16 April 2014

Paying attention to POPI

After 13 years in the making, the Protection of Personal Information Act, 2013 (POPI) is expected to come into effect later this year.

Organisations that process and keep personal information will have a transition period of 1 year within which to comply with POPI, with a possible extension of 3 years granted by the Minister of Justice.

POPI deals with the processing of personal information by private and public bodies. It is expected to bring South Africa's privacy law into harmony with international standards.

POPI defines personal information to include information relating to:

• race, gender, sex, well-being, belief, culture, language,
• any identifying number, symbol, e-mail address, physical address, telephone number,
• education, medical, criminal, financial, employment history,
• personal opinions, views, and
• private or confidential correspondence.

Using the Promotion of Access to Information Act, 2000, the South African History Archive (SAHA), through its Freedom of Information Programme, requests and makes information publicly available. The information that is made publicly available often includes some personal information. POPI therefore has implications for organisations, such as SAHA, that collect and store personal information.

In the course of processing personal information, most organisations obtain consent forms from people whose personal information will be requested and made publicly available. Consent is normally obtained by way of signed consent forms.

With the introduction of POPI, a typical consent form may fall short of complying with POPI, and may need to be redrafted.

POPI suggests that, in order to comply, the consent forms will need to clearly capture:

• reasons for collecting the personal information,
• the purpose for keeping the personal information, and
• the process for ongoing consent for making the information publicly available.

Failure to comply with POPI may have significant legal implications. A responsible person who has been convicted of failing to comply with POPI may be imprisoned for a period of up to 12 months or be fined, or face both a fine and imprisonment.

POPI also has implications for archives work by organisations like SAHA. Archives accumulate and store records that can include personal information of third parties. While archivists have usually adopted high standards in processing and keeping personal information, POPI raises compliance concerns and will represent an increased burden on archivists. Archivists may be required to perform risk assessments in relation to the many documents, already collected, that contain third-party information. They may then have to categorise the information they hold, based on potential legal implications for the storage and publication of personal information of third parties.

SAHA's archive team, along with other archivists, is currently involved in a process of drafting a code of conduct that will establish information protection principles. The code of conduct will provide principles tailored for archivists. This will provide support to ensure that archivists comply with POPI.

While it may seem as if there is still time before it is mandatory to comply with POPI, organisations that process personal information would be well advised to start taking POPI into account now when processing and keeping personal information. At a minimum, that may mean less work to apply POPI to recently collected documents when POPI commences.
