Opinion

CPUT and the POPIA – What you need to know

PROTECTION: The Protection of Personal Information Act considers your personal information to be "precious goods".

The purpose of the POPIA is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, storing, using, disclosing, processing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way.

How does POPIA affect CPUT?

Under the POPIA, the university is legally required to comply with the POPIA principles. Institutions are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.

The POPIA legislation basically considers your personal information to be “precious goods” and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over:

  • when and how you choose to share your information (requires your consent)
  • the type and extent of information you choose to share (must be collected for valid reasons)
  • transparency and accountability on how your data will be used (limited to the purpose) and notification if/when the data is compromised
  • providing you with access to your own information as well as the right to have your data removed and/or destroyed should you so wish
  • who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information
  • how and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised)
  • the integrity and continued accuracy of your information (i.e. your information must be captured correctly and, once collected, the institution is responsible for maintaining it)

What is “personal information”?

Examples of “personal information” for an individual could include:

  • Identity and/or passport number
  • Date of birth and age
  • Phone number/s (including mobile phone number)
  • Email address/es
  • Online/Instant messaging identifiers
  • Physical address
  • Gender, Race and Ethnic origin
  • Photos, voice recordings, video footage (also CCTV), biometric data
  • Marital/Relationship status and Family relations
  • Criminal record
  • Private correspondence
  • Religious or philosophical beliefs including personal and political opinions
  • Employment history and salary information
  • Financial information
  • Education information
  • Physical and mental health information including medical history, blood type, details on your sex life
  • Membership of organisations/unions

Does POPIA only apply to individuals’ personal information?

It is important to note that this right to protection of “personal information” applies not just to a natural person (i.e. an individual) but to any legal entity, including companies, communities and other legally recognised organisations. All of these entities are considered to be “data subjects” and are afforded the same right to protection of their information. This means that while you as a consumer now have more rights and protection, you and your company/organisation are considered “responsible parties” and have the same obligation to protect other parties’ personal information. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, etc.

Written by Gugulethu Ndenge, Records and Archives Manager and Adv. Mbongeni Mateta, Compliance Manager in the Registrar’s Office.
