If you’ve ever signed a legal contract, you might have noticed they often start by clearly defining the most critical terms. The POPI Act is no different.
Below I've pulled out the key definitions you need to know to have a practical understanding of the Protection of Personal Information Act in South Africa.
These will help you understand what the personal information act aims to accomplish and who the role players are.
Key definitions from POPIA
In privacy law, we are primarily concerned with the personal information of a person (also called a data subject) being processed by an operator.
You can read the full 76-page Act and definitions here.
Person & Data Subject
‘‘person’’ means a natural person or a juristic person;
‘‘data subject’’ means the person to whom personal information relates;
Eg: You, your potential client, your work colleague, your website visitor, or even your friend.
Personal Information
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) … read the act for more details on this definition.
Eg: Email address, cell phone number, name, address, race, etc.
Consent
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
Eg: A person voluntarily clicks a button to subscribe to a newsletter.
Processing
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
Eg: Capturing and storing information on a website contact form. Saving email addresses in your CRM system.
Operator
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
Eg: A marketing manager reviews website contact form submissions and forwards them to the relevant people in a business.
Other useful content
If you want to cover Data Privacy and the Protection of Personal Information Act in more detail, you might find these articles useful:
POPI Act Compliance for Digital Marketers and Website Owners