Beware of PoPI non-compliance

1 October 2017 Security Services & Risk Management, Integrated Solutions

The Protection of Personal Information Act (No. 4 of 2013) (or PoPI Act) is soon to be promulgated in South Africa. Jenny Reid of iFacts recently discussed the matter with Kevin McCallum of Tuckers Incorporated, who specialises in corporate legal matters.

McCallum says that the PoPI Act, although already an Act of Parliament, has not yet come in to full effect. It will only take effect once the President of South Africa signs a proclamation declaring the Act to actually be in effect. By all accounts, compliance with the Act will then be enforced 12 months after its proclamation. It is, however, worthwhile preparing for its inception right now.

Being caught short for non-compliance could have disastrous consequences, given the onerous requirements placed on the collector of personal information and the huge penalties expected to be imposed for the breach of, or non-compliance with, the Act.

A number of companies and institutions have already begun moving towards full compliance with the Act, in anticipation of it coming into effect. This is partly because compliance requires a serious shift away from the haphazard or random collection of personal information. The Act also limits the use of personal information, as this information now cannot be used for just any purpose the collector desires. This includes adequate protection of information so that it cannot be used and shared by unauthorised parties. The Act has its origins in Section 14 of the Constitution of the Republic of South Africa (Act No. 108 of 1996), which governs our rights to privacy.

The collection of personal information in respect of a person (impersonally called a ‘data subject’ in the Act) will require the consent of that particular data subject. The data subject must know and understand the precise purpose for the collection of any information, how it will be utilised, how the information is to be protected against distribution or theft by unauthorised parties, how long it will be retained, and how it will be destroyed when it is no longer required (Section 13 of the Act).

Unlawful retention, distribution, sharing or unauthorised use of personal information may result in non-compliance with the Act, which will carry onerous penalties of up to R10 million in fines, and could even result in jail sentences (in some instances of up to 10 years, depending on the seriousness of the breach or non-compliance).

Section 14 of the Act governs the length of time for which personal information is to be securely retained. Generally the information should only be retained, in a secure manner, for as long as is required to achieve the purpose for which it was collected. Subsequent to this, it should be destroyed to prevent it becoming available to unauthorised users.

As an example, an employee also has the right to challenge the correctness of the information collected, so information should be retained long enough to afford that opportunity.

The PoPI Act in its entirety is more complex than can be dealt with here and contains numerous provisions under which various categories of personal information can and/or must be retained, shared or destroyed. In addition, there are various exceptions to those provisions. Various other statutes and laws may govern the period for which various types of information must be retained and those statutes would have to be read in conjunction with the PoPI Act.

Individuals, companies and other entities who are involved in the collection of personal information are urged to read and familiarise themselves with the PoPI Act. It is advisable to take legal advice to ensure strict compliance before, even inadvertently, falling foul of its provisions and suffering the potentially huge penalties for breach of its provisions.

Ignorance of the law may not be sufficient to save you from the Act when it comes into operation.

For more information contact iFacts, +27 (0)11 609 5124,,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Communication in any situation
Issue 8 2020, Elvey Security Technologies , Global Communications (Member of Hudaco Group) , Security Services & Risk Management
Global Communications offers an industry-first with five-year warranty on select Kenwood two-way radios.

The year resilience paid off
Issue 8 2020, ContinuitySA , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Free-flow smart weapons detection system
Issue 8 2020, XPro Security Solutions , News, Security Services & Risk Management, Products
Detecting people carrying weapons and preventing them from entering your venue is now possible, without sacrificing the visitor experience.

Meeting compliance obligations
Issue 7 2020 , Security Services & Risk Management
Helping businesses in SA understand and meet their compliance obligations to local regulations.

Business continuity through a COVID-19 lens
Issue 8 2020, ContinuitySA , Security Services & Risk Management
COVID-19 has brought business continuity under scrutiny, with the opportunity to enhance resilience into the future.

7 Arrows becomes a part of Fidelity ADT
Issue 8 2020, Fidelity ADT , News, Security Services & Risk Management
Fidelity ADT and 7 Arrows have concluded an acquisition agreement effective 1 October 2020. 7 Arrows will now form a part of Fidelity ADT.

The future of the VMS
CCTV Handbook 2020, Technews Publishing, Cathexis Technologies, Arteco Global, XtraVision , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Integrated Solutions
Will AI-enhanced video analytic apps that can be downloaded and installed directly onto cameras take business away from the VMS market?

Industrialisation or imperialism?
Issue 7 2020 , Security Services & Risk Management
4IR has to be a matter of national agenda; national economic and political sovereignty and national security - necessitating commensurate prioritisation.

Password vulnerabilities in South Africa
Issue 7 2020, Kaspersky , Security Services & Risk Management
Research from Kaspersky has shown that people are putting their online safety at risk by making bad password decisions and simple password mistakes that may have far-reaching consequences.

The greatest crime-fighting weapon is predictably
Issue 7 2020 , Security Services & Risk Management
Predictability fuelled by artificial intelligence (AI) and big data has the ability to reduce violent crimes by 25% by 2023 according to Aura.