Understanding the Level of Compliance by South African Institutions to the Protection of Personal Information (POPI) Act

Privacy entails controlling the use and access to place, location and personal information. In South Africa, the first privacy legislation in the form of the Protection of Personal Information (POPI) Act was signed into law on 26 November 2013. The POPI Act promotes the protection of personal information by South African public and private institutions and specifies the minimum requirements in twelve chapters, which includes eight conditions for lawful processing of personal information. In 2012, CIBECS as part of their State of Business Data Protection in South Africa survey assessed, amongst other aspects, how prepared South African institutions were to comply with the then forthcoming protection of personal information legislation. Since that survey, the POPI Bill progressed to an Act and, more recently, in 2015 processes commenced to appoint the Information Regulator (in terms of the legislation), who would be responsible for enforcing the POPI Act. Due to the aforementioned developments and looming enforcement date associated with the POPI Act, this paper assesses the level of understanding of the POPI Act by participants from South African institutions as well as the current level of compliance to the POPI Act. Specifically, the current level of compliance to Condition Seven of the POPI Act, relating to the confidentiality and integrity of electronic personal information, is explored. Furthermore, a view is provided of the financial value associated with electronic personal information maintained as well as the potential impact a data breach of electronic personal information may have on an institution.