PoPIA: Why you should be thinking about “privacy by design.”

Discover why Privacy by Design is crucial for PoPIA compliance. Explore key provisions of PoPIA and learn how to protect personal data by default.


The Protection of Personal Information Act (PoPIA) is South Africa’s data protection law: it regulates how personal information may be processed. It requires organisations to collect and use only the personal information that is necessary for a specific purpose, and to keep that information secure. One idea central to data privacy is “privacy by design”: building privacy protection into a project from the outset rather than trying to bolt it on later. It protects the information in your care and should form part of your PoPIA compliance plan.


The Information Regulator:

The PoPI Act establishes an independent body called the Information Regulator. The regulator is responsible for enforcing the provisions of the Act, receiving complaints and queries from the public, and promoting compliance with the Act. The regulator also has the power to conduct investigations and impose sanctions for non-compliance.

Electronic Communications:

PoPIA recognises that much of the processing of personal information happens through electronic channels such as email, social media and mobile applications. The Act’s duty to secure the integrity and confidentiality of personal information, by taking appropriate, reasonable technical and organisational measures against loss, damage and unlawful access, applies regardless of the medium, and the Act also contains specific rules on direct marketing by means of unsolicited electronic communications. Responsible parties must therefore ensure that the electronic channels they use to collect, store and share personal information protect it from unauthorised access, use or disclosure.

Processing of Personal Information:

The Protection of Personal Information Act defines personal information broadly as information relating to an identifiable, living natural person or, where applicable, an identifiable, existing juristic person, so information about companies can be covered too. Responsible parties may collect and process only the personal information that is necessary for a specific purpose, such as providing a service or performing a contract. Consent is one lawful basis for processing, but not the only one: the Act also permits processing that is necessary to conclude or perform a contract with the data subject, to comply with a legal obligation, or to pursue a legitimate interest (see below). Whichever basis applies should be identified before collection starts.

Specific Purposes:

PoPIA requires responsible parties to collect and process personal information for specific, explicitly defined purposes. Responsible parties must inform data subjects of the purposes for which their personal information is being collected and processed and must ensure that the collection and processing of personal information are necessary for the specified purposes.

Legitimate Interest:

The Act allows for the processing of personal information without the consent of data subjects in certain circumstances, such as when the processing is necessary for the legitimate interests of the responsible party or a third party. However, the Act requires responsible parties to balance their legitimate interests against the rights of data subjects and to ensure that the processing of personal information is fair, lawful, and reasonable.

Lawful Processing:

The PoPI Act requires responsible parties to ensure that the processing of personal information is lawful and to take reasonable steps to ensure that personal information is accurate, complete, and up-to-date. The Act also requires responsible parties to keep personal information confidential and secure and to prevent the unauthorized access, use, or disclosure of personal information.

Explicitly Defined:

PoPIA requires responsible parties to ensure that the purposes for which personal information is collected and processed are explicitly defined and that data subjects are informed of these purposes. The Act also requires responsible parties to ensure that personal information is not processed for any other purpose that is incompatible with the original purpose for which it was collected.

Responsible Parties:

PoPIA places the duty to comply on the responsible party: the public or private body, or any other person, that alone or together with others determines the purpose of and means for processing personal information (the role the GDPR calls the data controller). An organisation that processes personal information on the responsible party’s behalf is called an operator (the GDPR’s data processor). The responsible party stays accountable for that processing: it must have a written contract obliging the operator to secure the information, and the operator may process the information only with the responsible party’s knowledge or authorisation and must treat it as confidential.

Only Collect:

PoPIA requires that personal information be collected directly from the data subject unless one of the Act’s exceptions applies, for example where the information is contained in a public record, the data subject has consented to collection from another source, or direct collection is not reasonably practicable in the circumstances. Responsible parties must also collect only the personal information that is necessary for the specific purpose for which it is being collected.

Data Subjects:

Data subjects are the persons to whom the personal information relates. PoPIA gives them the right to know what personal information a responsible party holds about them and to access it, the right to request that inaccurate, irrelevant or excessive information be corrected or deleted, and the right to object, on reasonable grounds, to the processing of their personal information.

What is Privacy by Design

Privacy by Design is a system design principle that seeks to ensure that personal data is protected by default. In other words, the privacy of an individual remains intact even if they do nothing to protect it.

The seven principles of privacy by design include:

1. Design for prevention, not remediation

This means anticipating potential breaches and putting appropriate protections in place, by design, so that they do not happen. Preventing incidents protects the organisation from privacy failures that damage its reputation or, under PoPIA, expose it to penalties.

2. Privacy as the default

This means that personal data is automatically protected (for example by encryption, masking and access controls) in any system or business practice. No additional steps are required from the individual, or from staff, to secure the data.

3. Embed privacy into the design

Privacy capabilities should be built into the system as an integral part of its design and user experience, not added in a way that detracts from the functionality or usability of the system.

4. Fully functional

Again, the business scope of the system should not be compromised to deliver privacy, and privacy should not be compromised to deliver functionality. Privacy requirements should be accommodated without compromising the function of the system, and vice versa.

5. Lifecycle protection

The information must be secure and protected throughout its lifecycle, from the point of initial data capture, through storage and use, all the way to its final destruction, which includes keeping it no longer than the purpose requires and deleting it securely.

6. Visibility and transparency

Users and other stakeholders must be able to understand how personal data moves through your system(s). This means not only understanding data lineage, but also having clarity about who is using data in different places and for what purposes, and about the levels of security provided to different users and use cases. This clarity is critical for accountability and governance.

7. Respect

At the core of Privacy by Design is the recognition that the privacy of your customers’ data should be your primary concern: the design stays user-centric, with strong defaults, clear notices and straightforward ways for data subjects to exercise their rights.

Is Privacy by Design Required by PoPIA?

Privacy by design is explicitly required by Europe’s General Data Protection Regulation (GDPR), as “data protection by design and by default”, but it is not named in PoPIA. PoPIA does require responsible parties to take appropriate, reasonable technical and organisational measures to secure personal information, and privacy by design is a practical way of meeting that duty.

So why think about it if PoPIA is your only concern?

Well, designing for privacy reduces the risk to your business and your reputation and, most importantly, reduces the risk to your customers that their data is compromised while in your care.

For new systems, this should be the default. Good design ringfences personal data using a combination of role-based access controls, encryption and masking, so that only staff with a genuine need to see the data can do so and everyone else sees a masked form. When purchasing an off-the-shelf system (a new ERP or CRM, for example), check before you buy that it follows privacy by design principles and actually supports these controls.
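The following Python sketch is an added example, not code from the original post, showing what “privacy as the default” (principle 2), lifecycle protection (principle 5), visibility (principle 6) and the ringfencing described above look like together in a small record store. The field classification, purposes, roles, subject IDs and sample records are assumptions constructed for the illustration; the encryption routine is a stdlib-only encrypt-then-MAC stand-in so the example runs without third-party packages, and a real system would use a vetted AEAD library instead.

```python
import hashlib
import hmac
import secrets

# Classification assumed for this example: which fields are personal information, which
# purpose justifies collecting which fields, and which roles may see a field unmasked.
PERSONAL_FIELDS = {"id_number", "email", "phone"}
PURPOSE_FIELDS = {"support_ticket": {"name", "email"},
                  "credit_check": {"name", "id_number", "phone"}}
ROLE_CAN_UNMASK = {"support_agent": {"email"},
                   "fraud_analyst": {"id_number", "email", "phone"},
                   "marketing": set()}


def _keys(master: bytes):
    """Derive separate encryption and MAC subkeys from the master key."""
    return (hmac.new(master, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream bound to the nonce."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. Stdlib-only stand-in so the example runs
    anywhere; production code should use a vetted AEAD (e.g. AES-GCM) instead."""
    enc_key, mac_key = _keys(master)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext.encode("utf-8"))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(master: bytes, blob: bytes) -> str:
    enc_key, mac_key = _keys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("stored personal data failed its integrity check")
    return _xor_stream(enc_key, nonce, ct).decode("utf-8")


def mask(field_name: str, value: str) -> str:
    """Default view: enough to recognise a record, not enough to misuse it."""
    if field_name == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    keep = 4 if field_name == "id_number" else 3  # SA ID numbers are 13 digits; show last 4
    return "*" * (len(value) - keep) + value[-keep:]


class PersonalDataStore:
    """Personal fields are encrypted at rest, masked on read, unmasked only for roles with a
    genuine need, and every unmask request (granted or denied) lands in the audit trail."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._rows = {}
        self.audit = []

    def put(self, subject_id: str, record: dict, purpose: str) -> None:
        excess = set(record) - PURPOSE_FIELDS[purpose]  # only collect what the purpose needs
        if excess:
            raise ValueError(f"purpose {purpose!r} does not justify collecting {sorted(excess)}")
        self._rows[subject_id] = {k: seal(self._key, v) if k in PERSONAL_FIELDS else v
                                  for k, v in record.items()}

    def get(self, subject_id: str, role: str, reveal: frozenset = frozenset()) -> dict:
        out = {}
        for k, v in self._rows[subject_id].items():
            if k not in PERSONAL_FIELDS:
                out[k] = v
                continue
            plain = unseal(self._key, v)
            if k not in reveal:
                out[k] = mask(k, plain)
                continue
            granted = k in ROLE_CAN_UNMASK.get(role, set())
            self.audit.append((role, subject_id, k, "unmasked" if granted else "denied"))
            if not granted:
                raise PermissionError(f"role {role!r} may not unmask {k!r}")
            out[k] = plain
        return out


def demo() -> PersonalDataStore:
    """Load constructed sample records (not real people) into a fresh store."""
    store = PersonalDataStore(secrets.token_bytes(32))
    store.put("s1", {"name": "Thandi", "id_number": "9001015009087", "phone": "0821234567"},
              "credit_check")
    store.put("s2", {"name": "Sipho", "email": "sipho@example.com"}, "support_ticket")
    return store


if __name__ == "__main__":
    s = demo()
    print(s.get("s1", "marketing"))                                # everything masked
    print(s.get("s1", "fraud_analyst", frozenset({"id_number"})))  # one field unmasked, audited
    print(s.audit)
```

The point of the design is that the safe outcome needs no action from anyone: a caller who asks for nothing special gets masked values, a purpose that does not justify a field cannot store it, and unmasking is both role-gated and recorded, which is what gives you the visibility that principle 6 asks for when you later need to answer “who looked at this record, and why?”.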

For older or existing systems, implementing privacy by design principles may be harder.

A privacy audit will identify privacy weak points and allow you to plan new, user-friendly solutions to address them. PoPIA sets no deadline for retrofitting privacy by design as such, but its general duty to secure personal information already applies to these systems.

However, because a large share of personal-data exposure comes from inside the organisation (staff with more access than their job needs, and data leaking from internal systems), it makes business sense to phase privacy by design features into existing systems over time, beginning with those that present the greatest risk of exposure.

You should be thinking about privacy by design!

Responses to “PoPIA: Why you should be thinking about “privacy by design.””

  1. PoPIA compliance – organisations need a data management and protection strategy to ensure they are complying – Supply Network Africa

    […] ‘Privacy by design’ is a notion of system design that aims to secure personal data by default. In other words, an individual’s privacy is protected even if they do nothing to defend it. Designing for privacy reduces the risk to your business, your reputation, and your customer. Good design should ringfence personal data using a combination of attribute-based access controls, encryption, and masking. For new systems, this should be considered as a default option. […]
