Personal information privacy presents a growing challenge and the Act requires organisations to establish appropriate policies and procedures to protect the various forms of data that are part of their business operations.
If your company processes information such as names, addresses, e-mail addresses, ID numbers, employment history or health data that is associated with an individual; or if you outsource your data to third parties, your organisation will have to comply with POPI.
All organisations hold personal information about shareholders, employees, customers and suppliers, so POPI affects every area of your business.
POPI establishes 10 principles that must be adhered to by public and private organisations:
1. ACCOUNTABILITY: An organisation is responsible for personal information under its control but may designate individuals or companies, who have the expertise, to manage POPI compliance on their behalf.
2. IDENTIFYING PURPOSES: The purpose for which personal information is collected shall be identified by the organisation before or at the time the personal information is collected.
3. CONSENT: The knowledge and consent of the individual are required when using or disclosing personal information.
4. LIMITING COLLECTION: The collection of personal information must be limited to that which is necessary for the purpose identified and must be collected by fair and useful means.
5. LIMITING USE, DISCLOSURE AND RETENTION: Personal information must not be used or disclosed for any purpose other than those for which it was collected, unless with the individual's consent. This information must also be deleted once it has served its purpose.
6. ACCURACY: Personal information must be accurate, complete and up to date.
7. SECURITY SAFEGUARDS: The integrity of personal information must be protected by taking appropriate, reasonable technical and organisational measures.
8. OPENNESS: An organisation must make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. INDIVIDUAL ACCESS: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and must be given access to that information.
10. COMPLIANCE: Organisations must comply with the provisions of POPI and report to the Regulator appointed by the Act.