POPI in 5 Minutes

POPI in a Nutshell

Key points

POPI – the Promotion of Personal Information Act – safeguards personal information when it is processed by public or private bodies, including solus practitioners, partnerships, companies, municipalities, and provincial and national government departments. POPI came into full effect on 1 July 2021.

The head of any such body is automatically deemed to be the Information Officer of the practice or organisation. The head is the sole practitioner in a sole practice, every partner in a partnership, and the Chief Executive Officer or Managing Director in a company. As such, he or she has a legal obligation to ensure that the POPI principles are implemented and maintained.

Any person has the right to submit a complaint to the Information Regulator alleging a failure to protect his or her personal information.

The head of the body may appoint one or more Deputy Information Officers to assist in discharging the duties of the Information Officer.

Recommended steps:

1. If this has not yet been done, the head of any private or public body must either personally, or through the appointment of one or more Deputy Information Officers, take measures to implement and maintain POPI compliance.

2. The relevant Information Officer or Deputy Information Officer must familiarise themselves with their obligations in terms of POPI.

3. Make sure that you include the POPI Consent Form (Form 3) in your standard patient contract documents.

4. The relevant Information Officer or Deputy Information Officer must conduct an information audit to assess the compliance measures to be implemented.

5. Appropriate processes and procedures to fulfil the POPI obligations must be compiled, implemented and maintained.