Implications of the PoPI Act for the higher education sector


Protection of Personal Information (POPI) Act No. 4 of 2013

POPI IS LAW – ACT NOW! What should you be asking?

Protection of Personal Information (POPI) Act No. 4 of 2013. Gazetted in late 2013, with partial commencement in April 2014. Now is the time to get things moving in terms of compliance with the Act. Once the Act is made effective, companies will be given a year's grace period to comply with the Act, unless this grace period is extended as allowed by the Act.

The President has signed a proclamation declaring some parts of the Protection of Personal Information Act No 4 of 2013 effective from 11 April 2014. The sections that became effective deal with the appointment of the Information Regulator. The National Assembly approved the appointment of members to the Information Regulator on 7 September 2016. The Regulator will be responsible for education, monitoring and enforcing compliance, handling complaints, performing research and facilitating cross-border cooperation. Adv Pansy Tlakula was appointed as the Information Regulator with effect from 1 December 2016. Adv Lebogang Stroom and Johannes Weapond were appointed as full-time members, and Prof Tana Pistorius and Sizwe Snail were appointed as part-time members. They will serve a term of office of five years.

Protection of Personal Information Act, No 4 of 2013

The Protection of Personal Information Act was signed into law in November 2013, after being introduced in the National Assembly during 2009. The Act aims to promote the protection of personal information by private and public bodies and provide for minimum conditions that should be followed in the lawful processing of information. The Act also provides for the establishment of an Information Regulator.
The President signed a proclamation, gazetted on 11 April 2014, in which the effective date of certain sections of the Act was proclaimed as 11 April 2014. The following sections are in effect from 11 April 2014: section 1, which deals with the definitions in the Act; Part A of Chapter 5, which deals with the establishment of the Information Regulator, the powers, duties and functions of the Regulator, appointment and terms of office of members of the Regulator, appointment of staff and the chief executive officer; section 112, dealing with the fact that the Minister may make Regulations relating to the establishment of the Regulator and that the Regulator may make Regulations in terms of certain areas; and section 113, dealing with the procedures for making Regulations by the Minister and the Regulator.

This is just the first step of the implementation of the Protection of Personal Information Act. Once section 114 is enacted all processing of personal information must conform to the requirements in the Act within one year after that date.

Does the POPI Act apply to the University?

Now is the time to get things moving in terms of compliance with the Act.

Does the POPI Act apply to the University? Does the University have to register an Information Officer? The POPI Act is applicable to every business in South Africa that collects, uses, stores or destroys personal information of a data subject (see definition below), which is entered into a record by the business using automated and non-automated means. This Act requires every business to register an Information Officer with the Information Regulator. Prof Marlene Verhoef, Institutional Registrar, is appointed as the University's Information Officer.

What are the obligations for the University under POPI?

Some of the obligations are: only to collect information that you need for a specific purpose; apply reasonable security measures to protect it; ensure it is relevant and up to date; only hold as much as you need, and only for as long as you need it; and allow the data subject of the information to see it upon request.

Important definitions

Personal information is any piece of information that relates to a living, identifiable human being: anything that you can look at and say "this is about an identifiable person".

Personal information is extremely widely stated and is information relating to an identifiable, living natural person or juristic person and includes, but is not limited to:

Contact details: email, telephone, address, etc.
Demographic information: age, sex, race, birth date, ethnicity, etc.
History: employment, financial, educational, criminal, medical history.
Biometric information: blood type, etc.
Opinions of and about the person.
Private correspondence, etc.

What is a data subject? A data subject is the person to whom the personal information relates.

Processing and the principles

All activities concerning personal information = processing.

What is processing? Processing is very widely stated and includes a vast number of activities, whether or not undertaken by automatic means, concerning personal information.

What are the information processing principles? The information processing principles which form the core of POPI are:

Accountability: the University must ensure that the information processing principles are complied with.

Processing limitation: processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.

Purpose specification: personal information must be collected for a specific, explicitly defined and lawful purpose relating to a function or activity of the University.

Further processing limitation: this is where personal information is received from a third party and passed on to the responsible party for processing.

Openness: certain prescribed information must be provided to the data subject by the University, including what information is being collected, the name and address of the responsible party, the purpose for which the information is collected and whether or not the supply of the information by the data subject is voluntary or mandatory.

Security safeguards: the University must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.

Data subject participation: a data subject has the right to request the University, free of charge, to: 1. confirm whether or not the University holds personal information about the data subject, and provide the record or a description of the personal information held; 2. correct or delete personal information that is inaccurate, irrelevant, excessive, misleading or obtained unlawfully; and 3. destroy or delete a record of personal information that the University is no longer authorised to retain.

Two last remarks & practical guide

Do I need to provide an opt in or opt out for direct marketing? Yes. The University should make use of both opt in and opt out options to make sure that the data subject understands and knows what he or she is consenting and objecting to.

So where is the "stick and carrot" for POPI? The University has twelve months to become fully compliant or face the prospect of some potentially stiff penalties (including fines of up to R10 million) or worse, reputational damage and loss of customers. That's the "stick" part of the deal. (CONFIRM WITH WERNER) The "carrot" aspect is the opportunity to boost confidence in the University by demonstrating the way sensitive personal data is managed. This means showing that the University has processes and procedures in place to handle effectively and securely all aspects of what's covered in the POPI Act.

How we do it at the NWU

Want to share with the conference attendees the kind of requests you receive and how you go about dealing with them; if possible, the number of requests you get in a month; and lastly, as an add-on, how you go about updating the alumni database and the number we have on the system. And some of the challenges that we come across from the requests we receive.

Example application form on the NWU web: http://nwupaia.snforms.co.za/forms/e9ec9db6-8a10-40aa-a21e-bdfaaae01ec4-0006.aspx or www.nwu.ac.za