Protection of Personal Information (POPI) isn't new in South Africa.  The Protection of Personal Information Bill was around in 2009, which meant that the discussion had been going on for years before that.  We became used to talking about POPI, and the Information Regulator is now prefering to use the term POPIA, or POPI Act. 

Is there a difference?

What is POPI?

POPI stands for Protection of Personal Information.  Regardless of whether there is a law or not, organisations should be considering what Personal Information they capture, manage and store, and how best to secure this.  It make common, logical sense that this information is sensitive, and shouldn't be exposed.  One of the principles that we all should consider is "privacy by design".  This means that we should consider privacy implications in all our processes and systems, and build security and privacy concepts into the day-to-day operation of our organisations. POPI is all about Privacy, and this means security.  In order to secure information, organisations need to clearly understand what information is gathered and kept.  This is going to require a detailed investigation and shouldn't be seen as a trivial exercise.  Once understood, steps need to be taken to protect the information.

What is POPIA?

POPIA stands for the Protection of Personal Information Act, Act No. 4 of 2013 or POPI Act.  This is the new law and is something that most (if not all organisations) will need to follow.  Is there a difference between POPI and POPIA?  Yes and no.  POPI is the act of protecting Personal Information.  This implies that all the policies, procedures, processes and practices in the organisation relating to personal information, are in fact doing POPI.  You cannot "do" POPIA, as this is merely the name of the law. In summary, in order to comply with POPIA, you need to implement a POPI programme.  In order to implement, there are a number of steps which need to be followed and a number of documents and instruments which need to be developed.   We'll be documenting these as things progress.  Join our mailing list to  keep up to date with latest POPIA developments.

The draft regulations to the Protection of Personal Infomation Act (POPIA) have been published for public comment.  Deadline for comments is 07 Nov 2017.  Links to the Government Gazette notification with the draft regulations are below:

GG 41105, GoN 709, 08 Sep 2017 - Protection of Personal Information Act, 2013 (Act. 4 of 2013): Invitation to comment on Draft Regulations relating to the Protection of Personal Information

Much of the Personal Information that is kept will be in the form of data in databases or systems, and the rest will be in form of documents or records.  Managing these correctly is imperative under POPIA.  This article will build on the records management elements that will need to be implemented in order to fully comply with the Protection of Personal Information Act.

Sections 100 – 106 of the POPI Act deal with instances where parties would find themselves “guilty of an offense”. The most relevant of these are:

  • Any person who hinders, obstructs or unlawfully influences the Regulator;
  • A responsible party which fails to comply with an enforcement notice;
  • Offences by witnesses, for example, lying under oath or failing to attend hearings;
  • Unlawful Acts by responsible party in connection with account numbers;
  • Unlawful Acts by third parties in connection with account number.

Section 107 of the Act details which penalties apply to respective offenses.

If someone is alleged to be in breach of the POPI Act, a complaint may be submitted to the Information Regulator.

This complaint will be dealt with by an adjudicator.If a person is not happy with the determination of the adjudicator, they can still approach the Information Regulator for another ruling.

Disputes and breaches are covered in great detail in the Act and the Act should be consulted before drawing up Policies and Procedures to handle such matters.

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013

The Act controls the transfer of personal information from South Africa to foreign countries and prohibits this unless: (section 71)

  • the person receiving the information is subject to similar laws;
  • the subject has agreed to the transfer of information;
  • such transfer is part of the performance of a contract which the subject is a party; or
  • transfer is for the benefit of the subject and it is not reasonably practicable to obtain their consent and that such consent would be likely to be given. (section 72)

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013


Page 1 of 3