PoPI or PPI is the Protection of Personal Information Act, an act approved by government at the end of 2013. The purpose of this act is to ensure that all South African institutions collect, process, save and share the personal information of entities in a responsible way.
The act deems institutions responsible if any personal information is abused or compromised. This is to your advantage as individual and owner of your personal information and gives you certain rights to be protected and also control of how your information can be used.
But what, according to PoPI, is personal information (PI)?
This is information pertaining to a living, natural person and where applicable an existing juristic person and includes the following:
Race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
Education, medical, financial, criminal or employment history;
Biometric information of the person; personal opinions, views or preferences; ID number, student number, e-mail address, physical address, telephone number;
Private or confidential correspondence. PI such as biometric information, medical status, religion, among others, are considered as Special PI (as described in section 26 of the act). Special PI is subject to stricter security measures.
8 informormation protection principles exist in PI according to PoPI. These principles can be illustrated by looking at a few examples within the university context:
PRINCIPLE | DESCRIPTION | EXAMPLE |
Accountability | The organisation must ensure that the principles and measures in the Act are complied with. | SU establishes accountability and responsibilities, roles and organisation, policies and procedure to adhere to PoPI’s regulations. |
Processing limitation | PI may only be processed in a fair and lawful manner with the consent of individuals. | US may only, for example, process the necessary PI of a prospective student, student and alumni, with the person’s permission. |
Purpose specification | PI may only be processed for specific, explicitly defined and legitimate reasons. | Each PI item in an application form should have a specific and legitimate reason to be processed for the purposes of prospective study. “Religious belief” would therefore be questioned. |
Further processing limitation | PI may not be processed for a seconday purpose unless that processing is compatible with the original purpose. | PI forming part of research data, processed for a specific research project, may not be used for another research project. |
Information quality | The organisation must ensure that PI is accurate, reliable and up=to-date. | The responsibility lies with SU to ensure all PI regarding alumni, students, prospective students, scholars, etc. is accurate and up to date. |
Openness | The Regulator and the data subject to be aware that PI is being collected by the organisation. | Potential prospective students have the right to be informed about SU’s intention to process their PI and for which reason. |
Security safeguards | PI must be kept secure against the risks of loss, unauthorised access, interference, modification, destruction or disclosure. | The IT Division ensures that all policies, tools and control measures are in place and supplied to users to prevent leakage or unauthorised access to PI. |
Data subject participation. | Data subjects may request the correction/deletion of any PI held about them that may be inaccurate or misleading. | This implies that alumni have the right to know what PI SU has of them and request that errors be corrected or that the item(s) be removed. |
It is expected that PoPI will be fully promulgated early in 2015 and the University will be given granted 12 months to comply.
The project to comply to PoPI was launched at SU during 2013. Over a period of a year a multi-disciplinary project team, under leadership of mr Ralph Pina, Director: IT (Development) and Mobius Consulting, conducted a gap analysis and developed a road map. This phase has just been completed and the report was submitted last week. The remedial phase will be executed during this coming year.