THE POPI ACT - The Protection of Personal Information

THE POPI ACT - The Protection of Personal Information

THE PAI ACT - The Promotion of Access to Information Act

The Protection of Personal Information Act (POPIA) came into operation on 1 July 2020 and all community schemes must have registered and be compliant by 30 June 2021.

It is important to understand that the POPI Act outlines the principles and conditions for the legal processing of all personal information. The actual processes and implementation of the POPI Act may well vary from one community scheme to another.

The POPI Act aims to protect personal information, which includes any information relevant to an identifiable, living, natural or juristic person including:

Race Gender Age Religion ID/Passport No Disabilities

Addresses Tel/Fax/Cell No E-mail Address Biometrics Images

This information also includes personal opinions, views, preferences, financial affairs, and any correspondence of a private nature sent by the person.

The POPI Act applies to any person or organisation that processes personal information including the:

Collection Receipting Recording Collation Organising Storage

Updating Retrieval Updating Deleting Destruction Dissemination

Altering Consultation Use of Distribution Copying

of personal information.

The main purpose of the POPI Act is to ensure transparent processing of personal information including :

• Why personal information is collected;
• How personal information is used;
• How personal information is stored;
• When and how personal information is shared;
• What process will be followed if a data breach occurs;
• How personal information held by the organization can be accessed and corrected;
• When personal information is deleted; and
• The appointment of an information officer.

All community schemes will need to conduct some form of processing of personal information, whether it be for purposes of communicating with owners, collecting levies, keeping a register of members, conducting opinion surveys, using CCTV security cameras, or using biometric security access systems. Community schemes will also be obliged to sign POPI contracts with all service providers who will have access to the personal information relating to the scheme.

The Promotion of Access to Information Act (PAIA) was enacted in 2000 to ensure that citizens and non-citizens are able to exercise their constitutional right of access to any information, held by government entities and private corporations, as is required for the exercise or protection of any of their rights.

Each scheme will be obliged to prepare, inter alia:

• A POPIA Manual / Policy Document
• A PAIA Manual
• A POPIA Addendum to the Management Agreement
• Staff training on POPIA and PAIA
• A POPIA non-disclosure agreement template

The Act notes that the chairman of each scheme is by default appointed as the POPIA and PAIA Information officer and whilst the duties may be outsourced to a managing agent, the responsibility of adhering to the Acts rests with the chairman.

The 8 conditions for the processing of information are :

1. Accountability - all conditions must be met before processing any data.
2. Lawfulness - strict controls must be implemented on what it means to process data.
3. Purpose - information may only be collected for a specific lawful reason and the data subject must be made aware of these reasons. Data cannot be collected from a 3^rd party. Once the data is no longer required it must be deleted unless required by law to keep for 5 years.
4. Further processing limitation - data may only be processed for the purpose it was collected.
5. Information quality - steps must be taken to ensure that all data collected is accurate and complete.
6. Openness - refers to the PAIA and your duty to maintain strict documentation of all the processing activities. The data subject must be informed why you require the information.
7. Security safeguards - implement effective and reasonable technical and organizational measures to prevent unlawful access, loss or damage of personal data.
8. Participation - stipulates the rights of the data subject in respect of the information provided, enabling them to have access thereto and to change data if required.