The Protection of Personal Information Act (POPIA), signed into law in 2013, partially commenced on 11 April 2014 and fully in force from 1 July 2020, with a one-year grace period that ended on 30 June 2021, addresses a theme nicely elucidated by a must-watch documentary, The Great Hack. In essence, POPIA aims to protect what the film calls ‘the most valuable asset on Earth’: data. To be more specific, data in the form of personal information about flesh-and-blood people and, in some cases, organisations.
The Act sets out to safeguard natural and juristic persons’ personal information from misuse by organisations and by other people. It therefore warrants the attention of private individuals and of all kinds of entities, whether private or public. Similar legislation (the EU’s GDPR is the best-known example) now applies across much of the world, in response to personal information having gone online and, with that, out of its owner’s control and open to abuse.
The war in our living rooms
The right to privacy has long been constitutionally entrenched in the South African Bill of Rights, as a fundamental human right: ‘Everyone has the right to privacy, which includes the right not to have: […] (d) the privacy of their communications infringed’.
What no one could have foreseen, though, is just how far-reaching the consequences of the digitisation of our world would be, and how close to home they would reach. Details of one’s daily comings and goings can literally be accessed from Anchorage in Alaska to the plains of India. This, of course, has exposed us to the new scourge of cybercrime, an onslaught on online inhabitants that has escalated to the point where no inbox is safe anymore.
Cybercrime is real and devastating, and the list of offences keeps growing. Spoofing (forging the sender address or identity so that a message appears to come from someone you trust), malware (malicious software that steals data, damages systems or hands an attacker control of your computer), phishing (emails that fish for information such as passwords and credit card details) and its voice-based variant vishing, ransomware attacks (malware that encrypts your files and demands payment for the key to unlock them) and cyberextortion (demanding money under threat of an attack or of leaking stolen data) are only the tip of the iceberg.
Below the waterline lie numerous other online threats to society, in the form of child pornography and solicitation, drug and human trafficking, intellectual property theft and much more, all of them facilitated by access to people’s personal information. And that information is being harvested from wherever people sit, in their beds and on their living room couches, when they hit the key that takes them online.
What qualifies as ‘personal information’?
Personal information is any information relating to an identifiable, living, natural person and, where applicable, to an identifiable, existing, juristic person such as a company. In short, it is any information about an identifiable human being or, in certain instances, an identifiable business.
Examples of personal information include race; gender; sex; marital status; nationality; sexual orientation; age; physical or mental health; disability; religion; language; education; medical, financial, criminal and employment history; ID number and other identifying numbers; email address; physical address; telephone number; location information; online identifiers; blood type and other biometric information; personal opinions, views and preferences; private or confidential correspondence; the views or opinions of others about the person; and a person’s name where it appears together with other personal information about them.
The Act singles out certain categories as ‘special personal information’, which may only be processed under stricter conditions: religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behaviour. The personal information of children is likewise subject to extra protection.
How does POPIA affect organisations?
Any organisation holds at least some data on at least some people, even if only its employee database. Most hold data on scores more, such as customers and service providers. The onus is on organisations to equip themselves with the knowledge of how they are supposed to handle that data, and the Act expects them to take appropriate, reasonable technical and organisational measures to secure it; they cannot plead ignorance when a data breach occurs and their systems are at fault.
Should such a breach occur, the cost can be prohibitive: an investigative process; notification of the Information Regulator and of the affected data subjects, which the Act requires; post-breach remediation; possible penalties (the Regulator may impose administrative fines of up to R10 million); reputational damage; and more. Data breaches have even been followed by a drop in the affected company’s share price.
POPIA (and similar legislation worldwide) is relevant to all organisations, big or small, as well as to private individuals. It is everyone’s responsibility to find out what they should do, and not do, to comply with the Act. Our next blog will say more about this.