HR Pulse




Menu Style


Getting up close and personal with POPI

Shane Johnson


The president assented to the Protection of Personal Information Act, No 4 of 2013 (POPI) at the end of last year. However, as no date for commencement has been set, you don't have to worry about compliance issues just yet.

The POPI's primary purpose is to promote the protection of personal information that is processed by public and private bodies. Essentially, POPI has been enacted to regulate how those who process personal information must, for example, acquire and destroy information.

POPI also seeks to align South African legislation with international legislation regarding the compliance requirements for the lawful processing of personal information.

What compliance conditions are placed on organisations?

Organisations that process personal information will need to comply with eight principles to process personal information lawfully:

  • Accountability: Organisations must ensure they are accountable. That is they can demonstrate they are in compliance with the conditions for the lawful processing of information.

  • Processing limitations: Information must be processed in a reasonable manner that doesn't infringe on the natural person's right to privacy.

  • Purpose specification: This condition obliges organisations to collect information for a specific purpose that relates to the organisation's function or activity.

  • Further processing limitation: If the organisation requires the personal information to be processed further, this processing must be in compliance with the original purpose the information was collected for.

  • Information quality: The organisation must ensure that the personal information collected is complete, accurate and updated where necessary.

  • Openness: The organisation must ensure all the processing operations under their control are in compliance with the standards in s14 to 51 of the POPI Act.

  • Security safeguards: The organisation must implement appropriate security measures that will maintain the integrity and confidentiality of personal information.

  • Participation: A natural person, who provides adequate proof of identity, is entitled to request that the organisation:

    - Confirms if they hold any of his personal information,
    - Provide a record of the personal information held and information regarding the identity of any third parties who have had access to such a record.

It is clear that POPI will have significant compliance implications for the variety of organisations that process personal information - including employers. Although POPI is not in operation as yet, organisations are well advised to be proactive and ensure that their policies and procedures are in compliance with POPI.

This review process will take time and effort, and organisations shouldn't wait until POPI starts to see if they are in compliance with the act. Non-compliance with the provisions of POPI could result in significant difficulties for organisations.

Shane Johnson is a candidate attorney in the employment practice at Cliffe Dekker Hofmeyr. He joined the firm in 2013 after completing an LLB at the University of the Witwatersrand.