We work hard to keep all our legal mumbo jumbo as simple as possible, but we still have to have it.
The Protection of Personal Information Act No. 4 of 2013 (POPIA) is South Africa’s legislation for the protection of individuals’ personal information against unethical use. The preamble to the Act states the intention is to:
“Regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.”
Since the Act was passed into law, the Government has taken an incremental approach to the commencement of its different sections. In terms of a proclamation issued by the President, sections 110 and 114(4) of the Act commenced on 30 June 2020 and the remainder of the Act’s sections commenced on 1 July 2020.
The commencement date marked the start of a one-year grace period for businesses to ensure that they fully comply with POPIA, which ended on 1 July 2021.
The purpose behind POPIA can therefore be seen as the promotion of the constitutional right to privacy by ensuring that responsible parties and operators engage in lawful processing of personal information in accordance with, and with respect for, the rights of data subjects.
The responsible party in respect of POPIA is the public or private body or any other person that determines the purpose of and means for the processing of information.
An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Putting this into context, you, the customer, are the responsible party for the personal information of your employees (the data subjects). SimplePay is acting as an operator for your benefit, processing your employees’ personal information in order to assist you in your payroll obligations. The relevance of this is that a party’s role determines their rights, obligations and liabilities.
Personal information is information which can be used to identify a data subject – a definitive list can be found in Section 1 of the Act. The data subject is the person to whom the personal information relates and can be either a natural or juristic person. Almost any way that a company interacts with the personal information of a data subject constitutes processing – a definitive list is once again available in Section 1 of the Act.
Under POPIA there are eight principles for the lawful processing of information, aimed at striking a balance between the necessary processing of data for business purposes and protecting the rights of individuals. These are:
More detailed information on each of these principles is provided in Chapter 3 of POPIA.
Whose legal responsibility it is to ensure compliance with POPIA depends on the relationship between the data subject and the organisation doing the processing.
Under POPIA, data subject rights include the right to access what information of theirs is held, the right to correct information, the right to be notified of collection and the purpose of the collection, the right to object to the processing of their information and, in certain circumstances, the right to erasure.
In the case of an alleged infringement of a data subject’s rights, any person has the right to lodge a formal complaint with the Regulator. Pursuant to section 74, complaints can be made to the Information Regulator by completing and submitting the relevant form found on their website.
Privacy and data protection are cornerstones of the culture at SimplePay, and, as such, we have for some time been largely compliant with the obligations that are now statutorily imposed by virtue of being an operator under POPIA.
These obligations have been codified within POPIA as follows:
The personal information provided to SimplePay by you includes information such as data subjects’ names, dates of birth, nationality, gender, physical address, email address and bank details. On signup and in order to make use of SimplePay, you are required to agree to our Terms of Service. These contain a clause consenting to the lawful collection and processing of personal information.
As was the case before POPIA, SimplePay will continue to make reasonable efforts to assist you in the provision of personal information in line with your obligations regarding the rights of your employees (the data subjects) under POPIA, as laid out in sections 23 to 25 of the Act.
As well as complying with the principles of lawful processing, which for SimplePay includes meeting the three obligations covered above, the following are relevant:
Processing of Special Personal Information – processing of certain data, such as race and philosophical beliefs, is prohibited except in certain circumstances, including where such processing is necessary to meet legal obligations. It is under this exception that SimplePay is allowed to process special personal information with your (and by extension your employees’) consent.