POPI FROM A CORPORATE GOVERNANCE PERSPECTIVE
The purpose of the Protection of Personal Information Act 4 of 2013 (“POPI”) is to ensure that all South African corporates, state institutions, government departments and other persons who have access to personal information conduct themselves responsibly when collecting, processing, storing and sharing another person’s personal information (“person” under the Act includes juristic persons), by holding them liable should they misuse or compromise that information in any way. Personal information is, rightly, being elevated to near-sacrosanct status, and the Act therefore confers on its owner (the “data subject”) defined rights of protection and the ability to exercise control over how it is used.
The Companies Act 71 of 2008 has, since its inception, placed very onerous personal liability obligations on directors of companies (sec. 77), and POPI adds to that bouquet of legislation. To date company directors (generally) and management (to some extent) have been reluctant to undertake any form of training on IT governance, even though King III highlighted it as a key pillar of good corporate practice. POPI now throws a spanner in the works, so to speak, by imposing very stringent compliance requirements relating to the protection of information. An organisation that fails to comply with POPI may find itself embroiled in lawsuits, embarrassment, or both. IT systems are in fact high-risk investments, since those who procure them can seldom guarantee the security of the information they hold, and I doubt that even the creators of the software could guarantee that in toto.
It is therefore critical that organisations undertake a thorough internal drive, extended to external parties such as suppliers, to:
– train staff via workshops and seminars,
– develop proper POPI compliance frameworks,
– revise existing privacy policies,
– embark on a gap analysis exercise, and
– review existing contracts with suppliers.
Non-compliance with POPI will no doubt expose companies to risk wherever information is abused, whether by malicious actors or in the course of legitimate business, and whether intentionally or negligently. Either way, company directors may also be held personally liable in terms of the Companies Act for “negligent” acts, and perhaps even on common law grounds, jointly and severally. One would therefore urge directors to make use of sec. 78 and ensure that proper indemnity insurance is in place by way of professional indemnity cover. You will need it at some point, sometimes long after your term as director has lapsed. Directors must also actively educate themselves on IT governance, at least to the point of understanding investments in the IT systems that are the lifeline of every business today. IT governance helps an organisation determine what type of IT systems it requires and the return on investment they deliver; it also identifies and manages IT risk, of which personal information has now officially become a component insofar as spillage or abuse of information is concerned.
Considering that the burden of proof rests on the responsible party collecting the information to show that it was obtained with the data subject’s consent, directors should be more direct in asking the right questions about IT security and, specifically, information security. Section 19 of the Act requires a responsible party to “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control”; the same section goes on to require appropriate safeguards against those risks, regular verification that the safeguards are effectively implemented, and continual updating of them in response to new risks. A board that cannot point to a documented risk assessment and a standing review cycle for these safeguards is unlikely to discharge that obligation.
Mkhwanazi Inc is your partner in navigating POPI, offering company-wide workshops, reviews of privacy policies and supplier contracts, development of compliance frameworks, and Board inductions.