POPIA

To be fully compliant with the Protection of Personal Information Act no. 4 of 2013 (POPIA), an organisation must address the 8 Principles defined within the Act. These are well-accepted attributes which are adopted throughout South Africa as the guidelines for a successful POPIA implementation.

The organisation must appoint a party (Information Officer) who will be responsible for ensuring that the information protection principles within POPIA and the controls that are in place to enforce them are complied with.

The second principle deals with the lawfulness of processing, minimality of information collected, consent, justification and objection, and the collection of personal information directly from the data subject.

The third principle provides that personal information must be collected for a specific purpose and the data subject from whom the personal information is collected must be made aware of the purpose for which the personal information was collected.

The fourth principle regulates the further processing of personal information. If a responsible party further processes personal information, such processing must be compatible with the purpose for which the information was collected in principle 3.

The fifth principle provides that the responsible party must take reasonable steps to ensure that the personal information that has been collected is complete, accurate, not misleading and up to date. In so doing, the responsible party must take into consideration the purpose for which the personal information was collected.

The sixth principle provides that the responsible party must be open about the collection of personal information by notifying the Regulator if it is going to process personal information and, if personal information is going to be collected, the responsible party must take “reasonably practicable steps” to ensure that the data subject has been made aware that his or her personal information is going to be collected. The responsible party should, for example, take reasonable steps to make the data subject aware of its name and address, and the purpose for which the personal information is being collected.

The seventh principle provides that the responsible party must ensure that the integrity of the personal information in its control is secured through technical and organisational measures.

The eighth principle provides that data subjects have the right to request that a responsible party confirm (free of charge) whether it holds personal information about the data subject, and he or she may also request a description of such information.

The following documents apply:

  • The Protection of Personal Information: Act 4 of 2013
  • POPIA Manual to Promotion of Access: Word
  • Template: Website Privacy Policy: Word
  • Template: Personal Data Policy: Word
  • Information officers registration form: PDF
  • Guidelines for information officers of congregations: Guidelines
  • Form 1: Objection to the processing of personal information: Word or PDF
  • Form 2: Request for correction or deletion of personal information or destruction or deletion of record of personal information: Word or PDF
  • Form 4: Application for the consent of a data subject for the processing of personal information for the purpose of direct marketing: Word or PDF
  • Online registrations for information officers: https://justice.gov.za/inforeg/portal.html