POPI Act: Under the magnifying glass
Michelle Orsmond, Attorney, Notary Public & Conveyancer at Hammond Pole Attorneys shares valuable insight on the what the POPIA Act is all about, the importance of compliance and the fact that consent is not always necessary.
What is POPI and when did it start?
The Protection of Personal Information Act 4 of 2013 (POPIA) forms part of South Africa’s Privacy Data law and its purpose is to protect Personal Information together with the requirements for the processing of Personal Information.
The POPI Act gives effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justiﬁable limitations.
The justifiable limitations under the Act include:
- balancing the right to privacy against other rights, particularly the right of access to information; and
- protecting important interests, including the free ﬂow of information within the Republic and across international borders.
The President proclaimed 1 July 2020 to be the start date. South Africans were afforded a grace period of one year which started running from the commencement date. Now that it has commenced, you must ensure that you comply with the POPI Act as the Information Regulator, which is an officer appointed in terms of the Act, will start enforcing the regulations of POPI Act one year after the commencement date, which due date is 1 July 2021.
What is POPI’s Purpose and why is it Important to comply?
The purpose of POPI is to protect personal information of individuals in a manner that is controlled and secured. The POPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way.
The POPI Act is important as it gives companies the ability to:
- Gain the trust of their clients by reassuring them that the personal information received is dealt with in accordance with prescribed legislation;
- Allow for transparency within business management by auditing their own procedures, documents and ensuring that when personal information is collected, stored and processed that same is done within the ambit of the POPI Act; and
At Hammond Pole we believe in creating a firm sense of security protection around the company, by incorporating it in the day-to-day process of staff members and ensuring that there is no risk of data being breached.
Is Consent necessary?
The POPI Act is applicable to any person, business or entity that processes, stores and collects personal information of data subjects. This includes, for example Companies, non-profit companies, hospitals and medical practitioners, insurers, attorneys, estate agents, government departments, state owned companies and municipalities.
The POPI Act sets out 8 Conditions for Lawful processing1 and how data must be legally gathered and processed, more particularly Processing Limitation which one of the justification Grounds include obtaining consent from a data subject to process, store or collect information about a particular data subject. Section 11 of the Act2, provides that personal information may only be processed if:
- the data subject or a competent person where the data subject is a child consents to the processing;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- processing complies with an obligation imposed by law on the responsible party;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
In a recent High Court Judgement Divine Inspiration 205 (Pty) Limited v Gordon and Others3, The applicants sought an order for the disclosure of the 1st Respondents being Gordon, medical records from her medical practitioners. The medical records were required for the purpose of an action wherein Gordon was suing Divine Inspiration being the applicant for damages of between R500 000.00 and R7-million plus as a result of injuries she sustained in an incident when she visited Divine Inspirations premises.
Gordon’s medical practitioners refused to provide the medical records to the applicants, despite having received a subpoena, on the basis that the National Health Act, 2003 directs that records cannot be disclosed without Gordon’s consent.
Gordon opposed the application for the release of the records on the grounds that the discovery thereof would impinge on her right to dignity and privacy and that the disclosure of these documents would impinge on her rights under POPI. Section 11 of the POPI Act came into consideration by the parties and the court.
The court rejected Gordon’s argument that the release of her medical records would infringe on her rights and based its judgment on Section 11(c) and (f). The court found that Gordon’s medical practitioners are responsible parties and an obligation to deliver the medical records had been imposed on them by law by virtue of them having received the subpoenas.
The court went on to cite section 15(3)(c)(iii) of POPIA which provides that the further processing of personal information once it has been collected is allowed if it is necessary for the conduct of proceedings in any court.
The POPI Act has created a huge hype amongst South Africans, instilling fear in that if consent is not given one cannot obtain access to information regarding another data subject. But this is not true.
POPI should be dealt with on a case by case scenario and special attention must be given to the type of scenario in which information is required. One thing though that should be consistent is respecting another individual’s right to privacy and how information is dealt with.
With the POPI Act deadline looming around the corner, we will see a huge change in the way how individuals consent to information, how businesses will conduct marketing going forward and alternative mechanisms to obtain disclosure of information, will start to feature.
There are many grey areas surrounding the POPI Act, however embracing change should not be feared but rather encouraged.
1 The Protection of Personal Information Act 4 of 2013, Chapter 3 Conditions For Lawful Processing
2 The Protection of Personal Information Act 4 of 2013, Section 11 Consent, Justification and Objection
3 Divine Inspiration Trading 205 (Pty) Ltd v Gordon and Others (22455/2019)  ZAWCHC 38 (3 March 2021)
For more assistance on this and other topics, please email firstname.lastname@example.org or contact our office on 011 874 1800.