whether or not it was created by that responsible party, and regardless of when it came into existence.

Definitions of the POPI Act: Electronic Communication

  • Electronic Communication means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

Definitions of the POPI Act: Other Terms

  • Consent means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
  • Data subject (DS) means the person to whom personal information relates.
  • Information Officer of, or in relation to, (a) a public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
  • Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
  • Responsible Party (RP) means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
  • Regulator means the Information Regulator established in terms of section 39.

Conditions for legal processing of personal information

  • POPI establishes eight (8) conditions, which need to be met in order for the processing of personal data to be lawful.

Condition 1. Accountability

  • The responsible party must ensure compliance with the conditions for the lawful processing of personal information.

Condition 2. Processing limitation

  • Processing of personal information must be lawful and carried out in a reasonable manner that does not infringe the privacy of the data subject.
  • Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
  • A data subject may object, at any time, to the processing of personal information:
    • on reasonable grounds relating to his/her or its particular situation, unless legislation provides for such processing; or
    • for purposes of direct marketing by means of unsolicited electronic communications.
  • If a data subject has objected to the processing of personal information, the responsible party may no longer process that personal information.


Condition 3. Purpose specific

  • Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
  • The data subject must be aware of the purpose of the collection of the information.
  • Subject to certain exceptions, the records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed.
  • Records that are no longer required, or that the responsible party is no longer authorised to retain, must be destroyed or deleted in a manner that prevents their reconstruction.

Condition 4. Further processing limitation

  • Any further processing of personal information must be in accordance or compatible with the purpose for which it was initially collected.
  • The compatibility of any further processing with the purpose of collection can be ascertained by consideration of:
    • the relationship between the purposes;
    • the nature of the information concerned;
    • the consequences for the data subject;
    • the manner in which the information was collected; and
    • any contractual rights and obligations between the parties.
  • The further processing of personal information is compatible if:
    • the data subject consents;
    • the personal information is available in a public record;
    • the data subject has deliberately made the personal information public;
    • it is necessary to prevent a threat to public health or public safety, or to protect the life or health of other data subjects; or
    • the personal information is used for historical, statistical or research purposes.

Condition 5. Information quality

  • A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
  • The responsible party must have regard to the purpose for which personal information is collected or further processed.

Condition 6. Openness

  • The Responsible Party must take reasonable steps to notify the Data Subject of:
    1. the information that is collected;
    2. the purpose for which the PI is collected;
    3. whether the provision of the PI is voluntary or mandatory;
    4. the consequences of failure to provide the PI; and
    5. any particular laws and/or regulations that apply.
  • The steps to notify the Data Subject about the collection of PI must be taken before collection where the information is collected directly from the Data Subject, and otherwise before collection or as soon as reasonably practicable afterwards.

Condition 7. Security safeguards

  • The RP must secure the integrity and confidentiality of PI in its possession by taking appropriate, reasonable technical and organisational measures to prevent loss of or damage to PI, and unauthorised or unlawful access to or processing of PI.
  • The RP must take all reasonable measures to identify all reasonably foreseeable internal and external risks, and establish and maintain appropriate safeguards against those risks.
  • The RP must regularly verify that all safeguards are effectively implemented, and ensure they are continually updated in response to new risks or deficiencies in previously implemented safeguards.
  • Where the RP has outsourced the processing of PI, in any manner whatsoever, the RP must ensure that the Operator establishes and maintains appropriate safeguards and treats the PI confidentially.
  • In the event of a security breach, the RP must notify both the Regulator and the Data Subject.

Condition 8. Data subject participation

  • The DS has a right to request certain information from the RP, such as confirmation of whether the RP holds PI about the DS, a description of the PI being held, and that the RP correct or delete irrelevant or inaccurate information.
  • Where the Data Subject requests that PI be amended, the RP must comply with the request, or attach the amendment request to the information if it is not amended.
  • The Responsible Party must only refuse a Data Subject’s request for information on the basis of any of the grounds set out in the Promotion of Access to Information Act (PAIA) Chapter 4 Section 18.

Restrictions on cross border information flows

  • Cross-border transfers of PI are only permitted if there is a justification, such as:
    • the consent of the DS has been obtained for the transfer of the PI;
    • the cross-border transfer of PI is a contractual necessity;
    • binding corporate rules or an agreement provide an adequate level of protection;
    • the recipient of the data is regulated by an adequate level of data protection in the country where the data is to be received; or
    • the transfer of PI is beneficial to the DS and the DS would in all likelihood grant such consent.

NB – It is however always best practice to obtain the voluntary and informed consent of the Data Subject prior to transferring any data outside South Africa.

Automated decision making

  • Examples of automated decision-making would be using software to create a profile of a DS, including his/her:
    • performance at work;
    • creditworthiness;
    • reliability;
    • location; or
    • health.
  • A DS may not be subjected to a decision resulting in legal consequences for, or affecting him/her to a substantial degree, if the decision is based solely on automated processing.

NB – There is an exception to this principle if the automated decision has been taken in terms of an employment contract or is authorised by a law or code of conduct. As long as appropriate measures are taken to protect the employee’s (Data Subject’s) legitimate interests, the automated decision-making will be lawful.

Exceptions to POPI requirements

  1. The Regulator may, on application, authorise the processing of PI, and such processing will not be in breach of the POPI Act.
  2. There are a number of listed exceptions for specific categories of special personal information, including where the processing of PI:
     • is in the public interest;
     • relates to an important economic and financial interest of a public body; or
     • is necessary for historic, statistical or research activity.

Consequences for Non-Compliance with POPI

  • Fine and/or imprisonment (not exceeding 10 years), for:
    • any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the direction of the Regulator;
    • an employer who fails to comply with an enforcement notice; or
    • an employer who violates any conditions of processing of an account number.
  • Fines
    • Administrative fines:
      • The Regulator may issue an infringement notice in the event of an alleged contravention of the provisions of POPI.
      • The Regulator must specify the amount of the administrative fine, which may not exceed ZAR 10 Million.
      • The transgressor may, within 30 days of receipt of the infringement notice:
        • elect to pay the fine;
        • make instalment arrangements; or
        • take the Regulator’s determination on review to the High Court.
  • Civil damages
    • The DS may sue the transgressor for damages, or may request the Regulator to sue for damages on the DS’s behalf.
    • The principle of strict liability applies, meaning it is not necessary for the DS, or the Regulator on behalf of the DS, to prove intent or negligence.
    • The amount of damages that may be awarded is punitive and far in excess of what can presently be awarded under South African law. The damages could include:
      • monetary or non-monetary loss;
      • aggravated damages; and
      • interest and costs.


Human Resource Management

  • To conduct an analysis on the workforce profile as required by the Employment Equity Act, 1998.
  • To comply with the Public Service Act, 1994, its regulations and directives when:
    • recruiting and appointing employees, contract workers and interns;
    • allocating bursaries to our employees;
    • managing and improving performance; and
    • managing various benefits such as pension (including the nomination of beneficiaries), housing and leave, as well as allowances such as overtime, acting in a higher post or resettlement.
  • To comply with the Compensation for Occupational Injuries and Diseases Act, 1993, when managing injuries on duty.
  • To comply with the Labour Relations Act, 1995, when managing grievances.

Facilities, Security and Records Management

  • To control access and safeguard resources (this includes people, property, information and assets).
  • To manage records required by the Public Service Act, 1994, Provincial Archives and Records Service of the Western Cape Act No. 3 of 2005, and the Minimum Information Security Standards.
  • To enable the department to perform its functions as required by the Local Government: Municipal Finance Management Act, 2003 and the Public Finance Management Act, 1999.

Legal Service and Labour Relations

  • Assessing applications to perform remunerative work outside the public service in line with RWOPS.

Internal Audit

  • To review skills and competencies of audit committee members.

Departmental Supply Chain Management (SCM)

  • To measure, monitor and assess Municipal SCM procedures and operations in terms of compliance with laws and regulations.
  • To obtain bid documents from potential suppliers for provision of services for the department.
  • To liaise and secure contracts with cell phone network providers on behalf of officials.
  • To procure goods and services and to maintain and manage inventory and assets.

Provincial Supply Chain Management (PSCM)

  • To monitor and evaluate SCM and asset management compliance.
  • To assess readiness and capacity of departments to implement Supply Chain Management.
  • To register suppliers on the Northern Cape Central Supplier Database.

Supporting and Interlinked Financial Systems

  • To ensure the effective use of various financial management systems.
  • To implement, manage and oversee financial systems and train users in accordance with their system profiles and issue certificates of competence.
  • To use data collated by National Treasury on various financial management systems for effective management of the department’s functions.
  • To build capacity in provincial departments in respect of transversal systems.
  • To process employee payments and maintain employment history and personal information on the Personal and Salary Administration System (PERSAL).
  • To share personnel and salary information specific to the requirement of Provincial departments (for example monthly reports, financial reports and audit reports) mainly to prevent duplication of information.