Beware of PoPI non-compliance

1 October 2017 Security Services & Risk Management, Integrated Solutions

The Protection of Personal Information Act (No. 4 of 2013) (or PoPI Act) is soon to be promulgated in South Africa. Jenny Reid of iFacts recently discussed the matter with Kevin McCallum of Tuckers Incorporated, who specialises in corporate legal matters.

McCallum says that the PoPI Act, although already an Act of Parliament, has not yet come in to full effect. It will only take effect once the President of South Africa signs a proclamation declaring the Act to actually be in effect. By all accounts, compliance with the Act will then be enforced 12 months after its proclamation. It is, however, worthwhile preparing for its inception right now.

Being caught short for non-compliance could have disastrous consequences, given the onerous requirements placed on the collector of personal information and the huge penalties expected to be imposed for the breach of, or non-compliance with, the Act.

A number of companies and institutions have already begun moving towards full compliance with the Act, in anticipation of it coming into effect. This is partly because compliance requires a serious shift away from the haphazard or random collection of personal information. The Act also limits the use of personal information, as this information now cannot be used for just any purpose the collector desires. This includes adequate protection of information so that it cannot be used and shared by unauthorised parties. The Act has its origins in Section 14 of the Constitution of the Republic of South Africa (Act No. 108 of 1996), which governs our rights to privacy.

The collection of personal information in respect of a person (impersonally called a ‘data subject’ in the Act) will require the consent of that particular data subject. The data subject must know and understand the precise purpose for the collection of any information, how it will be utilised, how the information is to be protected against distribution or theft by unauthorised parties, how long it will be retained, and how it will be destroyed when it is no longer required (Section 13 of the Act).

Unlawful retention, distribution, sharing or unauthorised use of personal information may result in non-compliance with the Act, which will carry onerous penalties of up to R10 million in fines, and could even result in jail sentences (in some instances of up to 10 years, depending on the seriousness of the breach or non-compliance).

Section 14 of the Act governs the length of time for which personal information is to be securely retained. Generally the information should only be retained, in a secure manner, for as long as is required to achieve the purpose for which it was collected. Subsequent to this, it should be destroyed to prevent it becoming available to unauthorised users.

As an example, an employee also has the right to challenge the correctness of the information collected, so information should be retained long enough to afford that opportunity.

The PoPI Act in its entirety is more complex than can be dealt with here and contains numerous provisions under which various categories of personal information can and/or must be retained, shared or destroyed. In addition, there are various exceptions to those provisions. Various other statutes and laws may govern the period for which various types of information must be retained and those statutes would have to be read in conjunction with the PoPI Act.

Individuals, companies and other entities who are involved in the collection of personal information are urged to read and familiarise themselves with the PoPI Act. It is advisable to take legal advice to ensure strict compliance before, even inadvertently, falling foul of its provisions and suffering the potentially huge penalties for breach of its provisions.

Ignorance of the law may not be sufficient to save you from the Act when it comes into operation.

For more information contact iFacts, +27 (0)11 609 5124,,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Industrialisation or imperialism?
Issue 7 2020 , Security Services & Risk Management
4IR has to be a matter of national agenda; national economic and political sovereignty and national security - necessitating commensurate prioritisation.

PCI DSS can be your PoPIA security blueprint
Issue 6 2020, Galix Group , Security Services & Risk Management
Some of the requirements of PCI DSS can also be used to comply with PoPIA, South Africa’s data privacy law.

Monopoly: AI edition
Issue 6 2020 , Security Services & Risk Management
Due to the inherent nature of artificial intelligence (AI), AI-powered industries naturally tend towards monopolisation.

eVisa solutions for Botswana
Issue 6 2020 , Security Services & Risk Management
Travelers to Botswana will soon be able to complete visa applications online and ease their entry into the country.

Three steps to kick-start POPIA compliance
Issue 6 2020 , Security Services & Risk Management
Complying with data privacy, security laws and regulations can be a daunting task for any organisation.

Leaders in risk and security: As long as there are people, there will be risk
Issue 5 2020, iFacts, Technews Publishing , Editor's Choice
Jenny Reid is a self-made success, focusing on people, the risks they create and the potential they have.

Mitigating the human risk
Issue 5 2020, Managed Integrity Evaluation, Technews Publishing, iFacts , CCTV, Surveillance & Remote Monitoring
Hi-Tech Security Solutions asked Jennifer Barkhuizen and Jenny Reid for some information around background screening and vetting of potential new hires.

Digital evidence handling in the cloud
Issue 5 2020 , Security Services & Risk Management
Investigate Xpress is a free, cloud-based digital evidence management solution designed to make police forces more efficient and productive.

The evolution of security in residential estates
Residential Estate Security Handbook 2020 , Editor's Choice, Integrated Solutions, Security Services & Risk Management
Two large estates discuss their security processes and the ever-expanding scope of responsibilities they need to fulfil.

Home-grown, cloud-based safety and security solutions
Residential Estate Security Handbook 2020 , IT infrastructure, Integrated Solutions
BeSecure has taken security and communications technologies and turned them into what is best described as care and safety solutions for the estate community in South Africa.