POPI: The Protection of Personal Information Act

A guide for small business and healthcare professionals

By Mark Connelly. Updated: 24 May 2021

The Protection of Personal Information (POPI) Act was launched in South Africa with an effective date of 1 July 2020.  It's been coming since 2013 and will be enforced as from 1 July 2021. That's just around the corner, so take action now.

The Act applies to all South African businesses that collect the personal information of clients and service providers.  

Don't ignore this. The Protection of Personal Information Act is in force and your business has until 30 June 2021 to become compliant.

As from 1 July 2021 you must keep personal information regarding clients and service providers secure or face fines and jail time if you publish or lose it.

What is the Protection of Personal Information (POPI) Act?

The Protection of Personal Information Act supports everyone's right to privacy. It protects you by requiring that all personal information that's held by any business is managed responsibly.

Personal information is legally regarded as the personal 'property' of a client. It includes information that can be used to identify someone such as:

  • race, gender, sex, pregnancy, marital status, ethnic origin, sexual orientation, age, physical or mental health, disability, religion, culture, language and birth (date, place, time, etc.);
  • education and employment; 
  • any identifying number, symbol or address; and
  • biometric information.

The Act controls what you can do with this personal information. It also gives you the right to take action if your information is not managed responsibly.

Advocate Pansy Tlakula was appointed as the chairperson of the Information Regulator in 2016. The Information Regulator is an independent body established by the Act and is responsible for monitoring and enforcing compliance with the provisions of the POPI Act.

The Information Regulator can take action against South African businesses that don't take reasonable steps to protect personal information.

There's a global movement to protect data and this Act is not unique to South Africa. The POPI Act is similar to the General Data Protection Regulation (GDPR) which came into force in Europe on 25 May 2018. Australia introduced the Notifiable Data Breaches (NDB) laws in February 2018.


Small Business and Healthcare Professionals

I’ve managed a practice as a psychologist for more than 18 years. Collecting the names, addresses, emails and telephone numbers of all my clients is an important part of my business.

Healthcare professionals also collect other personal information about their patients. In my case it might be mental health diagnoses while other health providers keep personal medical histories.

As a healthcare professional I have an existing obligation to maintain client confidentiality and could lose my registration if I share information without consent.

But what about unintentional loss of data? What if your laptop or cell phone is stolen?

If your patient's personal information is accessed or published from a personal electronic device (such as an iPad, laptop or smartphone) or a digital storage device or service (such as an external hard drive, Dropbox or iCloud), it may result in harm or defamation for patients.

In such a case you, as the healthcare professional or staff member, will be held responsible, whether the loss was intentional or not!  As the responsible party, healthcare professionals need to ensure that personal information is protected.

As healthcare professionals we already adhere to the HPCSA’s guidelines (Booklet 10) regarding patient confidentiality. One implication of the POPI Act is that healthcare professionals will not only need to satisfy the HPCSA regarding the loss of personal information, but will also be liable to answer to the Information Regulator who can recommend additional sanctions such as fines or jail time.

Read about the implications of the POPI Act for healthcare professionals in this article published in the South African Medical Journal (SAMJ) in November 2017.

The author concludes that there is a need for “…a significant change in the mindset of the medical fraternity, as the time-honoured sharing of information between colleagues cannot continue given the new legislation. Should personal patient information be leaked or published from a personal data-storage device, the responsible party or physician who acquired that information can be held liable for damages incurred.” (p 956).

In order to comply with the POPI Act small business owners will have to tell the Government where we keep personal information, how we keep it safe - and we’ll have to tell them if we lose it.

The law applies to every business that collects personal information of clients and service providers.  

That’s all of us in the healthcare industry: doctors, dentists, psychologists, psychiatrists, biokineticists and all other healthcare providers.

Whatever business you run, whether you work alone or employ staff, you have to comply.

Do I need to do anything now?

If you own a business you should take action now to make sure you manage the personal information that you get from clients according to the Act.

You should do two things: 

  1. Find out HOW the Protection of Personal Information Act affects you and WHAT you must do to comply, and 
  2. Find out HOW to reach full POPI compliance.

Learn how to comply with the Protection of Personal Information Act

The first thing I did was to read the Act. You can get your copy of the Protection of Personal Information Act here. A word of warning: it's complex.

While trying to understand POPI I found an excellent free online training course that helped me understand the new Act. It saved me time and money and really helped me to think about the security of my clients' information.

Have a look at the course here. It's a good investment and you can complete it in your own time.

Four ways the Protection of Personal Information Act affects you:

  1. You must adopt it. It's not optional. If you lose a laptop, cellphone or external drive that contains client, staff or supplier details, that information must be secure.

  2. Pleading ignorance will not help you. If information is stolen you face jail time or a fine of up to 10 million Rand.

  3. If the Information Regulator proves you did not protect the information, you are liable for a criminal sentence with jail time of up to 10 years.

  4. And finally, if you are found guilty of disregarding the Act, the person whose information you shared or lost will sue you. They cannot lose. The government has already done the hard work. As a healthcare professional you will also face action from the HPCSA.

If I keep your personal information I want to ensure that it is safe, and I want to be able to tell my clients that their information is safe.

For these reasons my practice will be fully compliant with the Protection of Personal Information Act.

There is still time to comply by 30 June 2021, but I don’t plan to stress about this at the last minute.

How about you?


PS: Have you ever had your laptop or cellphone stolen? Unfortunately, the reality is that it’s easy to have your laptop stolen in South Africa. It's even easier to lose your cell phone or tablet. 

If you don't comply with POPI and your unprotected laptop (or tablet or smartphone) gets lost or stolen, then you face real trouble. You're facing fines of up to R10 million and/or 10 years in jail.

There is no way my business can survive this. Will yours?

Keep the reputation of your business intact and attract new customers who can trust you will keep their information safe and protected.
