The Protection of Personal Information (POPI) Act was launched in South Africa with an effective date of 1 July 2020. It's been coming since 2013 and will be enforced as from 1 July 2021. So don't take your eyes off this ball!
The Act applies to all South African businesses that collect the personal information of clients and service providers.
Don't ignore this. The Protection of Personal Information Act is in force and your business has until 30 June 2021 to become compliant.
As from 1 July 2021 you must keep personal information regarding clients and service providers secure or face fines and jail time if you publish or lose it.
The Protection of Personal Information Act supports everyone's right to privacy. It protects you by requiring that all personal information that's held by any business is managed responsibly.
Personal information is legally regarded as the personal 'property' of a client. It includes information that can be used to identify someone such as:
The Act controls what you can do with this personal information. It also gives you the right to take action if your information is not managed responsibly.
Advocate Pansy Tlakula was appointed as the chairperson of the Information Regulator in 2016. The Information Regulator is an independent body established by the Act and is responsible for monitoring and enforcing compliance with the provisions of the POPI Act.
The Information Regulator can take action against South African businesses that don't take reasonable steps to protect personal information.
There's a global movement to protect data and this Act is not unique to South Africa. The POPI Act is similar to the General Data Protection Regulation (GDPR) which came into force in Europe on 25 May 2018. Australia introduced the Notifiable Data Breaches (NDB) laws in February 2018.
I’ve managed a practice as a psychologist for more than 18 years. Collecting the names, addresses, emails and telephone numbers of all my clients is an important part of my business.
Healthcare professionals also collect other personal information about their patients. In my case it might be mental health diagnoses while other health providers keep personal medical histories.
As a healthcare professional I have an existing obligation to maintain client confidentiality and could lose my registration if I share information without consent.
But what about unintentional loss of data? What if your laptop or cell phone is stolen?
If your patients' personal information is accessed or published from a personal electronic device (such as an iPad, laptop or smartphone) or from a storage device or cloud service (such as an external hard drive, Dropbox or iCloud), it may result in harm or defamation for patients.
In such a case you, as the healthcare professional or staff member, will be held responsible, whether the loss was intentional or not! As the responsible party, healthcare professionals need to ensure that personal information is protected.
As healthcare professionals we already adhere to the HPCSA’s guidelines (Booklet 10) regarding patient confidentiality. One implication of the POPI Act is that healthcare professionals will not only need to satisfy the HPCSA regarding the loss of personal information, but will also be liable to answer to the Information Regulator who can recommend additional sanctions such as fines or jail time.
In order to comply with the POPI Act small business owners will have to tell the Government where we keep personal information, how we keep it safe - and we’ll have to tell them if we lose it.
The law applies to every business that collects personal information of clients and service providers.
That’s all of us in the healthcare industry. Doctors, dentists, psychologists, psychiatrists, biokineticists and all healthcare providers.
Whatever business you run, even if you work alone or employ staff, we all have to comply.
If you own a business you should take action now to make sure you manage the personal information that you get from clients according to the Act.
You should do two things:
The first thing I did was to read the Act. You can get your copy of the Protection of Personal Information Act here. A word of warning: it's complex.
While trying to understand POPI I found an excellent free online training course that helped me understand the new Act. It saved me time and money and really helped me to think about the security of my clients' information.
Have a look at the course here. It's a good investment and you can complete it in your own time.
If I keep your personal information I want to ensure that it is safe - and I want to be able to tell my clients that their information is safe.
For these reasons my practice will be fully compliant with the Protection of Personal Information Act.
There is still time to comply by 30 June 2021, but I don’t plan to stress about this at the last minute.
How about you?
PS: Have you ever had your laptop or cellphone stolen? Unfortunately, the reality is that it’s easy to have your laptop stolen in South Africa. It's even easier to lose your cell phone or tablet.
If you don't comply with POPI and your unprotected laptop (or tablet or smartphone) gets lost or stolen, then you face real trouble: fines of up to R10 million and/or 10 years in jail.
There is no way my business can survive this. Will yours?
Keep the reputation of your business intact and attract new customers who can trust you will keep their information safe and protected.
Leave your thoughts below and keep in touch by visiting our Facebook Page and clicking 'Like' to join the community.