Beware of PoPI non-compliance

1 October 2017 Security Services & Risk Management, Integrated Solutions

The Protection of Personal Information Act (No. 4 of 2013) (or PoPI Act) is soon to be promulgated in South Africa. Jenny Reid of iFacts recently discussed the matter with Kevin McCallum of Tuckers Incorporated, who specialises in corporate legal matters.

McCallum says that the PoPI Act, although already an Act of Parliament, has not yet come in to full effect. It will only take effect once the President of South Africa signs a proclamation declaring the Act to actually be in effect. By all accounts, compliance with the Act will then be enforced 12 months after its proclamation. It is, however, worthwhile preparing for its inception right now.

Being caught short for non-compliance could have disastrous consequences, given the onerous requirements placed on the collector of personal information and the huge penalties expected to be imposed for the breach of, or non-compliance with, the Act.

A number of companies and institutions have already begun moving towards full compliance with the Act, in anticipation of it coming into effect. This is partly because compliance requires a serious shift away from the haphazard or random collection of personal information. The Act also limits the use of personal information, as this information now cannot be used for just any purpose the collector desires. This includes adequate protection of information so that it cannot be used and shared by unauthorised parties. The Act has its origins in Section 14 of the Constitution of the Republic of South Africa (Act No. 108 of 1996), which governs our rights to privacy.

The collection of personal information in respect of a person (impersonally called a ‘data subject’ in the Act) will require the consent of that particular data subject. The data subject must know and understand the precise purpose for the collection of any information, how it will be utilised, how the information is to be protected against distribution or theft by unauthorised parties, how long it will be retained, and how it will be destroyed when it is no longer required (Section 13 of the Act).

Unlawful retention, distribution, sharing or unauthorised use of personal information may result in non-compliance with the Act, which will carry onerous penalties of up to R10 million in fines, and could even result in jail sentences (in some instances of up to 10 years, depending on the seriousness of the breach or non-compliance).

Section 14 of the Act governs the length of time for which personal information is to be securely retained. Generally the information should only be retained, in a secure manner, for as long as is required to achieve the purpose for which it was collected. Subsequent to this, it should be destroyed to prevent it becoming available to unauthorised users.

As an example, an employee also has the right to challenge the correctness of the information collected, so information should be retained long enough to afford that opportunity.

The PoPI Act in its entirety is more complex than can be dealt with here and contains numerous provisions under which various categories of personal information can and/or must be retained, shared or destroyed. In addition, there are various exceptions to those provisions. Various other statutes and laws may govern the period for which various types of information must be retained and those statutes would have to be read in conjunction with the PoPI Act.

Individuals, companies and other entities who are involved in the collection of personal information are urged to read and familiarise themselves with the PoPI Act. It is advisable to take legal advice to ensure strict compliance before, even inadvertently, falling foul of its provisions and suffering the potentially huge penalties for breach of its provisions.

Ignorance of the law may not be sufficient to save you from the Act when it comes into operation.

For more information contact iFacts, +27 (0)11 609 5124, [email protected], www.ifacts.co.za



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Risk management and compliance enforcement
Security Services & Risk Management
Having a risk management and compliance programme (RMCP) is not just a procedural formality; it is a legal requirement under Section 42 of the Financial Intelligence Centre Act (FICA).

Read more...
The dangers of poor-quality solar cables
Security Services & Risk Management Smart Home Automation
Reports indicate that one in six fires attended by South African firefighters is linked to substandard solar installations, often due to faulty wiring or incompatible components.

Read more...
Growing risks for employers
Security Services & Risk Management
With South Africa’s unemployment rate exceeding 32% and expected to rise beyond 33% this year, desperation is fuelling deception in the job market. Trust is no longer a given, it is a gamble.

Read more...
Chubbsafes celebrates 190 years
Gunnebo Safe Storage Africa News & Events Security Services & Risk Management
Chubbsafes marks its 190th anniversary in 2025 and as a highlight of the anniversary celebrations it is launching the Chubbsafes 1835, a limited edition 190th-anniversary collector’s safe.

Read more...
New law enforcement request portal
News & Events Security Services & Risk Management
inDrive launches law enforcement request portal in South Africa to support safety investigations. New portal allows authorised South African law enforcement officials to securely request user data related to safety incidents.

Read more...
Continuous AML risk monitoring
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
AU10TIX, launched continuous risk monitoring as part of its advanced anti-money laundering (AML) solution, empowering businesses to detect behavioural anomalies and emerging threats as they arise.

Read more...
Smart cities and the role of video security
Surveillance Integrated Solutions
As cities around the world continue to embrace smart technology, including IoT that not only connects to people, but also the surrounding activity, the integration of advanced video security systems is crucial to ensure safety and efficiency in environments.

Read more...
Growing risks for employers
Security Services & Risk Management
With South Africa’s unemployment rate exceeding 32% and expected to rise beyond 33% this year, desperation is fuelling deception in the job market. Trust is no longer a given, it’s a gamble.

Read more...
Managing mining physical security risks
Zulu Consulting Security Services & Risk Management Mining (Industry) Facilities & Building Management
[Sponsored] Risk-IO, a web app from Zulu Consulting, is designed to assist risk managers in automating and streamlining enterprise risk management processes, ensuring no steps are skipped and everything is securely documented.

Read more...
The benefits of offsite control rooms
Astrosec Surveillance Integrated Solutions
As the security landscape grows more intricate, control rooms – the crucial hub of security operations – need to adapt. With escalating costs, mounting threats, and a heightened demand for immediate responses, many organisations are reassessing the operations of their control rooms.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.