Tax and Legal Insights | 3 min read

What you should know about POPIA

We are all data subjects. From the moment you are born (maybe even before then), you have personal information (PI) that is processed by someone, somewhere. The Protection of Personal Information Act, 2013, commonly known as POPIA, is a piece of legislation designed to ensure that every South African citizen’s constitutional right to privacy is upheld through the protection of PI. Lize de la Harpe, legal adviser at Glacier by Sanlam, helps us understand some of the key provisions contained in POPIA and why we need to pay attention.

Conditions for lawful processing

As an intermediary, if you process any PI (for example, ID numbers, contact or bank details, wills etc.) or documents containing PI, of your employees, clients, or suppliers, you act in the capacity of a responsible party.

Processing refers to all of the activities that could relate to handling PI – including, but not limited to, collection, receipt, collation, storage, updating, retrieval, use, destruction and the alteration or distribution of a record which contains PI. POPIA requires the responsible party to process PI lawfully and in a manner that does not infringe on the privacy of data subjects. In order for processing to be “lawful” it must comply with the minimum requirements as set out in the act. There are eight conditions for lawful processing:

  1. Accountability – as a responsible party, you’re accountable for compliance with POPIA.
  2. Processing limitation – you may only process the minimum information needed to fulfill the purpose for which the PI was collected.
  3. Purpose specification – PI must be collected for a specific, explicitly defined and lawful purpose related to the responsible party’s function or activity.
  4. Further processing limitation - further processing of PI must be compatible with the original purpose of collection of the PI.
  5. Information quality – the PI must be complete, accurate, not misleading and up-to-date, having regard to the purpose for which the PI is collected or further processed.
  6. Openness – you have to be transparent about your reasons for obtaining PI and ensure that what you do with the information is in line with the reasonable expectations of the data subject.
  7. Security safeguards – you must secure the integrity and confidentiality of PI by taking appropriate, reasonable, technical and organisational measures to prevent loss, damage, unauthorised destruction of, and unlawful access to, or processing of PI.
  8. Data subject participation – the data subject has the right to request you to confirm what PI you hold and with whom you have shared it, as well as to request you to correct, update or delete their PI.

Retention of records

You may not retain records of PI for longer than is necessary for achieving your purpose for collecting the information, unless:

  1. retaining the record is lawful (for example, FAIS requires records to be kept for five years after termination); or
  • the responsible party needs the record for lawful purposes related to its functions or activities (*for example, where a product provider needs to keep personal information about a customer so that they can deal with possible complaints about the services or to defend possible future legal claims); or
  • retaining the record is required by a contract between the parties; or
  • the data subject (or a competent person where the data subject is a child) has consented to you retaining the record.

Additionally, you must establish appropriate safeguards against the PI being used for any other purpose.

Breach

PI has become a currency for cyber crooks. Hacking and cyber attempts to access PI have become commonplace and even seemingly secure systems have borne the brunt of this criminal activity. Therefore, it has become incumbent on all responsible parties to ensure that PI is handled with due care and integrity, and to employ every possible means to ensure that PI is adequately protected. 

Consequences of non-compliance

Non-compliance with POPIA can result in legal action, administrative fines and even jail time. In addition, the resultant reputational and brand damage couldn’t be quantified. And not to mention the trust relationship that would be broken between you and the data subject, your client.

POPIA implementation at Glacier

Our POPIA analysis is available here.

Glacier Financial Solutions (Pty) Ltd and Sanlam Life Insurance Ltd are licensed financial services providers.

Your Next Read

Investment Insights | 1 min read
New opportunity to invest in The Glacier Top Brands Return Enhancer
Investment Insights | 1 min read
Wealth Edge Endowment Plan now open for AIFA relationship advice advisers

We use cookies to give you the very best possible online experience. By continuing, you confirm that you’re on board with our privacy policy.

What Glacier Insights is…and isn’t

Glacier Insights provides investment professionals and financial intermediaries with information on the markets in general, Glacier products, and the services we offer. This website is not primarily for private individuals, but we are pretty sure that everyone interested in investing would find the content useful. If you are a private individual, please seek financial advice from a registered financial intermediary before you invest. A trained financial intermediary will help you determine which of our products are most appropriate for your needs. Glacier Insights is not designed to replace the job and expertise of a professional financial intermediary.

Content use and ownership

We love that you want to browse Glacier Insights, and please let us know if there is any more information that you would like us to provide. Also know that the intellectual property rights in the content are protected by local and international laws and agreements. So, our intellectual property may not be used in any way without our consent or the consent of any business that licensed us to use its intellectual property. This includes reproducing, changing, publishing, displaying, distributing, licensing or creating by-products of the content on this site, unless you receive our permission in writing. The website with all its content is owned by or licensed to Glacier by Sanlam, and includes text, graphics, icons, hyperlinks, private information and designs.

I have read the above and understand the purpose of the Glacier Insights website.

No, I do not agree

Receive the latest Glacier Insights delivered to your inbox


Please enabled javascript to view Glacier.