POPI: The Protection of
Personal Information Act

A guide for small business and healthcare professionals


December 2018

The Protection of Personal Information (POPI) Act has taken a back seat as South Africa focuses on other important issues, such as a national election in 2019.  However, it's been in the pipeline since 2013 and will be enacted in the near future. So don't take your eyes off this ball!

The Act applies to all South African businesses that collect personal information of clients and service providers.  

When the Act becomes law your business will have 12 months to become compliant. After that you must keep personal information regarding clients and service providers secure or face fines and jail time if you publish or lose it.

What is the Protection of Personal Information (POPI) Act?

The Protection of Personal Information Act supports everyone's right to privacy. It protects you by requiring that all personal information that's held by any business is managed responsibly.

Personal information is legally regarded as the personal 'property' of a client. It includes information that can be used to identify someone such as:

  • race, gender, sex, pregnancy, marital status, ethnic origin, sexual orientation, age, physical or mental health, disability, religion, culture, language and birth (date, place, time, etc.);
  • education and employment; 
  • any identifying number, symbol or address; and
  • biometric information.

The Act controls what you can do with this personal information. It also gives you the right to take action if your information is not managed responsibly.

Advocate Pansy Tlakula was appointed as the Information Regulator in 2016. Her role is to enforce the Protection of Personal Information Act.

The Information Regulator can take action against South African businesses that don't take reasonable steps to protect personal information.

There's a global movement to protect data and this Act is not unique to South Africa. The POPI Act is similar to the General Data Protection Regulation (GDPR) which came into force in Europe on 25 May 2018. Australia introduced the Notifiable Data Breaches (NDB) laws in February 2018.


Small Business and Healthcare Professionals

I’ve managed a practice as a psychologist for 16 years. Collecting the names, addresses, emails and telephone numbers of all my clients is an important part of my business.

Healthcare professionals also acquire other personal information about their patients. In my case it might be mental health diagnoses while other health providers keep personal medical histories.

As a healthcare professional I have an existing obligation to maintain client confidentiality and could lose my registration if I share information without consent.

But what about unintentional loss of data? This can happen if your laptop or cell phone is stolen.

If your patients' personal information is accessed or published from a personal electronic device (such as an iPad, laptop or smartphone) or from a digital storage service or device (such as an external hard drive, Dropbox or iCloud), it may result in harm or defamation for those patients.

In such a case you, as the healthcare professional or staff member, will be held responsible, whether the loss was intentional or not!  As the responsible party, healthcare professionals need to ensure that personal information is protected.

As healthcare professionals we already adhere to the HPCSA’s guidelines (Booklet 10) regarding patient confidentiality. One implication of the POPI Act is that healthcare professionals will not only need to satisfy the HPCSA regarding the loss of personal information, but will also be liable to answer to the Information Regulator who can recommend additional sanctions such as fines or jail time.

More information about the implications of the POPI Act for healthcare professionals can be found in this article published in the South African Medical Journal (SAMJ) in November 2017.

The author concludes that there is a need for “…a significant change in the mindset of the medical fraternity, as the time-honoured sharing of information between colleagues cannot continue given the new legislation. Should personal patient information be leaked or published from a personal data-storage device, the responsible party or physician who acquired that information can be held liable for damages incurred.” (p 956).

Once the Act is in place small business owners will have to tell the Government where we keep personal information, how we keep it safe - and we’ll have to tell them if we lose it.

The law applies to every business that collects personal information of clients and service providers.  

That’s all of us in the healthcare industry. Doctors, dentists, psychologists, psychiatrists, and all allied healthcare providers.

Whatever business you run, even if you work alone or employ staff, we all have to comply.

Do I need to do anything now?

If you own a business you should take action to make sure you manage the personal information that you get from clients according to the Act.

You should do two things: 

  1. Find out HOW the Protection of Personal Information Act affects you and WHAT you must do to comply, and 
  2. Find out HOW to reach full POPI compliance.

Learn how to comply with the Protection of Personal Information Act

The first thing I did was to read the Act. You can get your copy of the Protection of Personal Information Act here. A word of warning: it's complex.

While trying to understand POPI I found an excellent free online training course that helped me understand the new Act. It saved me time and money and gave me real food for thought regarding the security of client information.

Have a look at the course here. It's a good investment and you can complete it in your own time.

Four ways The Protection of Personal Information Act affects you: 

  1. You must adopt it. It's not optional. If you lose a laptop, cellphone or an external drive that contains client, staff or supplier details that information must be secure.

  2. Pleading ignorance will not help you.  If information is stolen you face jail-time or a fine of up to 10 million Rand.

  3. If the Information Regulator proves you did not protect the information, you are liable for a criminal sentence with jail-time of up to 10 years. 

  4. And finally, if you are found guilty of disregarding the Act the person whose information you shared/lost will sue you. They cannot lose. The government has already done the hard work. As a healthcare professional you will also face action from the HPCSA.

If I keep your personal information I want to ensure that it is safe - and I want to be able to tell my clients that their information is safe. 

For these reasons my practice will be fully compliant with the Protection of Personal Information Act.

There is still a lot of time but I don’t want to stress at the last minute.


PS: Have you ever had your laptop or cellphone stolen? Unfortunately, the reality is that it’s easy to have your laptop stolen in South Africa. It's even easier to lose your cell phone or tablet. 

If you don't comply with POPI and your unprotected laptop (or tablet or smartphone) gets lost or stolen then you face real trouble. You're facing fines up to R10 million and/or 10 years in jail.

There is no way my business can survive this. Will yours?

Keep the reputation of your business intact and attract new customers who can trust you will keep their information safe and protected.

Leave your thoughts below and keep in touch by visiting our Facebook Page and clicking 'Like' to join the community.
