Advanced Questions on The Protection of Personal Information Act | PoPIA

PoPIA | Petanque International

As the legislation matures and more directives are formulated, more issues will undoubtedly come to light. To the credit of the office of the Information Regulator, there is a commitment to adopt privacy best practices from around the world. This should provide a solid basis from which to move forward with efforts to protect personal information in South Africa.

The practical implications of PoPIA certainly need considering. Our PoPIA Team has put together answers to a few of the questions being asked on PoPIA forums.

How will POPIA protect my personal information collected by the security guards when visiting a complex/residential building?

All responsible parties who collect PI for security reasons must ensure the prevention of loss, damage or unlawful processing of PI given for this purpose. In other words, if the PI you have given to gain access to a building is lost, processed unlawfully by another party or damaged in any way, that would constitute a breach, and as the data subject you would have recourse to the regulator.

Does government get held to the same standard as the private sector in the event of a breach?

Yes, indeed. POPIA applies to all public institutions except for PI processed during a criminal investigation or investigation of any activities related to the financing of terrorism or money laundering. The exception also applies in cases considered sensitive for national security reasons as well as PI processed by the judiciary and the Cabinet. (See section 6 of POPIA.)

Would a General Practitioner (GP) need to disclose to all patients that they had a data breach, even if only one patient has been compromised?

The GP would only have to disclose to the affected patients, unless the GP is ordered to publicise the breach by the Information Regulator.

Who will be responsible if government departments share citizens’ personal information with companies e.g. sharing with SANRAL?

I assume this question relates to SANRAL and e-tolling in South Africa. The lawfulness of e-tolling is being challenged by OUTA and is far more complex than the processing of PI. Exactly how sharing of PI across government agencies and different levels of government (i.e. municipal, provincial and national) will apply, I would suggest, will only be known once the Act is in force, regulation has been published and case law exists. The Act does specifically allow for the sharing of PI from private organisations with the South African Revenue Service.

How are employees of companies affected by this law if they have access to client information on their mobile devices?

Any personal information belonging to clients and stored on mobile devices must meet the security safeguards of prevention of loss, damage or unlawful processing. In practical terms, encryption of all mobile devices is the reasonable control to meet the minimum standards.

How would an individual, like a family GP, be ‘punished’ for a data breach?

Contravention of POPIA in South Africa will be a criminal offence. Any GP contravening the Act will face administrative penalties (fines) and/or a prison sentence not exceeding 10 years. See chapter 11, sections 107 and 109 of POPIA.

What are the POPIA directives for IT and processing environments?

In terms of POPIA and the definition of processing, which includes the collection, storage, retrieval and dissemination of PI for lawful processing, any IT service provider would be deemed to be an operator.

The responsible party (for example, a GP practice) must ensure that all operators, including IT service providers, meet the minimum security safeguards as contained in condition 7 of POPIA.


We’d love to hear from you if you have any more questions to add. Get in touch at popi(at)
