Protection of Personal Information

Overview

POPIA can be described as a “general information protection statute” designed to prevent the negligent disclosure of personal information.

While POPIA does not prevent an organisation or “Responsible Party” (the Data Collector) from collecting personal information, it may now only record or process such information with the individual’s (the Data Subject’s) express consent and in accordance with the determinations of the act.

The Responsible Party is responsible for securing the collected information from the moment it is captured until it is destroyed, and also needs to ensure that the information is destroyed in line with industry standards as soon as it is no longer needed.

The Responsible Party is further required to disclose to the Data Subject why the information is being collected, for what purpose, and for how long the information will be retained.

Access Track, as an Operator, provides license scanning and information collection equipment and services for use by the Responsible Party for collection and management of visitor information for purposes of access control and access authorisation, subject to a Data Processing Agreement entered into between Access Track and the Responsible Party.

It should be noted that the Responsible Party does not automatically become “compliant” with POPIA by implementing and using the equipment and services provided by Access Track.

Minimum Requirements

The following points describe the minimum requirements that must be met by the Data Collector (Responsible Party) in accordance with POPIA guidelines:

1.   Data Process Audit

Data Collectors must audit the processes used to collect, record, store, disseminate and destroy personal information. In particular, organisations must ensure the integrity and safekeeping of personal information in their possession or under their control. They must take steps to prevent the information from being lost or damaged, or unlawfully accessed.

2.   Define the Purpose of the Information Collection

Personal information must be collected for a specific, explicitly defined and lawful purpose that is related to a function or activity of the organisation concerned.

3.   Limit the Processing Parameters

The processing of personal information must be lawful and it may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.

4.   Take Steps to Inform the Data Subject

The Data Subject whose information is being processed has the right to know that this is being done and why. The Data Subject must be told the name and address of the company processing their information. In addition, the Data Subject must be informed as to whether the provision of the information is voluntary or mandatory.

5.   Check the Rationale for any Further Processing

If information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.

6.   Ensure Information Quality

The company processing the information must make sure the information is complete, accurate, up to date and not misleading.

7.   Notify the Information Protection Regulator

The Data Collector must notify the Regulator about any data breach.

8.   Accommodate Data Subject Requests

The POPI Act allows Data Subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the Data Subject has the right to know the identity of all third parties that have had access to their information. A Data Subject can also ask for a record of the information concerned.

9.   Retain Records for Required Periods

Personal information must be destroyed, deleted or ‘de-identified’ as soon as the purpose for collecting the information has been achieved. However, a record of the information must be retained if an organisation has used it to make a decision about the Data Subject. The record must be kept for a period long enough for the Data Subject to request access to it.

10. Cross Border Data Transfer

There are restrictions on the sending of personal information out of South Africa as well as on the transfer of personal information back into South Africa. The applicable restrictions will depend on the laws of the country to which the data is transferred or from which the data is returned, as the case may be.