Retention periods
When retaining records of personal information of its data subjects, the first point of call for the Responsible Party is to ensure that the records are not retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed
However, the records may be retained for longer, but only where:
- The retention is required or authorised by law.
- The Responsible Party reasonably requires the record for lawful purposes related to its functions or activities.
- The retention is required by a contract between the parties.
- The data subject or a competent person (where the data subject is a minor child), has consented to the retention of the record for a longer period.
- For historical, statistical or research purposes if the Responsible Party has established appropriate safeguards against the records being used for any other purposes.
The Regulations
The POPIA Regulations are final and commence on 1 July 2021 with the exception of:
- Regulation 4 (Responsibilities of Information officers) which will be effective on 1 May 2021.
- Regulation 5 (Application for issuing code of conduct) which was effective on 1 March 2021.
The Regulations are largely administrative in nature and deal with:
- How a data subject can object to the processing of their personal information.
- How a data subject can request the correction or deletion of information.
- The responsibilities of an Information Officer. Regulation 4 sets out more of the duties and responsibilities of the Information Officer.
- How to apply for the regulator to issue a code of conduct.
- How to request marketing consent. Form 4 of the Regulations sets out how to get consent for the direct marketing (by electronic communications) of a data subject.
- How to submit a complaint to the Information Regulator.
- How the Information Regulator will act as a conciliator in investigations.
- What the Information Regulator must do before it investigates you.
- How the Information Regulator will try to settle complaints.
- How the Information Regulator will conduct assessments.
- How the Information Regulator will notify people during investigations.
There are two parties who have the power to make Regulations. The Information Regulator is one and the other is the Minister of Justice and Constitutional Development. The Minister has limited power to make Regulations (under section 112(1). These powers are limited to the establishment of the Information Regulator and the determination of the fees that data subjects must pay to a Responsible Party for accessing the personal information it processes and to the Information Regulator when lodging a complaint with it.
Enforcement and Remedies
The process of lodging a complaint with the Information Regulator is set out in Chapter 10 of the Act and may be summarised as follows:
Investigation by IR
- Issue of Warrants.
- Requirements for issuing an Warrant.
- Execution of Warrants.
- Matters exempt from Search and Seizure.
- Communication between legal adviser and client are exempt.
Complaints
- Action on receipt of complaint.
- IR may decide to take no action.
- Or referral to Regulatory Body.
- Pre-investigation proceedings of IR.
- Settlement of Complaints.
Objections to search and seizure
- Return of Warrants.
- Assessment.
- Information Notice.
- Parties informed of result of assessment.
- Matters referred to Enforcement Committee.
Functions of Enforcement Committee
- Parties to be informed during and result of investigation.
- Enforcement Notice.
- Cancellation of Enforcement Notice.
- Right of Appeal.
- Consideration of Appeal.
- Civil remedies.
Offences, Penalties and administrative fines
Chapter 11 lists the offences under POPIA as follows:
- Obstruction of the Information Regulator.
- Breach of confidentiality (Section 54).*
- Obstruction of the Execution of a Warrant.
- Failure to comply with an Enforcement or Information Notice.
- Offences by Witnesses.**
- Unlawful acts by Responsible Party in connection with account number.
- Unlawful acts by third parties in connection with account number.
*Breach of confidentiality (breach of Section 54 – where a person acting on behalf of or under the direction of the Information Regular must keep all personal information that he or she is privy to during the course of his or her duties, as confidential).
**Offences by witnesses (e.g. failure to attend and give evidence when summoned to do so).
Penalties: Any person convicted of an offence in terms of this Act (as listed above), will be liable to penalties which range from R1 million and/or 1year imprisonment to R10 million and/or 10 year’s imprisonment – depending on the severity of the offence.
Administrative fines of up to R10 million may be imposed by the Information Regulator on the Responsible Party – as set out in an infringement notice.
A Responsible Party may also be subject to civil claims for damages brought by data subjects as well as reputational damage.
POPIA, a few important points to remember
In summary, we recommend that a Responsible Party (RP) take cognisance of the following important points:
- The RP has to ensure compliance with the Act and must ensure that an Information Officer is appointed.
- Personal information must be collected directly from the data subject (some exceptions apply here).
- Personal information may only be processed if it is fair and lawful to do so, and with the data subject’s consent.
- The RP should also:
- Keep a record of what information is being held, its purpose, and on which date it must be destroyed. This can be called a “Records Retention Register”, and
- State the reason for collecting information and only use that information for that specific purpose – after that, the information must be destroyed.
- The process to destroy personal information must prevent its reconstruction.
- The RP should not process personal information for a secondary purpose unless it is compatible with the original purpose. If the RP wishes to use the personal information for a secondary purpose, they will need to obtain the consent from the data subject again.
- The RP must ensure that at all times, the personal information collected is complete, accurate, not misleading and updated where necessary.
- The RP must check to see if its activities fall into the ambit of “direct marketing”. It is widely defined in the Act to include “any approach” to a data subject, “for the direct or indirect purpose of…promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject.” A RP can, as a general rule, market to existing customers in respect of similar products or services (there are limits and recipients must be able to “opt-out” at any stage), potential new customers can only be marketed with their consent, i.e. on an “opt-in” basis.
- The RP must keep personal information secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure, and must:
- Process information in a transparent manner and have a Privacy Policy, which is available for perusal and which sets out its data processing procedure;
- Train its staff on POPIA, the new procedures, and the implementation thereof;
- Review its agreements, letters of engagement (where applicable), contracts, and employment contracts, and amend these in order to align them with POPIA.
- Where there is a data breach, the RP and the Operator must provide notification thereof. The RP must formulate a ‘Breach Plan’ and ‘Breach Incident Management Process’;
- Allow data subjects to access their personal information and to request that it be corrected or deleted. Data subjects may also decline to share their information.