The long-anticipated Protection of Personal Information Act, commonly known as PoPI, seems to finally be in the home stretch. Initiated in 2009, the bill was approved by all parties during its second reading at the National Assembly on 11 September 2012.
The next step is the National Council of Provinces (NCOP) before enactment. Given that this process started over 3 years ago, predicting a date for enactment is dangerous; however, it is expected to occur before the end of 2012.
So where does PoPI come from and why do we have it? More importantly, what does it mean to me as a legal practice, and what will happen if I don’t comply?
PoPI has its roots in the Constitution of South Africa. The Bill of Rights states that “Every person has the right to privacy”. Every person’s personal information forms part of this right to privacy including, but by no means limited to, information relating to their identity, personal preferences and medical information. Very real dangers exist when such information becomes available to the public, identity theft being the most common example. The objective of PoPI is to protect individuals from such situations.
The enactment of PoPI will finally put South Africa in line with legislation which already exists in the rest of the world. It will provide organisations with the necessary peace of mind that South African companies apply a similar level of rigour in their processes for collecting, processing and storing information.
So who will be impacted by PoPI? Chapter 2 of the law (in its current version), Application Provisions, states that the Protection of Personal Information applies to any “responsible party” working with “personal information”. A “responsible party” is either a public or private body working with personal information, while “personal information” refers to “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”. In short – the law applies to any organisation working with information that can identify a person or another organisation, including employees and suppliers. Therefore, ALL organisations.
Generating and providing information is the lifeblood of a law firm. On many occasions this information includes individuals’ personal information (particularly in the case of conveyance firms). The introduction of PoPI will require law firms to implement certain security and management practices, not only to comply with the law but also to demonstrate their compliance to business partners. Some organisations are already requiring such assurance, as in the case of ABSA Bank’s compliance requirements, which require panel firms to attest to the existence of certain information controls. While PoPI will almost certainly require changes to a business, the right approach can avoid the burden of multiple time-consuming processes and, instead, create a more secure and efficient environment. The ability to demonstrate this can in turn drive value in a firm’s dealings with its customers and business partners. The cost of not complying, on the other hand, can, according to the law, result in penalties of up to R10m and 10 years in jail.
Contributed by Keyphase Technologies.