THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 (“POPI/the Act”)
PROMOTION OF ACCESS TO INFORMATION ACT (PAIA).
The Act was promulgated to protect everyone’s right to privacy contained under section 14 of the Constitution, including the right against the unlawful collection, retention, dissemination and use of personal information. The Act goes on to highlight the duty of the State to respect, protect, promote and fulfil the rights in the Bill of Rights.
POPI or POPIA sets out acceptable behavior in relation to the processing of personal information, which is defined as among, as information relating to an identifiable, living, natural person’s race gender, pregnancy, sexual orientation to mention a few, it also includes any identifying number, symbol, email address, physical address, telephone number. Correspondence sent by a person or even views and opinions of that person are included in the definition of personal information.
What many may not be aware of is that the Act also provides protection to juristic persons, such as companies, close corporations, trusts etc., which means medical practices as juristic persons are protected.
This definition is so wide and far reaching that, it is advisable to all processing Personal Information to err on the side of caution and ensure that there is compliance prior to the processing of any information of third parties.
It is also quite critical that we understand the meaning of the word “processing” in the context of the Act. Any operations concerning personal information, such as the collection and storage or personal information is regarded as processing. Even the destruction of Personal Information is processing.
Similar to the definition of Personal Information, processing is also wide enough to include all manner of handling of Personal Information. For example, merely receiving Personal Information is regarded as processing. You may have erroneously received the information, as it often happens in this day and age, yet, that in itself is processing of Personal Information. Erasing, removal or destruction of Personal information is regarded as processing.
Public Domain v Public record
For Personal Information to be lawfully processed it must, among others things, be collected directly from the Data Subject, unless it is derived from the public record or was deliberately made public by the Data Subject. There are a lot of misconceptions with regards to this provision. It is also widely misunderstood that public record in terms of the Act means public domain. The Act defines Public Record and Public Body.
Public record on one hand is a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body and public body refers to any state department or administration in the government sphere. Even then, there are still restrictions on these bodies in processing Personal Information. Only upon certain conditions can the Personal Information be processed by the state.
Another misconception is, that because the information is in the public domain, it does not deserve the protection of the Act, however, in terms of the Act, all Personal Information can only be lawfully processed with the consent of the Data Subject. There are certain exceptions provided by the Act. Further, the definition of Personal Information does not distinguish between data that is publicly available and data that is not in the public domain. It does not matter where the information is derived or sourced. Whether it is in the public domain or not, it still falls under the definition of Personal Information and therefore under the protection by the Act.
The only way that the Act envisages that processing of Personal Information can be lawful, is if certain conditions are met, which include processing lawfully and without infringing the privacy of the Data Subject and only collecting information sufficient for the specified purposes and upon consent by the Data Subject.
In a nutshell, there must be consent unless certain conditions are met. The information must not be in excess of what is required for a specific legitimate purpose and the processing must not be in contravention of the Act or the Data Subject’s right to privacy. The onus will rest on the responsible party to prove that the above conditions were met prior to processing of Personal Information.
POPI and PAIA in the Optometry Practice: What one must do?
The operation of a healthcare practice is similar to that of operating a small business, in that, there are customers, employees, suppliers and service providers, all of whose Personal Information is processed by the practice regularly. The processing in this case may also include the sharing of information with related parties such as franchisors etc.
In order to comply with the Act, each practice must:
- Develop a framework (policy) as require by the Act, that is aligned with the provisions of the Act and train all responsible for collecting information on how to use the policy.
- As required by the Act, develop a PAIA Manual that complies with PAIA and POPI and train personnel on the document, which includes fees payable by people requesting information in terms of PAIA.
- Develop a consent form to be signed by all people, whose Personal Information is being processed, and the form must include, among other things, the duration of the retention of the information, the legitimate and specific purpose of the processing, the manner in which the information will be deleted/destructed and the rights of the Data Subject in relation to the data in term of the Act.
- Ensure that all agreements with third parties, including employees, contain the abovementioned consent and that third parties with whom Personal Information may be shared, comply with POPI and indemnify the practice for any loss they may suffer should they breach their compliance with the Act.
PAIA AND POPI
The Information Regulator, Adv. Tlakula was appointed in December 2016 and subsequently the appointment of permanent and part-time members of her office. The Information Regulator is now responsible for both POPI and Promotion of Access to Information Act (PAIA). Meaning that she will be taking over some of the related functions of the Human Rights Commission. Data Subjects may complain to the Regulator, who has powers to investigate transgressions and impose fines in terms of section 107.
The Regulator may also choose to pursue criminal prosecution, the result of which are fines of up to R10 million, but also prison terms of up to 12 months. In the event that an individual or organisation wilfully obstructs an investigation (and similar transgressions), prison terms can be up to 10 years.