By: Peter Hendricks
Introduction
On 26 November 2013, the Protection of Personal Information Act No. 4 of 2013 (“POPI Act”) was passed into law. This Act applies to anyone who processes (which includes collecting, recording, organising and storing) personal information of another person (“Data Subject”). Section 2 deals with the objectives of the “POPI Act” and states that the Act was passed to:
Like any other juristic person that processes information, Non-Profit Organisations (“NPOs”) are also subject to its provisions. It is in fact fair to say that all “NPOs” process information of “Data Subjects” and are therefore what the Act calls “Responsible Persons”. This does not only relate to the processing of personal information of beneficiaries, such as would be done by non-profit schools, social housing organisations, hospitals, early childhood development centres, children’s homes and religious communities like churches. Personal information of volunteers, staff, donors and other stakeholders is also processed by “NPOs”.
Although the “POPI Act” had not yet commenced at the time of its promulgation, we at PSA Hendricks & Associates recognised the importance of its provisions to “NPOs”. We therefore made every effort to ensure that our NPO Governance and NPO Legal Compliance workshops, as well as our consultations with NPO leaders, included this very important topic. Given the severe legal consequences that flow from this Act, we believe it is important that each leader in the NPO sector is aware of it and explores its implementation in their “NPO” early on.
As the “POPI Act” and its Regulations are too vast to cover fully in this blog post, the objective of this article is, in brief, to:
The compliance time frame
Section 114 provides that the provisions of the “POPI Act” would only commence 1 year after the president passed proclamations to that effect. Given this, on 11 April 2014 President Jacob Zuma, in Notice R 25 of Government Gazette No. 37544, proclaimed the commencement of some of the Act’s provisions. These dealt with definitions, the establishment of the Information Regulator (“The Regulator”) and the procedure for the establishment of regulations. Following this, on 14 December 2018 the regulations were published in Government Gazette No. R 1383. Eventually, on 22 June 2020, President Cyril Ramaphosa proclaimed that nearly all of the provisions would commence. This was published as Proclamation No. 21 of 2020 in Government Gazette No. 43461 (“The Proclamation”).
This latter proclamation provides for two commencement dates.
The first is the date on which the provisions on obligations, duties and enforcement under the “POPI Act” commence. This date is 1 July 2020. The provisions listed in this proclamation that “NPOs” will have to comply with are:
As already stated, section 114(1) provides that “NPOs” are given a period of one year from this date to get their compliance house in order. In other words, come 30 June 2021, all “NPOs” that collect, process, store and share personal information of another must ensure that they are compliant with the provisions of the “POPI Act”. Failure to do so could hold dire consequences for “NPOs”, as will be discussed further below. According to subsection 114(2), this period could be extended by the Minister for an additional period not exceeding 3 years, provided he/she does so in consultation with the “Regulator” and he/she gives notice thereof in the Government Gazette.
The second date is set for 30 June 2021, when sections 110 and 114(4) will commence. Section 110 refers to a list of other legislation, set out in the Schedule to the Act, to which amendments caused by the “POPI Act” will take effect. In turn, section 114(4) refers to the finalisation of the function that the South African Human Rights Commission will play as provided for in sections 83 and 84 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”).
Compliance Provisions for Immediate Attention
We have already looked at, albeit in brief, the provisions pertaining to section 114(1) and (2) and these provisions will not be repeated here. In this part we list in table format the themes of the provisions that will commence on 1st July 2020.
Sections 3 to 38
| Section(s) | Compliance Focus Area |
|---|---|
| 3 | Application & Interpretation |
| 4 | Lawful processing of personal information |
| 5 | Rights of data subjects |
| 6 | Exclusions |
| 7 | Journalistic Exclusions |
| 8-38 | Conditions for lawful processing of information |
Sections 55 to 109
| Section(s) | Compliance Focus Area |
|---|---|
| 55 & 56 | Duties, Designation and Delegation of Information Officer(s) |
| 57-59* | Data that requires prior authorisation for processing |
| 60-68 | The Information Regulator’s powers and processes to issue Codes of Conduct from time to time and maintain a record in respect thereof |
| 69-71 | A person’s rights regarding direct marketing (Chapter 8) |
| 72 | Trans-border information flows |
| 73-99 | Regulator’s role and powers with regard to complaints relating to non-compliance and data breaches |
| 8-38 | Conditions for lawful processing of information |
| 100-109 | Offences, Penalties and Administrative Fines |
| 111 | Prescribed fees payable by the data subject |
*In terms of section 114(3), the provisions of section 58(2) do not commence until the Information Regulator determines otherwise.
To familiarise yourself with the full extent of the applicable provisions that will commence, please be sure to download complete copies of the “POPI Act” (https://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf) and Regulations (https://www.justice.gov.za/inforeg/docs/20181214-gg42110-rg10897-gon1383-POPIregister.pdf).
Offences, Penalties & Administrative fines
It is important to realise that the “POPI Act” is not without teeth. One can get into serious trouble for non-compliance with its provisions. Offences, Penalties and Administrative Fines are found in Chapter 11 of the Act, which covers Sections 100 to 109.
Offences
Although there are other offences, what follows is an extract of only those offences that could apply to non-compliant “NPOs” as a Responsible Person. It is an offence if the “NPO” (of course through its representatives):
According to section 105(4), it would be a valid defence (to charges brought against an “NPO” as per item 5 above) if that “NPO” can show that it has taken all reasonable steps to comply with the provisions of section 8. It goes without saying that an “NPO” that puts in the time to bring itself into compliance with the “POPI Act” would have no difficulty demonstrating that it has taken such reasonable steps.
Penalties
The “POPI Act” gives the magistrates’ courts the jurisdiction to penalise anyone found guilty of the abovementioned offences. In this regard, the magistrates’ court could sentence an “NPO” (the CEO and/or member(s) of the governing body) as follows:
Administrative fines
Section 109(1) provides that the “Regulator” may deliver an Infringement Notice to an “NPO” in the case of an alleged offence under the Act. This notice must contain:
The said notice must also inform the “NPO” that failure to comply with the notice within the specified period will result in the “Regulator” filing with the clerk/registrar of a competent court a statement certified as correct, reflecting the administrative fine payable. That statement will then have all the effects of a civil judgement lawfully given in that court. However, when an “NPO” has been charged with an offence, the “Regulator” may not impose that administrative fine. [See Section 109(6)]
Such an administrative fine must be paid into the National Revenue Fund. [See section 109(9)]. Such payment does not constitute a previous conviction. [See section 109(8)]. Once paid, the NPO may not be prosecuted for that alleged offence [See Section 109(7)].
Conclusion
Hopefully the section on offences, penalties and administrative fines alone has driven the message home to “NPOs” that this is a serious piece of legislation with regard to legal compliance. These offences and penalties hold devastating consequences for “NPOs”.
Fortunately, “NPOs” have until 30 June 2021 to bring their personal information processing within the boundaries of the “POPI Act”. The writer suggests that NPO leaders deal with the risks posed sooner rather than later. They can do so by:
We believe that doing these things, whether in-house or with assistance from an external service provider, will go a long way towards ensuring NPO Governance excellence.
Peter SA Hendricks is an Attorney and he writes in his personal capacity.