The road until now
After the Bill was first introduced, almost a decade ago, it is nearing finality at last.
Before it can become a law, a bill must be passed by both Houses of Parliament (the National Assembly and the National Council of Provinces). Once a bill has been introduced, a bill is referred to the relevant committee, where it is debated in detail and, if necessary, amended. If there is a lot of public interest in a bill (as with POPI), the committee may organise public hearings.
Once the committee has finalised its deliberations on a bill, it reports to the corresponding House that then decides to adopt it or refer it back to the committee. Once both Houses have approved and adopted a bill, it will be signed into law.
After much deliberations by the Portfolio Committee on Justice and Constitutional Development during August and September 2012 the National Assembly approved the latest draft of POPI.
What is next for POPI?
The next step is that POPI will be tabled in the National Counsel of Provinces for deliberations.
If POPI is passed by both the National Assembly and the National Counsel of Provinces, it will be sent to the President to sign it into law and we will finally see POPI become a legally enforceable act.
This means that companies will have one year (from the date of commencement) to ensure that they put the right measures in place to avoid penalties and possible imprisonment for contravening POPI.
The Top 5 Things you need to know about POPI
1. ALL BUSINESSES THAT COLLECT PERSONAL INFORMATION MUST NOW COMPLY WITH new data privacy requirements
Explained broadly, information may only be received and processed if:
• Consent has been obtained
• The information is required in order to conclude the transaction in question
• The Information processed is adequate, relevant and not excessive
• The information was collected for a specific, explicitly defined and lawful purpose
• Steps were taken to make the individual aware of the purpose of the collection
• Records of personal information are not retained any longer than necessary
• Measures are taken to secure the integrity and confidentiality of personal information, and to prevent loss, damage or unlawful access or destruction.
2. It establishes an independent Information Regulator
The Regulator is to be a fully independent body, accountable only to Parliament, and will be empowered to receive and investigate complaints of non-compliance relating to both POPI and the Promotion of Access to Information Act of 2002.
3. The Regulator may issue codes of conduct
This is good news for business sectors dealing with complex or large amounts of personal data that may find it difficult to comply with the provisions of the Act. The Regulator may be approached to issue codes of conduct containing regulations tailored to specific industries.
Codes of conduct may apply to: a class of information; specified activities; a specific industry or profession.
4. It restricts unsolicited electronic communications
Processing of personal information for the purpose of direct marketing by electronic communication, including automated calling, fax, SMSs or e-mail is prohibited, unless the individual’s consent has been received or the recipient is a customer. Companies will be allowed
to approach individuals only once to obtain their permission for further communication.
5. It regulates international transfers of personal information
Information may only be transferred to a foreign country if the receiving country has equivalent data protection laws; consent has been received from the person whose data is being transmitted; and the transfer is necessary for the performance of a contract.
Source: Parliamentary NewsWatch by BUSA