No More Hiding as POPI Act Kicks Off on 1 July
Local organisations have no excuses when it comes to complying with the Protection of Personal Information (POPI) Act, SA’s data protection law, within the stipulated timeframe.
So said advocate Pansy Tlakula, chairperson of the Information Regulator, speaking to ITWeb following last week’s announcement that more sections of the POPI Act will come into effect as of 1 July.
“The Act was passed in 2013, so nobody has an excuse,” states Tlakula. “They [organisations] probably thought the Act will never come into operation. Remember that it was passed in 2013 and nothing happened.
“In December 2016, we were appointed, and we’ve been preaching, telling people to comply as this Act is there and not going anywhere. There are Acts that were cast for many years, which have not been brought into operation, so maybe they thought the same with this Act.
“We pushed very hard for the Act to be brought into operation … they can’t tell us they can’t comply because we have been engaging since the beginning of 2017.”
A 2019 Sophos-commissioned study to determine the state of POPI Act compliance within South African companies showed that only 34% of survey respondents felt their organisation was going to be ready to meet the POPI requirements.
Furthermore, most respondents (77%) believed their organisation would suffer reputational damage if fines for non-compliance were imposed.
“Those who have practices that do not comply with the Act will have to ensure they change those practices and bring them into conformity with the Act.”
Over the next year, Tlakula said, the Information Regulator will be looking into how the Act applies to the collection of personal information by security companies at office buildings and residential complexes, as well as to CCTV platforms, to determine what is and is not allowed.
In terms of office spaces, for instance, Tlakula explained that the issue is determining whether they are in compliance with the Act when collecting information from an individual. “A big issue that we need to interrogate is whether the information they require is excessive or not.
“The excessiveness is the main issue because they have to take information, collect it for the purpose they need it and they should not collect more than they need − those are the rules.
“The question that we then have to ask is, if you enter a complex, is it excessive or not for the owners of that building to want your name, your address, your ID and driver’s licence? They scan your driver’s licence, they scan the disc on your car, and we will have to ask if that is excessive or not.
“Just off the cuff, I think it is excessive,” she adds. “For me, the thing that they should be looking for is the plate number for the car. I don’t see how they need my ID because it contains a lot of information. Once you have my ID, you have everything about me. Do they need that information and for what purpose, how do they store it, where do they store it, is it secure where it is, what do they use it for?
“We don’t know where they store that information, what if their systems are breached where they store it, and do they sell it? We don’t even know.
“For now, between now until next year, we’ll just be engaging these people to say we are worried about 1, 2 and 3 in the way that you process personal information, so fix it!”