The Protection of Personal Information Bill 2009 (POPI or the Bill*) aims to bring South Africa in line with international data protection laws. The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information. Members of our Information Law and Data Protection Group provide some insight into the implications of POPI in this series of Snapshots.
The Bill sets out eight conditions that responsible parties will need to take into consideration for the processing of personal information to be lawful. This Snapshot considers the first of these eight conditions, namely accountability.
Condition 1 - Accountability
Under POPI, a responsible party processing personal information must comply with eight conditions and the measures necessary to give effect to these conditions. Compliance must be achieved not only when the actual processing of information takes place, but also when determining the purpose and means of processing the personal information.
Accountability refers to accountability supported by legal sanctions, as well as to accountability established by codes of conduct.
An organisation will be responsible for personal information in its possession or custody, including information that has been transferred to service providers for processing. Thus a responsible party should use contractual or other means to provide a comparable level of protection while the information is being processed by a third party processor.
In addition, when personal information is to be transferred to another person or organisation, whether domestically or internationally, an organisation should:
- obtain the consent of the individual; or
- exercise due diligence and take reasonable steps to ensure that the recipient person or organisation will protect the information consistently with these conditions.
The impact of this condition on organisations that process personal information is that it will need to implement measures to ensure that its employees are aware of the conditions, and monitor compliance by its employees.
Click here to read clause 8 - Accountability.
Footnote
*The Bill has been adopted by the Portfolio Committee on Justice and Constitutional Development and by the National Assembly (NA). This Snapshot has been drafted using the latest version of the Bill as passed by the NA.
The Bill will now be referred to the National Council of Provinces for consideration and thereafter signed into law. It is anticipated that this process could take anything from one to six months. The Bill provides for a one year grace period before POPI's provisions become effective.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.