Jane is very concerned about her ex-boyfriend Jason finding her new address and cell phone number on the internet. She left him because of his obsessive control over her, and fears that he may be dangerous to her. Jane approached an attorney to obtain advice on whether her personal details are safe as she has heard a lot about the Protection of Personal Information Act (“POPI”) and hopes that this Act will give her some protection as well.
The Protection of Personal Information Act, 4 of 2013 (POPI), which came into effect on 1 July 2020, seemed like the answer to many South African citizens’ prayers. According to its preamble, the Act seeks to:
“Promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.”
Section 5 of POPI provides for certain rights of data subjects. The term “data subjects” is not defined by the Act, and it is therefore assumed that it is a term used to describe any person whose personal data is disclosed. Section 5 provides rights as follows:
“5) A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information…, including the right-
(a) to be notified that-
(i) personal information about [her] is being collected …or
(ii) [her] personal information has been accessed or acquired by an unauthorised person…;
(b) to establish whether a responsible party holds personal information of that data subject and to request access to [her] personal information…;
(c) to request, where necessary, the correction, destruction or deletion of [her] personal information…;
(d) to object, on reasonable grounds relating to [her] particular situation to the processing of [her] personal information…;
(e) to object to the processing of [her] personal information-
(i) at any time for purposes of direct marketing…;
(f) not to have [her] personal information processed for purposes of direct marketing by means of unsolicited electronic communications…;
(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of [her] personal information intended to provide a profile of such person…;
(h) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator…; and
(i) to institute civil proceedings regarding the alleged interference with the protection of [her] personal information…”
In very broad terms, the Act provides that Jane’s information, once submitted to any entity for a specific reason, may not be distributed freely and without her consent. Therefore, in principle, Jane should not worry that, if she gives her address to her new employer, for example, her ex-boyfriend will obtain such information.
This, of course, is how it should work, but we know by now that things tend to go wrong at times.
A little over a month after the POPI Act came into effect, news broke of a huge data leak by the large consumer reporting agency Experian. According to reports, millions of data subjects were affected in that their personal data was obtained by an unauthorised third-party fraudster.
Where does this leave the data subject?
Section 22 of the POPI Act provides for circumstances in which protected personal data has been accessed or acquired by any unauthorised person or party. The section provides that, where there are reasonable grounds to believe that there has been such a breach, the responsible party must notify both the regulator and the data subject of the breach.
Such notification must be made as soon as reasonably possible after discovery of the breach, and must be done in writing: by post, by email, by placement in a prominent position on the website of the responsible party, by publication in the news, or in a manner as directed by the regulator. The notice must further describe the possible consequences of the breach, the measures taken or intended by the responsible party, a recommendation of measures that the data subject should take to mitigate damage and, if known, the identity of the unauthorised person or entity that may have gained knowledge of the personal data.
What are the consequences of such a breach for both the entity holding such information and the person or entity unlawfully obtaining same?
Section 74 of the POPI Act provides that any person may submit a complaint to the regulator alleging interference with the protection of personal information of a data subject. The regulator must in terms of Section 76 advise the complainant as soon as reasonably practical of the outcome of such complaint.
The data subject may, on consideration of the outcome, institute civil proceedings against the perpetrator. The Act further lists certain offences and the penalties that shall be imposed on the perpetrators. The penalties associated with violation of certain provisions of the POPI Act are either fines as determined by the regulator, or even imprisonment in certain circumstances.
Jane was quite right in obtaining advice regarding the POPI Act, as its workings will surely change the way in which personal data is handled quite substantially. If you require any advice or assistance regarding the use of your personal information or you are a company requiring advice on adherence to the POPI Act, please do not hesitate to give our offices a call to obtain advice in this regard.