What is PoPI or PPI?

PoPI or PPI is the Protection of Personal Information Act, an act approved by government at the end of 2013. The purpose of this act is to ensure that all South African institutions collect, process, save and share the personal information of entities in a responsible way.

The act holds institutions responsible if any personal information is abused or compromised. This is to your advantage as an individual and the owner of your personal information: it gives you certain rights to protection and control over how your information may be used.

But what, according to PoPI, is personal information (PI)?

This is information pertaining to a living, natural person and, where applicable, an existing juristic person. It includes the following:

Race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
Education, medical, financial, criminal or employment history;
Biometric information of the person; personal opinions, views or preferences; ID number, student number, e-mail address, physical address, telephone number;
Private or confidential correspondence.

PI such as biometric information, medical status and religion, among others, is considered Special PI (as described in section 26 of the act). Special PI is subject to stricter security measures.

In other words, if the information can identify the person, it is personal information.

According to PoPI, 8 information protection principles apply to PI. These principles can be illustrated by looking at a few examples within the university context:

| PRINCIPLE | DESCRIPTION | EXAMPLE |
|---|---|---|
| Accountability | The organisation must ensure that the principles and measures in the Act are complied with. | SU establishes accountability and responsibilities, roles and organisation, policies and procedures to adhere to PoPI's regulations. |
| Processing limitation | PI may only be processed in a fair and lawful manner with the consent of individuals. | SU may only, for example, process the necessary PI of a prospective student, student and alumnus, with the person's permission. |
| Purpose specification | PI may only be processed for specific, explicitly defined and legitimate reasons. | Each PI item in an application form should have a specific and legitimate reason to be processed for the purposes of prospective study. "Religious belief" would therefore be questioned. |
| Further processing limitation | PI may not be processed for a secondary purpose unless that processing is compatible with the original purpose. | PI forming part of research data, processed for a specific research project, may not be used for another research project. |
| Information quality | The organisation must ensure that PI is accurate, reliable and up to date. | The responsibility lies with SU to ensure all PI regarding alumni, students, prospective students, scholars, etc. is accurate and up to date. |
| Openness | The Regulator and the data subject must be aware that PI is being collected by the organisation. | Potential prospective students have the right to be informed about SU's intention to process their PI and for which reason. |
| Security safeguards | PI must be kept secure against the risks of loss, unauthorised access, interference, modification, destruction or disclosure. | The IT Division ensures that all policies, tools and control measures are in place and supplied to users to prevent leakage or unauthorised access to PI. |
| Data subject participation | Data subjects may request the correction/deletion of any PI held about them that may be inaccurate or misleading. | This implies that alumni have the right to know what PI SU has of them and request that errors be corrected or that the item(s) be removed. |

It is expected that PoPI will be fully promulgated early in 2015 and the University will be granted 12 months to comply.

The project to comply with PoPI was launched at SU during 2013. Over a period of a year a multi-disciplinary project team, under the leadership of Mr Ralph Pina, Director: IT (Development), and Mobius Consulting, conducted a gap analysis and developed a road map. This phase has just been completed and the report was submitted last week. The remedial phase will be executed during this coming year.
