POPI Act 2013

Short notes on the Protection of Personal Information Act, 2013 (POPIA)

What is this Act for?

This law has as its purpose (which is broadly in line with international laws of this sort), the protection of personal information and therefore privacy in the context of data. Privacy extends to how personal information is collected, stored, used or manipulated. Hence, the purpose of POPI is to:

  • give effect to the constitutional right to privacy by safeguarding Private Information;
  • balance the right to privacy against other rights, like the right of access to information;
  • regulate the manner in which Private Information must be processed;
  • provide persons with rights and remedies if POPI is contravened.


Understanding POPI terminology

Your information:

This is anything that can identify who you (the 'data subject') are or who someone else is.

It includes a name, identity number, address, gender, race, religion, medical issues, employment history, email, photograph, social media accounts, biometrics, personal views and opinions or statements, disability, language – anything that could enable someone else to find out something about you or any other person.

Responsible Party:

A person who decides how Personal Information is processed and what this Personal Information is used for. A responsible party can be a natural person, juristic person such as a company or group of companies, or a government body. In the context of SMSPortal's services, you, our customer, are viewed as the Responsible Party.

Operator:

A natural or juristic person that processes Personal Information for the responsible party. SMSPortal would act as the Operator in the process of rendering our services and products.


What is the Act saying about ‘personal information?

What can be done:

Since you (and every other person) are likely to give personal information to many institutions and individuals, this Act restricts how those entities or people can deal with your (and their) information which includes how they (or you) collect, record, store, distribute, share, sell, receive, transmit, destroy and retrieve this.

In short, the Act deals with any of these activities, which it refers to as ‘processing’ your (and their) data. It addresses all data in any form, which it refers to as a ‘record’ – in other words that personal information can be in any form at all (e.g. written or filmed) but will still be a ‘record’. It excludes ‘purely household activities.’


When does it apply?

You need to be fully compliant with all sections of the Act by 1 July 2021 when POPIA will be enforced:

SMSPortal recommends you to act now to ensure that you are aligned with the requirements as soon as possible. WASPA is already seeking to implement these requirements under the WASPA Code.

The key provisions of this Act deal with the rights of people to object to the processing of their data at any time (unless they are required to provide it for a lawful purpose, or to provide it willingly in the course of obtaining a service). They also deal with the obligation to ask for permission to ‘process’ personal information. This means:

  • you ask for only the bare minimum of personal information required;
  • the person understands why they are giving their personal information, how their information will be used, and for what purpose.

Every organisation (company or other entity) must appoint its own Information Officer. The Officer must bring the organisation into line with the requirements of the Act, and liaise, when necessary, with the Information Regulator.


Direct marketing and unsolicited communications

The definition of direct marketing is quite wide, as it refers to communications that are directly targeted at promoting goods or services as well as 'indirect' marketing messages.
Communications required to be sent by law (such as bank statements or a television license renewal notice) along with communications that are necessary for the conclusion or performance of a contract do not have to comply with the regulations relating to direct marketing, even if those communications have an indirect result of promoting products or services of the sender.

POPI distinguishes between new and existing customers when it comes to marketing consent. Section 69(3) of the Act defines existing customers, and while there is no clear definition of what defines new customers, should they not fall into the definition of existing customers, the regulations relating to new customers are applicable.
Section 69(3) of the Act states that the responsible party (you as the sender of marketing messaging) will not have to request marketing consent from an existing customer if the following requirements are met:

Existing Customers:

  • The responsible party must have obtained the customer's contact details in the context of the sale of the responsible party's products or services.

  • The Personal Information must have been collected to market the responsible party's own products and services.

  • The customer must have been given a reasonable opportunity to object to the use of their personal information for marketing purposes, free of charge and without too much formality. This opportunity must have been given to the customer at the time the information was collected and every time marketing is sent to the customer.

    New Customers:

  • If you are contacting someone for the very first time but you want to be able to contact them again, you will need their voluntary, informed, specific, opt in in writing with their full name and signature. You must also record the name and contact information of the contact marketer and their information officer or the deputy information officer (see above), the date and place where consent is given by the person, the type of goods or services you want to contact them about, and the method of future communication (SMS, email or phone).

  • You may only contact people who you have an existing relationship with, or who gave you information when they asked about your product or service, or if you are going to offer them similar products or services to those they asked about or previously bought, and they have been told that they may be contacted for further marketing, and they are always given an opportunity to opt out.

  • Note that no one is automatically opted in – if a person doesn’t tick the opt-in box, they must not be taken to have opted in. You need express consent. You may not pre-populate the box with a tick, the user must tick the box themselves.

  • You will need to prove that you obtained the personal information of any person in your database with their specific consent, or in the circumstances in (a) or (b) above, and having given them information about how to opt out.


Frequently asked questions

1) What is POPIA?

PoPIA is the Protection of Personal Information Act 4, 2013, South Africa. While PoPIA compliance is a hot topic currently, it has been around for quite some time. The Act was fully enacted on the 1st of July 2020 and will be fully enforced after the one-year grace period, on the 1st of July 2021.

2) What is SMSPortal’s role in PoPIA for you as a customer?

SMSPortal have two roles in our PoPIA compliance journey. The first role is our actions as a Responsible Party when dealing with our staff and our customers Private Information. The second role is as an Operator, where we process SMS messages to your customers for you. In both of these roles, we have responsibilities to take all necessary care to ensure that your data remains safe and secure within our platform.

3) So are you PoPIA compliant?

There is no singular regulator issued document that can prove compliance. If you are unsure about what we have in place as an Operator, to protect your data, please reach out to us with questions you may have around our architecture and we can provide more detail. We have a tremendous focus on data security.

4) What does SMSPortal do to ensure we keep our customers data as safe as possible?

SMSPortal are a platform builder with 15 years’ experience in balancing security, throughput and ease of use. But to truly be secure, you need to test yourself and approach all aspects of security with growth and improvement in mind. As a result, we use third party penetration testing companies to put our platform through rigorous testing to highlight area’s we can improve.

5) Does my Private Information leave South Africa?

Yes, in some cases, your private information may leave South Africa. This is a common question, and it’s important to clarify that the Protection of Personal Information Act (POPIA) does not mandate that all data must remain within South Africa. In fact, in modern IT systems, it would often be impractical to keep every piece of data within the country.

POPIA allows for the transfer of data outside South Africa under two key conditions:

  1. Adequate Data Protection: The destination country must have data protection legislation that is similar to or better than POPIA.
  2. Regulated Data Transfers: The destination country must also have regulations that prevent the further transfer of data to a country with less stringent data protection laws. This ensures that your data isn't moved to a location with weaker privacy protections.

With our recent transition from hosting at Iomart in the UK to Teraco Data Centres in South Africa, we’ve made a significant change in where your data is stored. Now, your data is primarily hosted within South Africa at Teraco’s state-of-the-art facilities in Cape Town, where it benefits from robust physical and digital security measures.

However, there may still be instances where data needs to be transferred internationally to meet specific operational needs. For example, in cases where certain services or backups require international processing, we ensure that any data leaving South Africa is handled in full compliance with POPIA. If your data does leave South Africa, we ensure it is transferred to countries with data protection laws that meet or exceed the requirements of POPIA, such as those governed by the General Data Protection Regulation (GDPR) in Europe.

Our use of Teraco Data Centres in South Africa enables us to maintain stringent control over your data while ensuring compliance with both local and international data protection standards.

6) PoPIA allows for data destruction, so can I delete all of my SMS send history?

PoPIA does absolutely allow you to request data destruction. However, its important to note that it also makes provision for other legislation to have an overriding effect on data retention. In South Africa, our commitment to legislation like the Electronic Communications and Transactions Act and the Consumer Protection Act require us to maintain a send history of all SMSs sent on our platform for a period of 5 years. As such, we need to retain account ownership information and history of all SMS sent for the full 5-year period. Should you wish for further detail on our Privacy Policy, please click here for the full document.

7) How do I make sure I am PoPIA compliant?

PoPIA compliance is not only about worrying about compliance of your third-party Operators (like SMSPortal), but also but what you as a business do with your customers data. Where do you send it, how do you store it, who in your business has access to it etc. If you are unsure of where to start, we highly recommend that you speak to a PoPIA consultant or seek legal advice on what you should have in place in your business to protect yourself.

8) What can I do with SMSPortal to protect my Private Information?

Ultimately, PoPIA compliance and good data practise requires both of us to operate in unison in a data aware and secure fashion. We recommend the following steps:

  1. Never ever share your password to your account. We will NEVER ask you for it. An SMSPortal staff member will never call you and ask for it. Be security conscious of people trying to gain access to your account. Make sure you use a secure password that is not shared amongst your other passwords, and make sure to change this password as frequently as is possible.
  2. There is no need to share an SMSPortal user account. We specifically allow you to set up sub-accounts that each user can have a unique identity on our platform, both for your reporting convenience and for improved reduced security risk.
  3. Do not use us as your data-store. Once you have sent your messages to your groups, delete them! We allow the use of temporary groups that automatically delete themselves. These temporary groups will not affect your reports in any way – if you have sent a message to the group, your reports will still have all these detailed records.
  4. Do not email us any data – Our interface allows you to upload data straight into our platform, securely and quickly. Sending us your PI via email adds additional security risks around data mobility that are easily removed by uploading the data directly to our platform.
  5. Always make sure you are attempting to sign into the correct website. Scammers will try impersonating our website to gain access to your account. Check that the address is correct, check that connection is secure (the little lock next to the address), check that our LiveChat button is present and operational.

References

  • de Stadler, E. and Esselaar, P. (2015). A Guide to the Protection of Personal Information Act. Cape Town, South Africa: JUTA