Share this article

​​Protection of Personal Information Act​

POPIA or POPI was promulgated on 26 November 2013. The Protection of Personal Information Act (POPIA) is intended to promote the right to privacy in the Constitution, while at the same time protecting the flow of information and advancing the right of access to and protection of information.

POPIA establishes the rights and duties that are designed to safeguard personal data. In terms of POPIA, the legitimate needs of organisations to collect and use personal data for business and other purposes are balanced against the right of individuals to have their right of privacy, in the form of their personal details, respected.

POPIA applies to a particular activity, i.e., the processing of personal data, rather than a particular person or organisation. Therefore, if you process personal data then you must comply with POPIA and you must handle personal data in accordance with POPIA’s data protection principles.

Therefore, if you collect or hold information about an identifiable individual or if you use, disclose, retain, or destroy that information, you are likely to be processing personal data. The scope of POPIA is very wide and it applies to almost everything you might do with an individual’s personal details including details of your employees.

POPIA Framework

Essentially, POPIA:

sets out the rules and practices which must be followed when processing information about individuals and juristic persons;
grants rights to individuals in respect of their information;
and creates an independent regulator to enforce these rules, rights, and practices.

It should be noted that POPIA applies to:

information that is processed automatically;
information recorded on paper;
and health records and certain public authority records.