ARTICLE 1 IN A SERIES ON POPIA

  1. THE IMPORTANCE OF PERSONAL INFORMATION IMPACT ASSESSMENTS
  • The Protection of Personal Information Act (Act No. 4 of 2014) (“POPIA”) commenced on 1 July 2020. All business and legal entities, whether owned by individuals, companies, partners, sole proprietors, close corporations, NGOs/PBOs, associations and business trusts, including dormant entities, are required to comply with POPIA.
  • Personal information is any information that relates to a living, identifiable natural person or an existing juristic person (like a company). POPIA provides certain compulsory conditions relating to the processing of personal information and establishes an enabling framework for persons and entities (data subjects) to exercise their related rights.
  2. SAFEGUARDING OF PERSONAL INFORMATION
  • POPIA gives effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party. This entails that a responsible party is required to maintain the confidentiality and integrity of personal information under its control by taking appropriate, reasonable technical and organizational measures to prevent:
    • the loss of, damage to or unauthorized destruction of personal information; and
    • unlawful access to or processing of personal information.
  • POPIA requires that a responsible party must have regard to generally accepted information security practices and procedures when determining which measures to implement to safeguard personal information. These may be generally required in terms of specific industry or professional rules and regulations.
  • Responsible parties are further required to take reasonably practical steps to ensure that personal information processed by them is accurate, up to date, complete and not misleading.
  3. PERSONAL INFORMATION IMPACT ASSESSMENTS
  • This is where personal information impact assessments (“PIIAs”) come in. Regulation 4(1)(b) of the Regulations published in terms of POPIA (“the POPIA Regulations”) creates a legal obligation on responsible parties to perform PIIAs to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
  • Organisations and businesses can use PIIAs to assess and identify organisational risks for data subjects which exist due to certain technology or systems used by the organisation, and determine the most appropriate measures and standards to remedy and prevent the risks.
  • Regulation 4(1)(b) of the POPIA Regulations requires such PIIAs to be carried out regardless of the level of risk to the rights of the affected data subjects that is likely to emanate from the nature, scope, context or purpose of the data processing conducted.
  4. THE STARTING POINT
  • Businesses can easily feel overwhelmed with the myriad of obligations seemingly imposed by POPIA. The starting point for a PIIA entails a careful analysis and description of the data processing taking place in an organisation, including the purposes (and where applicable, legitimate interests) of the responsible party in terms of Section 11(1)(f) of POPIA.
  • In order to consider the nature and seriousness of the risk, the responsible party must involve data subjects in its analysis, and where appropriate give them a chance to express their views on the intended processing. This will enable the processing to take place proportionately (Section 10 of POPIA) and in relation to the risks, and the rights of data subjects can be sufficiently assessed for purposes of Section 11(1)(d) of POPIA.
  • Once the risks to an organisation have been identified, and safeguards, security measures and protection mechanisms for personal information have been implemented, and the organisation can demonstrate overall compliance with POPIA as required by Section 8, the organisation’s PIIA is complete.
  5. IS FAILURE TO COMPLY A BIG DEAL?
  • If a responsible party fails to adequately protect the personal information it processes, such deviation from the required standard in respect of foreseeable harm constitutes negligence on the part of the responsible party, regardless of whether the failure occurred as a result of an act or omission by the responsible party itself, the information officer, an employee, a contractor or a service provider. A responsible party can therefore be held liable for harm to data subjects that results from such deviation. The burden of proof in this instance is on the responsible party to show that it identified reasonably foreseeable risks and implemented measures to mitigate them. POPIA also imposes offences and severe penalties for non-compliance.

Over the next few weeks, we will publish a series of articles on PIIAs to help you understand your organisation’s POPIA compliance framework. Contact us for assistance.

Luïse Von Dürckheim-Botes

BProc; LLB; LLM (Criminal Law)(Cum Laude); LLM (Corporate Law)

Consultant

Corporate and Commercial Law

Email: luise@sstlaw.co.za

Phone: 012 361 9823