In simple terms, the purpose of the PoPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable should they abuse or compromise your personal information in any way. The PoPI legislation basically considers your personal information to be "precious goods" and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over:
Examples of "personal information" for an individual could include:
It must however be noted that some personal information, on its own, does not necessarily allow a third party to confirm or infer someone's identity to the extent that this information can be used/abused for other purposes. The combination of someone's name and phone number and/or email address for example is a lot more significant than just a name or phone number on its own. As such the Act defines a "unique identifier" to be data that "uniquely identifies that data subject in relation to that responsible party".
We have to accept that we now live in an information age and along with this progress comes the responsibility for each person to take care of and protect their own information. Do not accuse someone else of sharing or compromising your personal information when you publish the very same information on public services like Facebook, LinkedIn, Google+ or public directories. Modern technology makes it easy to access, collect and process high volumes of data at high speeds. This information can then be sold, used for further processing and/or applied towards other ends. In the wrong hands such an ability can cause irreparable harm to individuals and companies. To protect your right to privacy and abuse of your information, data protection legislation is necessary even if it means imposing some social limits on society to balance the technological progress. So remember: The PoPI Act cannot protect you if you do not take care to protect yourself.
It is important to note though that this right to protection of "personal information" is not just applicable to a natural person (i.e. an individual) but any legal entity, including companies and also communities or other legally recognised organisations. All of these entities are considered to be "data subjects" and afforded the same right to protection of their information. So this means that while you as a consumer now have more rights and protection, you and your company/organisation are considered "responsible parties" and have the same obligation to protect other parties personal information. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, etc.
The PoPI legislation is not a rare or unique phenomenon to South African law. Many countries have similar legislation in place to protect the personal information of their "data subjects", including rules and regulations for international (cross-border) transfer and sharing of data. The general consensus seems to be that, apart from an unrealistic implementation period of one year and some practical implementation challenges, the PoPI Act is well thought out and it borrows from the "best of" other similar international laws, learning from their mistakes and shortcomings.
As usual, ignorance of the law is no excuse. Incorporating PoPI into the day-to-day operations of a business will most likely require a significant amount of time and effort, including: educating and training staff, updating business processes and implementing or updating technology solutions. Early action is essential, especially if you do not have a business nervous system (BNS) to facilitate this. Consider for example that under the PoPI Act you could be breaking the law if you do something as simple as synchronising your contacts on your phone, sending an email with sensitive content, taking/sharing a video or photo, using an international mail provider (like Google...) and so forth.
If you are a custodian of personal information it is important that you read our article on "Implementing PoPI: How the PoPI Act affects you and your business" as there are serious implications for non-compliance. This document also discusses the conditions that apply to processing of personal information in more detail as well as their practical implications and considerations.