POPI Act Summary

POPIA regulates the “processing” of personal information in South Africa, including the processing of personal information that is entered in a record, by a private or public body that is domiciled in SA, or a private or public body that is domiciled elsewhere but uses automated or non-automated means situated in South Africa.

POPIA provides for 8 conditions for the lawful processing of personal informaton in section 4

1. Accountability

• The responsible party must ensure that the conditions and all the measures set out in the Act that give effect to such conditions, are complied with at the time of the determining of the purpose and form of the processing of personal information. (section 8)

2. Processing Limitation

• Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject. (sections 9 – 12)

3. Purpose Specification

• Personal information may only be processed for specific, explicitly defined and legitimate reasons. (sections 13 – 14)

4. Further Processing Limitation

• Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose. (section 15)

5. Information Quality

• The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary. (section 16)

6. Opennes

• The data subject whose information are being collected must be aware that you are collecting such personal information and for what purpose the information will be used. (sections 17 – 18)

7. Security Safeguards

• Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure. (sections 19 – 22)

8. Data Subject Participation

• Data subjects may request whether their personal information is being held by a particular business. They may also request the correction or amendment of their personal information or the deletion thereof from the business’ records. (section23 – 25)