A law is about to come into effect which aims to help people protect their reputations, and was based on a similar law passed in Europe. Popi – or the Protection of Personal Information Act – is setting its sights on jailing companies’ executives in South Africa who fail to secure data.

Although the act is yet to be implemented, the legislation specifies jail time up to 10 years and a fine of around R10 million.

If one breaches the following sections of the Act, 100, 103(1) and 104(2), 105(1) and 106, which deal, among other things with the powers of the Regulator to enforce compliance with its provisions, obstructing the Regulator in the performance of the Regulator’s duties, the selling, disposing or processing of a person’s account number in a manner not authorised by the Act, a prison sentence of up to 10 years can be imposed.

Although contravening Popi will result in consequences, outright fraud will more likely to result in jail time as the actions are more likely to be frowned upon by society.

Popi is modelled on Europe’s EUDPD [EU Data Protection Directive]. Popi gives ‘data subjects’ (SA citizens) control over their personal information relating to criminal activity or negative and damaging behaviour they may have committed in the past or are suspected to have committed.

Popi categorises this type of personal information as ‘special personal information’ under S26 of Popi and can only be processed by a “responsible party” in certain circumstances.

The Act does provide for a 12 month compliance period from the date that certain provisions become effective – which is only likely to happen once the office of the Information Regulator is established (which has commenced). Given the length of time that the act has been in the public arena, our view is that it is very unlikely that the 12 month compliance period will be extended.

[source: fin24]