THE PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013: A NPO COMPLIANCE ALERT




Peter SA Hendricks
30 June 2020


Introduction
On 26 November 2013, the Protection of Personal Information Act No. 4 of 2013 (“POPI Act”) was passed into law. This Act applies to anyone who processes (which includes collecting, recording, organising and storing) personal information of another person (“Data Subject”). Section 2 deals with the objectives of the “POPI Act” and states that the Act was passed to:
  1. Give substance to a person’s constitutional right to privacy;
  2. Set out a framework within which a person’s information may be lawfully processed;
  3. Give persons rights and remedies against the unlawful processing of their information; and
  4. Establish measures to promote, enforce, fulfill and ensure respect for the rights protected by POPI.
Like any other juristic person that processes information, Non Profit Organisations (“NPOs”) are also subject to its provisions. It is in fact fair to say that all “NPOs” process information of “Data Subjects” and are therefore what the Act calls “Responsible Persons”. As examples, one immediately thinks of Non-profit Schools, Social Housing organisations, Hospitals, Early Childhood Development Centres, Children’s homes and religious communities like churches.

Although the “POPI Act” had not yet commenced at the time of its promulgation, we at PSA Hendricks & Associates recognized the importance of its provisions to “NPOs”. We therefore made every effort to ensure that our NPO Governance and NPO Legal Compliance workshops, as well as our consultations with NPO leaders, included this very important topic. Given the severe legal consequences that flow from this Act, we believe that it is important that each leader in the NPO sector should ensure they are aware of it and explore its implementation in their "NPO" early on.

As the “POPI Act” and its Regulations are too vast to cover fully in this blogpost, the objective of this article is, in brief, to:
  1. Make NPO leaders aware of the commencement of the "POPI Act";
  2. Point out the provisions that will be implemented;
  3. Highlight the period within which compliance ought to be achieved;
  4. Stress the consequences of non-compliance; and
  5. Make a copy of the Act accessible to the reader.

The compliance time frame
Section 114 provides that the provisions of the Act would only commence 1 year after the President passed proclamations to that effect. Given this, on 11 April 2014 President Jacob Zuma, in Notice R 25 of Government Gazette No. 37544, proclaimed the commencement of certain of the provisions. These dealt with definitions, the establishment of the Information Regulator (“The Regulator”) and the provisions pertaining to the procedure for the establishment of regulations. Following this, on 14 December 2018 the regulations were published in Government Gazette No. R 1383. Eventually, on 22 June 2020 President Cyril Ramaphosa proclaimed that nearly all of the provisions will be implemented. This was published as Proclamation No. 21 of 2020 in Government Gazette No. 43461 (“The Proclamation”).

This latter proclamation provides for two commencement dates.

The first deals with the date on which the provisions, obligations, duties and enforcement under the “POPI Act” commence. This date is 1 July 2020. The provisions “NPOs” will have to comply with, as listed in this proclamation, are:
  1. Sections 2 to 38
  2. Sections 55 to 109
  3. Section 111, and
  4. Section 114(1), (2) and (3)
As already stated, section 114(1) provides that “NPOs” are now given a period of one year from this date to get their compliance house in order. In other words, come 30 June 2021, all “NPOs” that collect, process, store and share personal information of another must ensure that they are compliant with the provisions of the “POPI Act”. Failure to do so could hold dire consequences for “NPOs”, as will be discussed further below. According to subsection 114(2), this period could be extended by the Minister for an additional period not exceeding 3 years, provided he/she does so in consultation with the “Regulator” and he/she gives notice thereof in the Government Gazette.

The second date is set for 30 June 2021, when sections 110 and 114(4) will commence. Section 110 deals with when the amendments, caused by POPI, to a list of legislation set out in the Schedule to the Act, will take effect. In turn, section 114(4) refers to the finalisation of the function that the South African Human Rights Commission will play as provided for in sections 83 and 84 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”).

Compliance Provisions for Immediate Attention
We have already looked at, albeit in brief, the provisions pertaining to section 114(1) and (2) and these provisions will not be repeated here. In this part we list in table format the themes of the provisions that will commence on 1st July 2020.

Sections 3 to 38

| Section(s) | Compliance Focus Area |
|---|---|
| 3 | Application & Interpretation |
| 4 | Lawful processing of personal information |
| 5 | Rights of Data subjects |
| 6 | Exclusions |
| 7 | Journalistic Exclusions |
| 8-38 | Conditions for lawful processing of Information |

Sections 55 to 109

| Section(s) | Compliance Focus Area |
|---|---|
| 55 & 56 | Duties, Designation and Delegation of Information Officer(s) |
| 57-59* | Data that requires prior authorisation for processing |
| 60-68 | The Information Regulator's powers and processes to issue Codes of Conduct from time to time and maintain a record in respect thereof |
| 69-71 | A person's rights regarding direct marketing (Chapter 8) |
| 72 | Trans border information flows |
| 73-99 | Regulator's role and powers with regard to Complaints relating to non-compliance and data breaches |
| 8-38 | Conditions for lawful processing of Information |
| 100-109 | Offences, Penalties and Administrative Fines |
| 111 | Prescribed fees payable by the data subject |

*In terms of section 114(3), the provisions of section 58(2) do not commence until the Information Regulator determines otherwise.

To familiarise yourself with the full extent of the applicable provisions that will commence, please be sure to download complete copies of the “POPI Act” here and its Regulations here.

Offences, Penalties & Administrative fines
It is important to realise that the “POPI Act” is not without teeth. One can get into serious trouble for non-compliance with its provisions. Offences, Penalties and Administrative Fines are found in Chapter 11 of the Act, which covers sections 100 to 109.

Offences
Although there are other offences, what follows is an extract of only those potential offences that could apply to non-compliant “NPOs” as a Responsible Person. That being said, it is an offence if the “NPO” (of course through its representatives):
  1. Hinders or obstructs or unlawfully influences the “Regulator” (or any person acting on behalf of or at the direction of the latter) in the performance of their duties. [Section 100]
  2. Fails to comply with an enforcement notice that has been served. [Section 103(1)]
  3. Knowingly makes a false statement when purporting to comply with an enforcement notice. [Section 103(2)(a)]
  4. Recklessly makes a false statement, in material respects, when purporting to comply with an enforcement notice. [Section 103(2)(b)]
  5. Persistently and seriously fails to process information, in terms of the conditions set out in Chapter 3, as it relates to the processing of any unique identifier (an account number), doing so knowing that there is a risk that a contravention would occur and/or that it would cause substantial harm. [Section 105(1)(2)(3)]
According to section 105(4), it would be a valid defence (to charges brought against an “NPO” as per item 5 above) if that “NPO” can show that it has taken all reasonable steps to comply with the provisions of section 8. It goes without saying that if an “NPO” puts in the time to bring itself into compliance with the “POPI Act”, it would have no difficulty demonstrating that it has taken such reasonable steps.

Penalties
The Act gives the magistrates' courts the jurisdiction to penalise anyone found guilty of the offences in the Act. In respect of the offences listed in items 1 to 5 above, the magistrates' courts could sentence an “NPO” (the CEO and/or member(s) of the governing body) as follows:
  1. In respect of an offence under sections 100 and 103(1), to a maximum period of 10 years imprisonment or a fine or both; and
  2. In respect of offences under section 103(2), to a maximum period of imprisonment of 12 months or a fine or both.

Administrative fines
Section 109(1) provides that the “Regulator” may deliver an Infringement Notice to an “NPO” in the case of an alleged offence under the Act. This notice must:
  1. Contain the name and address of the “NPO”;
  2. Specify the alleged offence;
  3. Specify an administrative fine payable;
  4. Inform the infringing “NPO” that, not later than 30 days after service, they may:
     i. Pay the administrative fine;
     ii. Make arrangements with the Regulator to pay the administrative fine in instalments; or
     iii. Elect to be tried in court on the mentioned alleged offence.

The said notice must also inform the “NPO” that failure to comply with the notice within the specified period will result in the “Regulator” filing with the clerk/registrar of a competent court a statement certified as correct, reflecting the administrative fine payable. That statement will then have all the effects of a civil judgement lawfully given in that court. However, when an “NPO” has been charged with an offence, the “Regulator” may not impose the administrative fine. [See Section 109(6)]

Such an administrative fine must be paid into the National Revenue Fund. [See section 109(9)]. Such payment does not constitute a previous conviction. [See section 109(8)]. Once paid, the NPO may not be prosecuted for that alleged offence [See Section 109(7)].

Conclusion
Hopefully the section on offences, penalties and administrative fines alone has driven the message home to "NPOs" that this is a serious piece of legislation with regard to legal compliance. These offences and penalties hold devastating consequences for them.

Fortunately, "NPOs" have until 30 June 2021 to bring their personal information processing within the boundaries of the “POPI Act”. The writer suggests that NPO leaders deal with the risks posed early rather than later. They can do so by:
  1. Taking the necessary steps to familiarise themselves with the content of the Act and Regulations;
  2. Ensuring that they identify to what extent the Act applies to their organisation;
  3. Identifying the requirements that their “NPO” should meet in terms of the Act; and
  4. Ensuring that the "NPO’s" operational staff meet these requirements.

We believe that doing these things, whether in-house or getting assistance from an external service provider, will go a long way to ensure NPO Governance excellence.

