POPI: Compliance v defiance

March 1st, 2017

By Sasha Beharilal

There has been a buzz around the Protection of Personal Information Act 4 of 2013 (POPI), which was promulgated in 2013, but it has not been in full effect, the buzz may seem to be white noise. If you choose to take an active role in becoming compliant, you will not win any award or receive a gold star on your forehead, but you will gain and retain the trust of your clients, customers and employees. If you choose to be defiant and ignore the white noise because ‘it is not urgent yet’ then it is likely that you will fall into the deep end when it is urgent, and this will result in sloppiness and subsequent legal problems.

Compliance with POPI is not an easy task; the process requires you to consult with lawyers, technology experts and consultants who will identify potential risks. You will then spend money on security measures and training to mitigate those risks, so is it worth it to commence the process, or can you afford to wait?

There are hundreds of articles explaining what POPI is, however, in most cases, POPI is regurgitated and summarised, and many authors are still confused as to what is required to be compliant. To understand what is expected of you in terms of POPI, there are eight conditions that you must be aware of.


You, as the responsible party, have the obligation of ensuring that information is processed lawfully. A responsible party is defined as ‘a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.’

Regardless if you are the manager of a gym or large corporation, your entity possesses information on your clients, customers, employees and third parties. You are, therefore, responsible for how an individual’s information is used.

Processing limitation

Information must be processed for its given purpose. If you require identification for the purpose of entering an office building, for example, it is not necessary for you to process or collect information related to an individual’s health records. That would be irrelevant and excessive and, therefore, unlawful. A gym, however, would require an individual’s health information to ensure that if a member has an incident, the appropriate action can be taken. Individuals must consent to the processing of their information
(s 11(1)(a)).

Purpose specification

Personal information must be collected for a specific purpose that is clearly defined, and the individuals in question must be aware of this. Information must not be retained for longer than necessary. For example, if you are operating a spaza shop and someone has bought on credit, their information must be deleted on full payment, or when an individual decides to terminate their membership with a gym, the gym must – unless it has a legitimate reason to keep them – remove all records of that individual. Exact terms regarding data retention and destruction should be stipulated in the relevant contracts. Once the purpose of the data collection has been fulfilled, information must be removed or individuals must be de-identified. Another example is the use of camera surveillance. Due to security concerns, many businesses use closed-circuit television (CCTV) cameras. CCTV collects your biometrics. Biometrics is defined as ‘a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition’. A sign that says ‘These premises are under CCTV surveillance’ or ‘Smile you are on camera’ is not POPI compliant. A sign that says ‘CCTV in use for the purposes of crime prevention’ is compliant as it informs individuals that data is being collected and the reason for collection.

Further processing limitation

The further processing must be compatible with the purpose of the collection of personal information. You must ensure that you do not divert from the reason the information was collected. If your primary reason for collecting personal information is for statistical purposes, you cannot then sell this information to marketers, with the case of CCTV footage, you will not be allowed to use the footage in a movie, for example, as the object of collection was the collection for security purposes.

Information quality

This one is simple. The information must be accurate, complete and up-to-date. An example of good practice in this regard, is to try to regularly verify information. The South African Revenue Service and commercial banks are particularly good at this, although they may have other reasons for doing so.


When processing or collecting personal information, the individuals whose information is being collected and processed must be notified and made aware. It is unlawful to process an individual’s information behind their back. A good example – which is likely to become more prevalent – is warning visitors to your website that you use cookies (small programs that install themselves on a computer) and obtain the individual’s consent.

Security safeguards

You need to take adequate measures to ensure that the personal information is secure and identify all the reasonable foreseeable risks and take proactive measures to prevent them. For example, if your spaza shop is in a crime ridden area, your premises will require fences, a safe and an alarm system in addition to a standard firewall. If you are a large corporation, such as an insurance company, your business has information regarding peoples’ income, jobs, age, sex, status, medical records and so forth. Sensitive information such as this must be protected with the adequate level of security. It is your duty to ensure that your partners, who have access to this information, meet the minimum security requirements. This includes firewalls, state of the art antiviruses, strong encryption and POPI training for staff.

Data subject participation

Individuals are the data subjects, and they have the right to access all their personal information that has been collected, they may request the information be corrected or for the removal of outdated and irrelevant information.

If you chose to be defiant, existing and potential customers and employees will gravitate towards businesses that process their information in a lawful manner. For example, TalkTalk, a UK telecommunications company, lost 101 000 customers and £ 60 million in revenue after a data breach (Kat Hall ‘TalkTalk admits losing £ 60 m and 101 000 customers after that hack’ www.theregister.co.uk, accessed 2-2-2017).

Any person convicted of an offence in terms of POPI faces imprisonment of up to ten years and or a fine, not to mention the civil actions instituted by aggrieved individuals. Defiance could save costs in the short term, but could result in criminal and civil actions being instituted against you in the future, and litigation is not cheap.

Sasha Beharilal BCom Law LLB (Unisa) is a candidate attorney at PPM Attorneys in Johannesburg.

This article was first published in De Rebus in 2017 (March) DR 14.

De Rebus