The Protection of Personal Information (POPI) Act was first announced in November 2013 and will be enacted during 2018.
The Act applies to all South African businesses that collect personal information of clients and service providers.
When the Act becomes law your business will have 12 months to become compliant. After that you must keep personal information regarding clients and service providers secure or face fines and jail time if you publish or lose it.
The Protection of Personal Information Act supports everyone's right to privacy. It protects you by requiring that all personal information that's held by any business is managed responsibly.
Personal information is legally regarded as the personal 'property' of a client. It includes information that can be used to identify someone such as:
Photo by Alejandro Escamilla
The Act controls what you can do with this personal information. It also gives you the right to take action if your information is not managed responsibly.
Advocate Pansy Tlakula was appointed as the Information Regulator in 2016. Her role is to enforce the protection of personal information Act.
The Information Regulator can take action against South African businesses that don't take reasonable steps to protect personal information.
There's a global movement to protect data so this Act is not unique to South Africa. The POPI Act is similar to the General Data Protection Regulation (GDPR) which came into force in Europe on 25 May 2018. Australia introduced the Notifiable Data Breaches (NDB) laws in February 2018.
I’ve managed a practice as a psychologist for 16 years. Collecting the names, addresses, emails and telephone numbers of all my clients is an important part of my business.
Healthcare professionals also acquire other personal information about their patients. In my case it might be mental health diagnoses while other health providers keep personal medical histories.
As a healthcare professional I have an existing obligation to maintain client confidentiality and could lose my registration if I share information without consent.
But what about unintentional loss of data? This can happen if your laptop or cell phone is stolen.
If your patient's personal information is accessed or published from a personal electronic device (such as an ipad, laptop, or smartphone) or digital storage devices (such as an external hard drive, or Dropbox or iCloud) it may result in harm or defamation for patients.
In such a case you, as the healthcare professional or staff member, will be held responsible, whether the loss was intentional or not! As the responsible party, healthcare professionals need to ensure that personal information is protected.
As healthcare professionals we already adhere to the HPCSA’s guidelines (Booklet 10) regarding patient confidentiality. One implication of the POPI Act is that healthcare professionals will not only need to satisfy the HPCSA regarding the loss of personal information, but will also be liable to answer to the Information Regulator who can recommend additional sanctions such as fines or jail time.
Once the Act is in place small business owners will have to tell the Government where we keep personal information, how we keep it safe - and we’ll have to tell them if we lose it.
The law applies to every business that collects personal information of clients and service providers.
That’s all of us in the healthcare industry. Doctors, dentists, psychologists, psychiatrists, and all allied healthcare providers.
Whatever business you run, even if you work alone or employ staff, we all have to comply.
If you own a business you should take action to make sure you manage the personal information that you get from clients according to the Act.
You should do two things:
The first thing I did was to read the Act. You can get your copy of the Protection of Personal Information Act here. A word of warning: it's complex.
While trying to understand POPI I found an excellent free online training course that helped me understand the new Act. It saved me time and money and gave me real food for thought regarding the security of client information.
Have a look at the course here or click on the picture below. It's a good investment and you can complete it in your own time.
If I keep your personal information I want to ensure that it is safe - and I want to be able to tell my client's that their information is safe.
For these reasons my practice will be fully compliant with the Protection of Personal Information Act.
There is still a lot of time but I don’t want to stress at the last minute.
PS: Have you ever had your laptop or cellphone stolen? Unfortunately, the reality is that it’s easy to have your laptop stolen in South Africa. It's even easier to lose your cell phone or tablet.
If you don't comply with POPI and your unprotected laptop (or tablet or smart phone) gets lost or stolen then you face real trouble. You're facing fines up to R10 million and/or 10 years in jail.
There is no way my business can survive this. Will yours?
Keep the reputation of your business intact and attract new customers who can trust you will keep their information safe and protected.
Leave your thoughts below and keep in touch by visiting our Facebook Page and clicking 'Like' to join the community.