The Basic Fine Points of the Protection of Personal Information Act


The Overview
The Protection of Personal Information Act 4 of 2013 (POPI Act) provides a comprehensive definition of personal information; a shorter and sweeter meaning, however, is information about a data subject that allows any other person or organization to identify the data subject. A data subject is the person or entity to whom the personal information relates. The POPI Act came into effect on the 1st of July 2020 and has a grace period of a year to ensure that everyone is compliant.

The Processing of Information of the Data Subject
In terms of the POPI Act, the data subject has the right to have his or her personal information processed in accordance with the conditions for the lawful processing of personal information. The POPI Act is the highest authority when it comes to dealing with requirements for processing personal information. Processing includes collecting and obtaining personal information, preserving and using it, and providing it to third parties.

The processing of personal information must be conducted by the responsible party. The responsible party is a public or private body that determines the purpose of and means of collecting and processing personal information. The idea of enacting legislation dealing with the protection of personal information is to give effect to the right to privacy and to ensure that personal information is obtained directly from the data subject concerned. It is not permissible to process personal information from third parties unless the data subject is unreachable.

Special Personal Information

The legislation makes provision for special personal information, which is information whose collection requires, as a prior condition, consent from the data subject. The processing of such information has to be particularly derived, as its relevance in various relationships such as business, contract or employment gives rise to controversy, as South Africa is a diverse country. The processing of information is underpinned by eight principles which are legally required for the processing of personal information.


The Protection of Personal Information Act Eight Conditions for the Lawful Processing of Personal Information
The data subject has the right to have his/her personal information processed in accordance with these conditions:
1. Accountability – This condition is to ensure that the next seven conditions are complied with. The responsible party is normally the accountable party.
2. Process Limitation – The responsible party must process personal information in accordance with the law, process relevant information, obtain consent from the data subject and process only information directly from the data subject.
3. Purpose Specification – The responsible party must specify the reason(s) for the processing of personal information. The responsible party must keep the personal information only for the period he needs the information.
4. Further Processing Limitation – If the responsible party collects personal information for a specific purpose, he/she definitely cannot collect it for something else thereafter.
5. Information Quality – The responsible party must take responsible steps to keep personal information complete, accurate and updated.
6. Openness – The responsible party must inform the data subject of the processing of personal information.
7. Data Subject Participation – Allows the data subject access to their personal information and the opportunity to correct it.
8. Security measures – Reasonable measures must be taken to secure personal information and to protect it from loss or change.


The eight conditions apply to the processing of personal information in the course of a relationship between the data subject and the responsible party. The relationship can come into being as a result of an employment relationship or a procurement relationship, among others.


The rights of data subject to be notified
The data subject must be notified that personal information about him or her is being processed. An authorised person must access the personal information of the data subject. The data subject must be provided with the responsible party’s name and address.


Personal information needs to be accessed by an authorised person

The responsible party must outline the intention of processing the personal information of a data subject, or the particular law authorising the processing of the data subject’s personal information, amongst other things. Every so often, a court order requires provision of an individual’s personal information, or the South African Police Services require it in terms of an ongoing investigation. The law enables the data subject to know when and how the personal information is going to be used.

The data subject furthermore has the right to request to see the privacy policy of any other institution to maintain the protection of the personal information. The data subject can also request from a responsible party the identity of all third parties who had access to the data subject’s personal information within a certain time.

The responsible party, as the possessor of the personal information, has the responsibility to notify the data subject in case of a security compromise, and to take measures to avoid further weakening of the security and mitigate the possible adverse effects of the security compromise. In terms of the POPI Act, the responsible party must report the identity of the unauthorized person who may have accessed or acquired the personal information of the data subject.


The right to request correction of personal information

The data subject may request the responsible party to correct or delete personal information in the responsible party’s possession that is inaccurate, irrelevant, excessive, obsolete, misleading or obtained unlawfully. The data subject can request the responsible party to destroy personal information about him/her that is no longer important to retain. The data subject may refuse the collection of his/her personal information for the purpose of direct marketing other than direct marketing by means of unsolicited electronic communications.


Consent as a requirement

The data subject must give consent for the processing of personal information necessary to carry out actions for the conclusion of a contract to which he/she is a party, for instance, a contract of employment. The employer is entitled to gather employees’ personal information that is required to manage, recruit, and terminate an employment relationship. The employer has the responsibility to protect the employees’ personal information. The information that may not be protected by the POPI Act is work information that the employees provide in their capacity as a business entity. Such information is publicly provided as part of the business process; this includes business contact and employees’ position within the business entity.


Automated Processing

In terms of the POPI Act, a data subject may not be subject to a decision which results in legal consequences for him/her and affects him/her to a substantial degree, and which is based solely on automated processing of his/her personal information intended to provide a profile of the person, including his/her performance at work, or his/her credit worthiness, reliability, location, health, personal preferences or conduct. Similarly, surveillance systems in certain places are also intrusive; the
. The systems normally require data subjects to provide their personal information has to be done away within a certain time frame, some responsible parties sell it. An entity as a responsible party will no longer be able to give out customer details to other businesses. The POPI Act gives serious enforcement powers to the . The POPI Act applies to both the Information Regulator and public bodies, as a result, the public or private body that violates the provisions of the POPI Act can be levied an administrative fee of up to R10 million and there are also provisions for criminal prosecutions.


Conclusion
The POPI Act governs the way personal information of data subjects is managed, and has consent built into it to engage with data subjects regarding the processing of their personal information. The POPI Act sets out rules that responsible parties must follow when it comes to direct marketing. The responsible party may only do direct marketing towards a data subject if that responsible party has the consent of the data subject or if that data subject is already associated with the responsible party.
The POPI Act deals with the way to process data subjects’ information and how the responsible party cannot solely provide personal information to third parties. The POPI Act also sets out guidelines and requirements that responsible parties have to follow when it comes to using and processing personal information. The Information Regulator’s task is to ensure that the responsible party complies with the law; the Information Regulator is the supervising authority. The data subject needs to notify the Information Regulator of the breach notification. The Information Regulator needs to encourage awareness and assist the data subject to protect personal information.
This article is the authors’ opinion; for legal advice, please kindly contact a Legal Practitioner.
