ARTICLE 2: Conditions 1 and 2 of the Protection of Personal Information Act (POPI)
As part of our series of articles discussing POPI, in this article we provide insight into the requirements set out in Conditions 1 and 2.
Condition 1: Accountability
Responsible party to ensure conditions for lawful processing
Insight: Organisations that process personal information will be held accountable for complying with the conditions of POPI and will need to take the necessary steps to ensure compliance. A good starting point for taking accountability is to assess the current level of compliance, after which a privacy compliance roadmap can be developed to set out the necessary steps to comply with the conditions of POPI.
Condition 2: Purpose Specification
Lawfulness of processing
- Meeting all POPI conditions.
- Processing of special personal information is prohibited unless the specific POPI exemptions are applicable.
- Processing of a child’s personal information is prohibited unless the specific POPI exemptions are applicable.
- Processing must be in line with sector codes of conduct, where these are developed.
Insight: Personal information should only be processed if an organisation has a specific and relevant business purpose for it, i.e. as little personal information as possible should be collected and processed.
Consent, justification and objection
Insight: Personal information may be processed in order to execute the contract entered into between the data subject and the organisation. A data subject must be notified of the purpose(s) for collecting their personal information and must provide explicit consent for such processing. Further, data subjects must be able to object to the processing of their personal information for other purposes such as direct marketing. Organisations must have a mechanism to stop processing a data subject’s personal information (across the entire life cycle) based on a legitimate objection. Specific opt-in consent is required for the processing of a child’s information.
Collection directly from data subject
Insight: Responsible parties should collect personal information directly from data subjects. There are, however, certain exceptions in which personal information does not have to be collected directly, including:
- Where information is gathered from public sources (i.e. made public, e.g. on Google, or published by the data subject).
- Where a child’s personal information is collected, a competent person has consented.
- Where collection from another source is necessary, e.g. where the law requires the information to be collected, for tax purposes, for matters of national security, or to maintain the legitimate interest of the organisation or of a third party to whom the information is supplied.
Information Processing Lifecycle
NOTE: The insight in this article is not aimed at providing legal advice. Further, the content of this article may be subject to change based on amendments to the Protection of Personal Information Act, No. 4 of 2013, and the requirements of related industry legislation and codes of conduct.
To view article 1 please visit the following link: