POPI is based on Eight Conditions for Lawful Processing of Personal Information. Each time a Responsible Party processes Personal Information, it must comply with all these conditions. Under each condition, POPI contains key requirements relating to the processing of Personal Information.
The Act outlines conditions in far greater detail, but a simplified summary of these conditions is as follows:
The Responsible Party must ensure that all seven conditions are upheld throughout the entire lifecycle of the data. This includes ensuring that Operators processing the data on its behalf handle it with the same due care.
Personal Information must be processed in a manner that is adequate, relevant and not excessive for the purposes for which it is being processed. Only the minimum amount of Personal Information required for that purpose may be collected, and the processing must be in accordance with the reason for which it was collected. The Responsible Party must have one of the Six Legal Grounds for processing this Personal Information.
Information may only be collected for a specific, explicitly defined and lawful purpose relating to the Responsible Party’s function or activity. Information may be retained only for as long as necessary to achieve the purpose for which it was collected or processed (although there are exceptions to this rule).
The further processing of Personal Information must be in accordance with the purpose for which it was originally collected.
A Responsible Party must take reasonably practicable steps to ensure that Personal Information is complete, accurate, not misleading and kept up to date.
A Responsible Party must document its information processing operations, as required by POPI’s provisions. It must also ensure that Data Subjects are notified when their Personal Information is processed. In view of this condition, many organisations are compiling privacy policies that explain how they handle Personal Information.
Responsible Parties must ensure that Personal Information is kept confidential and that the information’s integrity is maintained. Responsible Parties must also take appropriate measures to prevent loss of, damage to or destruction of Personal Information and to guard against unlawful access to or processing of it. If a data breach occurs, the Responsible Party will also have to comply with POPI’s breach-notification requirements.
A Responsible Party must ensure that a Data Subject is able to confirm whether the Responsible Party holds any Personal Information about the Data Subject (at no extra cost). A Data Subject must also be allowed to correct their Personal Information and request that the Responsible Party destroy or delete it.
Lightstone has sought formal legal opinion in all matters relating to the POPI Act and we continue to refer to legal counsel while we implement our POPI compliance changes.