Liddles Attorneys Inc

Are you PAIA and POPI compliant?

23/6/2021

 
Among the most recent developments in our law are two central pieces of legislation that are actively changing how individuals access and protect their personal information, namely the Promotion of Access to Information Act 2 of 2000 (“PAIA” hereinafter) and the Protection of Personal Information Act 4 of 2013 (“POPIA” hereinafter). As a result, it has become essential that every person who carries on a business, profession or trade, whether as a sole proprietor, partnership, trust, company or otherwise, familiarises themselves with and understands the legal responsibilities and obligations placed on them in terms of this legislative framework.
 
We at Liddle and Associates Inc. would like to assist you by setting out a concise framework of the legal responsibilities and obligations imposed by PAIA and POPI on all public and private bodies that process the personal information of the individuals or corporate entities they work with in order to provide their services and carry out their business effectively. We regard the protection of personal information as integral to maintaining confidence between any business and its clients, employees, agents, designees and appointees. In the spirit of Ubuntu we aim to assist our fellow individuals and corporate entities to ensure that they are PAIA and POPI compliant, so that we may all evolve together and grow with dignity and compassion.
 
The guidelines provided below must be read in conjunction with PAIA and POPI and should not be regarded as more than a summary.
 
POPI compliance considerations:

  • All public and private bodies must draft a Data Protection and Information Sharing Policy that sets out how information is collected, retained, disseminated and processed by them. This information can also be incorporated in the terms and conditions of the public or private body.
  • The policy and/or updated terms and conditions must then be made available to the public at their principal place of business and on their website (if available) by no later than the 30th of June 2021.
  • This policy and/or updated terms and conditions must contain policy information which sets out how individuals can request access to, amendment of or destruction of their information which is being stored, as well as an explanation of how information will be processed and which security measures will be implemented to ensure security standards. The policy must also contain certain definitions, processing conditions and rights that data subjects must be made aware of, which are available in the Guidance Note and in POPIA.
  • Valid consent should be obtained from all data subjects whose personal information is collected, retained, disseminated and processed by the public or private body.
  • An information officer must be appointed and identified in the policy document, which responsible party must maintain a record of all information processing operations and act as a compliance officer who ensures the policy is properly implemented in line with POPIA.
  • Non-compliance can result in a fine between R1 million and R10 million, or one to ten years' imprisonment. Compensation can also be claimed by data subjects who have suffered damage due to a data breach.
 
PAIA compliance considerations:

  • All public and private bodies must draft a Manual in terms of section 51 of PAIA that sets out how information can be accessed and make it available to the public at their principal place of business and on their website (if available) by no later than the 31st of December 2021.
  • This manual must contain the full contact information of the public or private body and certain information which is set out in PAIA and the Guide on how to use the Promotion of Access to Information Act.
  • A responsible party (usually an information officer) should also be appointed and identified in the manual, which responsible party must maintain a record of all information processing operations.
  • At present the South African Human Rights Commission has not imposed any legal sanction for non-compliance with PAIA, but fines can be issued for non-compliance. 

General compliance considerations:

  • An information officer should be appointed and registered with the Information Regulator. An electronic registration can be done at https://www.justice.gov.za/inforeg/portal.html
  • A personal information impact assessment should be conducted by the information officer to ensure that adequate measures and security standards exist that protect the processing of personal information.
  • Employees and service providers should be made aware of the implications of PAIA and POPI and sign a consent that confirms they have read and understood the Data Protection and Information Sharing Policy.
  • Your PAIA manual and POPI policy should be updated yearly to ensure that security standards are at all times sufficient and compliant.
 
We always encourage any questions or comments, so that we may grow together in a meaningful and informed way. Feel free to contact our Information Officer with any concerns or suggestions.
​
Information Officers’ Contact Details
 
ROBYN BRONWYN ZIMMERMANN
0871383275
[email protected]