On 26 November 2013, the Protection of Personal Information Act No. 4 of 2013 (“POPI Act”) was passed into law. This act applies to anyone who processes (which includes collecting, recording, organising and storing) the personal information of another person (“Data Subject”). Section 2 deals with the objectives of the “POPI Act” and states that the act was passed to:
Give substance to a person’s constitutional right to privacy;
Set out a framework within which a person’s information may be lawfully processed;
Give persons rights and remedies against the unlawful processing of their information; and
Establish measures to promote, enforce, fulfill and ensure respect for the rights protected by POPI.
Like any other juristic person that processes information, Non-Profit Organisations (“NPOs”) are also subject to its provisions. It is in fact fair to say that all “NPOs” process information of “Data Subjects” and are therefore what the act calls “Responsible Persons”. This does not only relate to the processing of personal information of beneficiaries, such as would be done by Non-profit Schools, Social Housing organisations, Hospitals, Early Childhood Development Centres, Children’s homes and religious communities like churches, for example. Personal information of volunteers, staff, donors and other stakeholders is also processed by “NPOs”.
Although the “POPI Act” had not yet commenced at the time of its promulgation, we at PSA Hendricks & Associates recognized the importance of its provisions to “NPOs”. We therefore made every effort to ensure that our NPO Governance and NPO Legal Compliance workshops, as well as our consultations with NPO leaders, included this very important topic. Given the severe legal consequences that flow from this Act, we believe that it is important that each leader in the NPO sector is aware of it and explores its implementation in their “NPO” early on.
As the “POPI Act” and its Regulations are too vast to cover fully in this blogpost, the objective of this article is therefore in brief to:
Make NPO leaders aware of the commencement of the “POPI Act”;
Point out the provisions that will be implemented;
Highlight the period within which compliance ought to be achieved;
Stress the consequences of non-compliance; and
Make a copy of the Act accessible to the reader.
The compliance time frame
Section 114 provides that the provisions of the “POPI Act” would only commence 1 year after the president passed proclamations to that effect. Given this, on 11 April 2014 President Jacob Zuma, in Notice R 25 of Government Gazette No. 37544, proclaimed the commencement of some of the Act’s provisions. These dealt with definitions, the establishment of the Information Regulator (“The Regulator”) and the procedure for the establishment of regulations. Following this, on 14 December 2018 the regulations were published in Government Gazette No. R 1383. Eventually, on 22 June 2020 President Cyril Ramaphosa proclaimed that nearly all of the provisions would commence. This was published as Proclamation No. 21 of 2020 in Government Gazette No. 43461 (“The Proclamation”).
This latter proclamation provides for two commencement dates.
The first is the date on which the provisions on obligations, duties and enforcement under the “POPI Act” commence. This date is 1 July 2020. The provisions listed in this proclamation that “NPOs” will have to comply with are:
Sections 2 to 38
Sections 55 to 109
Section 111, and
Section 114(1), (2) and (3)
As already stated, Section 114(1) provides that “NPOs” are now given a period of one year from this date to get their compliance house in order. In other words, come 30 June 2021 all “NPOs” that collect, process, store and share personal information of another must ensure that they are compliant with the provisions of the “POPI Act”. Failure to do so could hold dire consequences for “NPOs”, as will be discussed further below. According to subsection 114(2), this period could be extended by the Minister for an additional period not exceeding 3 years, provided he/she does so in consultation with the “Regulator” and gives notice thereof in the Government Gazette.
The second date is 30 June 2021, when sections 110 and 114(4) will commence. Section 110 refers to a list of other legislation, set out in the Schedule to the Act, to which amendments caused by the “POPI Act” will take effect. In turn, section 114(4) refers to the finalisation of the function that the South African Human Rights Commission will play as provided for in sections 83 and 84 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”).
Compliance Provisions for Immediate Attention
We have already looked at, albeit in brief, the provisions pertaining to section 114(1) and (2) and these provisions will not be repeated here. In this part we list in table format the themes of the provisions that will commence on 1st July 2020.
Sections 3 to 38
Compliance Focus Area
Application & Interpretation
Lawful processing of personal information
Rights of Data subjects
Conditions for lawful processing of Information
Sections 55 to 109
Compliance Focus Area
Duties, Designation and Delegation of Information Officer(s)
Data that requires prior authorisation for processing
The Information Regulator’s powers and processes to issue Codes of Conduct from time to time and maintain a record in respect thereof
A person’s rights regarding direct marketing (Chapter 8)
Transborder information flows
The Regulator’s role and powers with regard to complaints relating to non-compliance and data breaches
Conditions for lawful processing of Information
Offences, Penalties and Administrative Fines
Prescribed fees payable by the data subject
*In terms of section 114(3) the provisions of section 58(2) do not commence until the Information Regulator determines otherwise.
It is important to realise that the “POPI Act” is not without teeth. One can get into serious trouble for non-compliance with its provisions. Offences, Penalties and Administrative Fines are found in Chapter 11 of the Act, which covers Sections 100 to 109.
Although there are other offences, what follows is an extraction of only those potential offences that could attach to non-compliant “NPOs” as a Responsible Person. That being said, it is an offence if the “NPO” (of course through its representatives):
1. Hinders, obstructs or unlawfully influences the “Regulator” (or any person acting on behalf of or at the direction of the latter) in the performance of their duties. [Section 100]
2. Fails to comply with an enforcement notice that has been served. [Section 103(1)]
3. Knowingly makes a false statement when purporting to comply with an enforcement notice. [Section 103(2)(a)]
4. Recklessly makes a false statement, in material respects, when purporting to comply with an enforcement notice. [Section 103(2)(b)]
5. Persistently and seriously fails to process information in terms of the conditions set out in Chapter 3, as it relates to the processing of any unique identifier (an account number), knowing that there is a risk that a contravention would occur and/or that it would cause substantial harm. [Section 105(1)(2)(3)]
According to section 105(4) it would be a valid defence (to charges brought against an “NPO” as per item 5 above) if that “NPO” can show that they have taken all reasonable steps to comply with the provisions of section 8. It goes without saying that if an “NPO” puts in the time to become compliant with the “POPI Act”, they would have no difficulty demonstrating that they have taken such reasonable steps.
The “POPI Act” gives the magistrates’ courts the jurisdiction to penalise anyone found guilty of the abovementioned offences. In this regard the magistrates’ court could sentence an “NPO” (the CEO and/or member(s) of the governing body) as follows:
In respect of an offence under sections 100 and 103(1) to a maximum period of 10 years imprisonment or a fine or both; and
In respect of offences under section 103(2) to a maximum period of imprisonment of 12 months or a fine or both.
Section 109(1) provides that the “Regulator” may deliver an Infringement Notice to an “NPO” in the case of an alleged offence under the Act. This notice must:
State the name and address of the “NPO”;
Specify the alleged offence;
Specify an administrative fine payable;
Inform the infringing “NPO” that, not later than 30 days after service, they may:
Pay the administrative fine;
Make arrangements with the regulator to pay the administrative fine in installments; or
Elect to be tried in court on the mentioned alleged offence.
The said notice must also inform the “NPO” that failure to comply with the notice within the specified period will result in the “Regulator” filing with the clerk/registrar of a competent court a statement certified as correct, reflecting the administrative fine payable. That statement will then have all the effects of a civil judgement lawfully given in that court. However, when an “NPO” has been charged with an offence, the “Regulator” may not impose that administrative fine. [See Section 109(6)]
Such an administrative fine must be paid into the National Revenue Fund. [See section 109(9)]. Such payment does not constitute a previous conviction. [See section 109(8)]. Once paid, the NPO may not be prosecuted for that alleged offence [See Section 109(7)].
Hopefully the section on offences, penalties and administrative fines alone has driven the message home to “NPOs” that this is a serious piece of legislation with regard to legal compliance. These offences and penalties hold devastating consequences for “NPOs”.
Fortunately, “NPOs” have until 30 June 2021 to bring their personal information processing within the boundaries of the “POPI Act”. The writer suggests that NPO leaders deal with the risks posed earlier rather than later. They can do so by:
Taking the necessary steps to familiarise themselves with the content of the Act and Regulations;
Ensuring that they identify to what extent the act applies to their organisation;
Identifying the requirements that their “NPO” should meet in terms of the Act; and
Ensuring that the NPO’s operational staff meet these requirements.
We believe that doing these things, whether in-house or getting assistance from an external service provider, will go a long way to ensure NPO Governance excellence.