POPIA
Questions and Answers

In the context of data processing under POPIA, what actions would be defined as 'collection' of personal information (PI)?

  • Modifying the PI to correct inaccuracies.
  • Gathering PI for a specific purpose. (correct)
  • Removing PI from a database.
  • Sharing PI with a third-party service provider.

According to POPIA, under which condition is an organization considered to be domiciled in a country?

  • The organization conducts occasional business transactions in that country.
  • The organization's headquarters are in that country.
  • The organization treats that country as its permanent home or has a substantial connection with it. (correct)
  • The organization has clients in that country.

What is the core reason organisations need POPIA?

  • To ensure the right to privacy is balanced with access to information and aligned with international standards. (correct)
  • To increase international trade by making it easier to share data with other countries.
  • Purely to avoid sanctions and fines for non-compliance.
  • To give them a competitive advantage over organisations in other countries.

Under what circumstances does POPIA apply to a responsible party processing personal information?

  • When the responsible party is domiciled in South Africa and processes personal information. (correct)

According to POPIA, under what conditions can a responsible party process personal information?

  • When the data subject consents or when processing is necessary to perform a contract. (correct)

According to POPIA, what constitutes 'special personal information'?

  • Personal information relating to an individual's race, health or political beliefs. (correct)

Under POPIA, when is a responsible party allowed to process a child's personal information?

  • With the consent of a competent person or if required by law. (correct)

A company suffers a data breach and several clients' personal information is exposed. What immediate steps should the company take, according to POPIA?

  • Notify the Information Regulator and the affected data subjects as soon as reasonably possible. (correct)

What is the potential penalty for an organization that significantly violates POPIA?

  • A fine of up to R10 million, imprisonment of up to 10 years, or both. (correct)

What is the 'Accountability principle' under POPIA?

  • Taking responsibility for ensuring all POPIA conditions and requirements are met when processing personal information. (correct)

In the context of POPIA, what is meant by 'Privacy by Design'?

  • An approach in which data protection compliance is considered before processing begins, integrating privacy into IT systems and operational practices. (correct)

What is the main requirement of the 'Processing Limitation principle' under POPIA?

  • Personal information must be processed fairly, lawfully, and only if it is adequate, relevant and not excessive for the purpose. (correct)

According to POPIA, under what situations can a responsible party collect personal information from a source other than the data subject?

  • If it is necessary to avoid prejudice to the maintenance of the law or to comply with legal obligations. (correct)

Under POPIA, if a data subject withdraws their consent for processing, what is the responsible party required to do?

  • Stop processing, unless the processing is required by law or by a contract. (correct)

According to POPIA, what should a request for consent from a client include?

  • Sufficient information to allow the client to make an informed decision. (correct)

According to POPIA, what is the main goal of the Specified Purpose principle?

  • To ensure that personal information is collected for a lawful, explicit and clearly defined purpose. (correct)

After personal information has been collected for a specific reason, under what conditions can it be further processed, according to the 'Further Processing Limitation principle' of POPIA?

  • If the further processing is compatible with the original purpose, taking into account its consequences for the data subject. (correct)

What is the 'Quality Principle' in the context of POPIA?

  • Personal information must be complete, accurate, not misleading and updated where necessary. (correct)

What is the 'Openness Principle' in POPIA?

  • Organisations must document all processing operations and ensure transparency when implementing POPIA. (correct)

According to POPIA, what details must a responsible party include in a privacy notice?

  • Details of the parties with whom the data is shared, the purpose of collection, and the data subject's rights. (correct)

Under the Security Principle of POPIA, what is a responsible party required to do?

  • Apply appropriate, reasonable security measures that secure the integrity and confidentiality of personal information. (correct)

Under POPIA, what is one of the requirements for an operator processing personal information on behalf of a responsible party?

  • The operator must only process information with the knowledge or authorisation of the responsible party. (correct)

According to POPIA, what action needs to be taken in the event of a data breach?

  • Develop a data breach response plan to manage and minimise losses. (correct)

Following a data breach, what type of information is important to include in the notification to the data subject?

  • A description of the possible consequences of the security compromise. (correct)

What is the first step an organization should take when responding to a data breach, according to POPIA?

  • Alert the response team and establish internal communications. (correct)

Under the Data Subject Participation Principle, what rights do individuals have under POPIA?

  • The right to ask the responsible party to confirm, free of charge, whether or not it holds PI about the data subject. (correct)

In what form must the record described by the Data Subject Participation Principle be provided?

  • In a reasonable manner and format that is generally understandable. (correct)

POPIA is similar in some ways to the GDPR. What is an important difference between POPIA and GDPR?

  • POPIA has a specific exemption for journalistic, literary and artistic purposes. (correct)

Under POPIA, which of the following is specifically exempt?

  • Data of a deceased individual. (correct)

What is the role of the 'responsible party' under POPIA?

  • Determines the purpose of and means for processing PI. (correct)

Under POPIA, what is an operator?

  • A person who processes PI for a responsible party in terms of a contract or mandate. (correct)

Who is responsible for enforcing POPIA and PAIA in South Africa?

  • The Information Regulator. (correct)

What role does an Information Officer play in a South African organization, as per the requirements of POPIA?

  • To ensure that the organisation complies with POPIA. (correct)

Which of the following best describes the role of Data Protection Officers (DPOs) within the European Union's data protection framework, as compared to Information Officers in South Africa under POPIA?

  • DPOs are intended to have more of a strategic and governance role than Information Officers. (correct)

Article 37 of the GDPR defines specific cases that require the designation of a Data Protection Officer (DPO). Which of the following is NOT one of those cases?

  • Irregular or unsystematic processing. (correct)

What do the draft guidelines confirm about the deputy information officer?

  • They must have sufficient independence. (correct)

According to section 55 of POPIA, may an information officer take up their duties before being registered with the Regulator?

  • No; the information officer may only take up their duties once registration with the Regulator is complete. (correct)

According to POPIA, how much may be charged for a copy of a compliance manual?

  • No more than R3.50 per page. (correct)

How are Information Officers defined under PAIA?

  • The head of the private body, as defined in the Act. (correct)

In South Africa, with whom must Information Officers register?

  • The Information Regulator. (correct)

Section 90(2) of PAIA makes it a crime to omit certain elements. What does the offence relate to?

  • The information officer of a public body failing, wilfully or in a grossly negligent manner, to compile the PAIA manual. (correct)

Flashcards

What is POPIA

Law that protects individual's personal information and privacy.

What is Personal Information (PI)

Any information that can be used to reveal a person's identity.

What is Processing of PI

Any operation or activity involving personal information.

What is Collection

Gathering PI for a specific reason.

What is Using PI

Using PI to accomplish a task.

What is Storage

Saving PI on a computer or filing system for later use.

What is Distribution

Sharing PI with other recipients.

What is Destruction

Removing or destroying PI.

What is Responsible Party

Determines the purpose of and means for processing PI.

What is Domicile country

A country the person treats as their permanent home and has a substantial connection with.

What is the Right to Privacy

The constitutional right to privacy.

What is Balance

Balancing privacy with access to information.

What is Legal Certainty

Providing rights and remedies to affected individuals.

What is Technological Changes

Protecting personal information in the technological landscape.

What is Globalization

Harmonising South African law with international standards.

What is special personal information

Information about religious or philosophical beliefs, race or ethnic origin, health, biometrics, criminal behaviour, etc.

What is Children's personal information

Personal information of a person under 18.

What are Penalties for non-compliance with POPIA

Fines of up to R10 million and/or imprisonment of up to 10 years.

What are Data Protection Principles

Guidelines organizations follow when processing personal information.

What is Accountability

Taking steps to apply all requirements when processing personal information.

What is 'Privacy by Design'

Compliance considered before processing PI starts.

What is Processing Limitation

Process PI fairly and lawfully, on a lawful ground such as consent, and only as much as the purpose needs.

What is the General Data Rule

Collect PI directly from the data subject.

What is the Specified Purpose

For lawful, clearly defined, specific purpose.

What is Further Processing Limitation

Processing compatible with original collection purpose.

What is Quality Principle

PI is complete, accurate, not misleading, updated.

What is Openness Principle

Document all processing operations.

What is The Security Principle

Apply security measures that protect data.

POPIA security requirement

Secure the integrity and confidentiality of personal information.

What is Operator

A person who processes PI for a responsible party under a contract or mandate.

What is Data breach response plan

Efficiently respond and recover from data breach.

What is Data Subject Participation

The right to have a responsible party confirm, free of charge, whether it holds PI about the data subject.

What is an Information Officer

An appointed person who ensures that the organisation complies with POPIA.

What is the Information Regulator

The authority that enforces both POPIA and PAIA.

Article 37 of the GDPR

A DPO must be appointed where core activities involve regular and systematic monitoring of data subjects on a large scale, large-scale processing of special categories of data, or the body is a public authority.

Compliance in the EU

Data protection compliance is treated as an ongoing process, not a one-off exercise.

What is Data Portability

The data subject's right to access and reuse their personal information.

What does Chapter 3 of POPIA require

Compliance with the eight conditions for the lawful processing of PI.

What does POPIA say about direct marketing

Direct marketing by unsolicited electronic communication is prohibited unless the data subject has consented to it or is an existing customer (section 69).

Study Notes

  • POPIA, the Protection of Personal Information Act, protects individual privacy, a fundamental human right. It defines personal information (PI) as information that identifies a person, such as a name, gender, address or health details.
  • South Africa recognises privacy as a fundamental human need through the common law, section 14 of the Constitution, and the Protection of Personal Information Act 4 of 2013.
  • Certain sections of POPIA commenced in 2014; the remaining sections came into force in 2020. Section 114 provides a one-year grace period to achieve full compliance.
  • POPIA balances the right to privacy against access to information, takes technological change into account, and harmonises South African law with international standards to ease cross-border data transfers.

Understanding the Terminology

  • PI is any information that reveals a person's identity, such as a name or ID number.
  • Processing of PI broadly covers any operation or activity, such as collection, receipt, recording, storage, updating or modification.
  • Collection: obtaining PI for a purpose.
  • Use: accomplishing a task with PI.
  • Storage: saving PI on a computer or filing system for later use.
  • Distribution: sharing PI with recipients.
  • Destruction: removing or destroying PI.
  • Record: any recorded information, whatever its form, including writing, recordings (on tape or otherwise), information stored on a computer, labels or markings, and any writing that identifies or describes part of a book, map, plan, graph or drawing. Non-automated documents held in a filing system are also records.
  • Responsible party: a public or private body, or any other person, that alone or with others determines the purpose of and means for processing PI.
  • A person is domiciled in a country if they treat it as their permanent home and have a substantial connection with it; an organisation is domiciled where it has its registered office or principal place of business.

Primary Reasons for POPIA

  • Gives effect to the constitutional right to privacy (section 2(a)).
  • Balances privacy against access to and the free flow of information (sections 2(a)(i) and (ii)).
  • Provides legal certainty by giving rights and remedies to persons whose PI is processed (section 2(c)).
  • Responds to technological change by protecting citizens' data with updated rights and remedies (section 2(c)).
  • Harmonises South African law with international standards, supporting cross-border data transfers (sections 2(a)(ii) and 2(b)).

Application of POPIA

  • POPIA applies to the processing of PI entered in a record by or for a responsible party, by automated or non-automated means, where the responsible party is domiciled in South Africa or, if not domiciled there, uses means of processing located in South Africa.
  • POPIA does not apply where those means are used only to forward PI through South Africa.
  • Every organisation processes the PI of staff, clients and suppliers, so POPIA affects every South African business.

Types of Personal Information and Processing Requirements

  • Distinguishing personal, special and children's information matters: special and children's PI carry the strictest processing requirements.
  • Personal information is information that reveals identity, such as a name or ID number (section 1).
  • A responsible party may process PI if the data subject consents or another section 11 ground applies.
  • The other grounds are that processing is necessary to conclude or perform a contract, to comply with a legal obligation, to protect a legitimate interest of the data subject, to perform a public law duty by a public body, or to pursue a legitimate interest of the responsible party or a third party. Consent is only one of these.
  • Special personal information covers religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behaviour. Processing it is prohibited (section 26) unless a general authorisation in section 27, a specific authorisation in sections 28 to 33, or an authorisation from the Regulator applies.
  • Section 27 permits processing special PI with the data subject's consent, to establish, exercise or defend a right or obligation in law, to comply with international public law, or for historical, statistical or research purposes in the public interest with privacy safeguards.
  • Special PI deliberately made public by the data subject may also be processed, and the Regulator may authorise processing in the public interest.
  • Children's PI is the PI of a person under 18; processing it is prohibited (section 34) unless a section 35 condition applies.
  • A responsible party may process a child's PI with the prior consent of a competent person, to establish, exercise or defend a right or obligation in law, to comply with international public law, or where the child has deliberately made the information public with the consent of a competent person.
  • Historical, statistical or research processing of children's PI is allowed if it serves a public purpose and privacy is safeguarded.
  • The Regulator may authorise processing of children's PI where it is in the public interest and appropriate safeguards are in place.

Penalties for Non-Compliance

  • Penalties include administrative fines of up to R10 million, imprisonment of up to 10 years, or both.
  • Non-compliance also exposes an organisation to civil claims and liability, loss of reputation and client trust, decreased interest from millennial customers, and difficulty securing international contracts and business.

POPIA Compliance Guidelines

  • POPIA sets out eight conditions for lawful processing that function as compliance guidelines. They are based on the OECD privacy guidelines and cover collection, quality, purpose, use, security, openness, participation and accountability.

The Eight Data Protection Principles

  • All eight must be applied to every processing activity for it to comply with POPIA.
  • Accountability: the responsible party must ensure that all the conditions are complied with (section 8).
  • A Privacy by Design approach means compliance is considered before processing starts, with privacy built into IT systems and operational design.
  • Under the Accountability principle an organisation documents what PI it collects and where it is stored, records the security applied to each store, puts service agreements and internal guidelines in place with suppliers, runs ongoing training and awareness, and regularly reviews its PI holdings and security measures.
  • Processing Limitation: PI must be processed fairly and lawfully, on a lawful ground such as consent, and only where it is adequate, relevant and not excessive for the purpose.
  • Collecting a customer's health information in order to deliver a parcel would be excessive for a courier. PI must be collected directly from the data subject, who should not be surprised about why it is being collected.
  • Consent must be informed, so the data subject knows why their PI is collected, and it can be withdrawn.
  • Collection from another source is permitted only where an exception applies and the responsible party has ensured the data subject consents to the sharing.
  • The exceptions include consent by the data subject or a competent person, PI contained in a public record, and collection that serves a legitimate interest without prejudicing the data subject.
  • A responsible party may also collect PI from another source where this is necessary to avoid prejudice to the maintenance of the law by a public body, to enforce legislation concerning the collection of revenue, for the conduct of court proceedings, or in the interests of national security.
  • A data subject may withdraw consent at any time (section 11(2)(b)) without affecting the lawfulness of processing done before withdrawal, and may object on reasonable grounds to processing that rests on legitimate interests (section 11(3)).
  • Withdrawal does not stop processing that is required by law or by a contract with the data subject, because the organisation then has a separate lawful ground for it.
  • Objections are made in writing on the form prescribed by the POPIA Regulations, to the responsible party or its designated person.
  • The form requires the data subject's and responsible party's details and the grounds for the objection.
  • Other lawful processing includes collecting race or ethnic origin to comply with employment equity law, where the purpose is to promote equality.
  • A request for consent must be kept separate from any other contract or form, must not use pre-ticked boxes, must identify the organisation and any third parties involved, and must let the client consent separately to each processing purpose.
  • The request must also set out the data subject's rights, including the right to withdraw consent and how to do so.

Specified Purpose Principle

  • PI must be collected for a specific, explicitly defined and lawful purpose, and clients should know why their data is being gathered.
  • Example: when HR runs a background check on a candidate, Siya, the HR representative complies with this principle by telling Siya that the PI is being used for the background check.
  • Compliance measures include collecting PI only for lawful, defined purposes and stating how the data will be used in notices, contracts and privacy policies.

Further Processing Limitation

  • Further processing must be compatible with the purpose for which the PI was originally collected.
  • Example: a doctor passing your PI to a pharmacy so that it can deliver your medication.
  • Compatibility is assessed by considering the relationship between the original and the further purpose, the nature of the PI, and the consequences for the data subject.
  • It requires a careful view of the data subject and the implications of the further processing.
  • Internal procedures, policies and staff training are needed so that further processing follows these requirements.
  • Further processing is treated as compatible where the PI comes from a public record, the data subject or a competent person consents, it is for research purposes and will not be published in an identifiable form, the Regulator has granted an exemption, or it is necessary to prevent a serious threat to public health.

Quality Principle

  • The responsible party must take reasonably practicable steps to keep PI complete, accurate, not misleading and updated where necessary.
  • Example: an employer that provides employee insurance stores employees' PI in its databases and must keep those details current and correct. Quality measures are implemented and maintained, with clear accountability for ensuring the PI meets the standard.

Openness Principle

  • The organisation must document all its processing operations.
  • Clients must be clearly informed about how their data is used, and the organisation's POPIA policies must be fully transparent.

Drafting a Notification

  • When collecting PI the organisation must notify the data subject of its name and address, the purpose of collection, whether supplying the PI is voluntary or mandatory, and the consequences of failing to provide it (section 18). PI collected in the past must also be brought into line with POPIA.
  • Step 1: the notice should state the purpose of collection and the lawful ground, for example the employment-related purpose, under which the PI is collected.
  • Step 2: the notice must name any third parties to whom the PI will be transferred, in line with the organisation's own policies.
  • The privacy notice must describe the recipients or categories of recipients, the nature or category of the PI collected, and how the data subject can access and correct their PI.
  • It must also explain how to lodge a complaint with the Information Regulator and give the Regulator's contact details.

Security

  • The responsible party must secure the integrity and confidentiality of PI by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction and unlawful access (section 19).
  • It must identify reasonably foreseeable risks, establish and maintain safeguards against them, regularly verify that the safeguards are effective, and update them as new risks appear. The goal is to secure the data and minimise breaches.
  • Where PI has been compromised, POPIA requires that the integrity of the data be maintained through the security measures and processes already in place, including proper handling of passwords and secure storage of PI.
  • Where an operator processes PI on the organisation's behalf, the organisation must ensure through a written contract, with due diligence, that the operator applies the same security measures (section 21).

Breach Protocols

  • Access to PI must be limited to authorised persons, and anyone processing it, including an operator, must treat it as confidential and not disclose it (section 20).
  • If a breach occurs the organisation must respond efficiently, which requires established rules for securely managing technology and personnel procedures that everyone follows.
  • Where there are reasonable grounds to believe PI has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects (section 22); an operator must notify the responsible party immediately.
  • Notification must be made as soon as reasonably possible after discovery of the compromise.
  • The written notification to data subjects may be sent by mail or email, placed prominently on the organisation's website, published in the media, or delivered as directed by the Regulator. It must describe the security measures being taken and, if known, identify the unauthorised person.

Data Subject Participation Principle

  • A data subject may ask the responsible party to confirm, free of charge, whether it holds PI about them (section 23).
  • A data subject may request the record or a description of the PI held, including the identity of all third parties who have had access to it; the responsible party may charge a prescribed fee for this.
    • The information must be provided within a reasonable time, in a reasonable manner and format, and in a form that is generally understandable, as POPIA requires.

Comparing POPIA and GDPR

  • POPIA's drafters drew heavily on the EU framework, so POPIA and the GDPR share many similarities; understanding the GDPR helps South African organisations apply best practice internally.
  • The GDPR protects everyone resident in the EU, so South African companies that process EU residents' data must understand it.
  • Both are well-developed systems, and the UK operates a similar framework derived from the EU's.
  • The main correspondences between the two frameworks:
    • Processing Limitation (POPIA): PI must be processed lawfully, fairly and not excessively. GDPR: personal data must be processed lawfully, fairly and transparently, and the controller is responsible for, and must be able to demonstrate, compliance with all the principles.
    • Accountability (POPIA): the responsible party ensures the conditions are met. GDPR: the controller is accountable, and data protection by design is a standardised requirement.
    • Purpose Specification (POPIA): PI is collected for a specific, explicitly defined and lawful purpose. GDPR: personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with them.
    • Further Processing Limitation (POPIA): further processing must be compatible with the original purpose. GDPR: the same compatibility test applies.
    • Minimality (POPIA): PI must be adequate, relevant and not excessive. GDPR: data must be adequate, relevant and limited to what is necessary.
    • Information Quality (POPIA): PI must be complete, accurate, not misleading and updated. GDPR: personal data must be accurate and kept up to date.
    • Openness (POPIA): processing is documented and data subjects are notified that their PI is being processed. GDPR: data subjects are informed transparently about processing.
    • Security Safeguards (POPIA): integrity and confidentiality are protected by measures, based on reasonably foreseeable risks, against loss, damage and unauthorised or unlawful processing. GDPR: appropriate security measures are required of both the controller and the processor.
    • Data Subject Participation (POPIA): confirmation is free of charge and records are provided at a prescribed fee. GDPR: data subject rights include access, rectification and portability.
  • Both give data subjects the right to be notified about the processing of their PI.
  • Both require the organisation to demonstrate proper management of PI to the regulator.
  • Both require a documented procedure to be followed.

Exemptions

  • POPIA does not apply to the PI of deceased persons, or to processing by or for a public body for national security, defence or public safety purposes.
  • Any further exemption must be applied for and justified by showing a public interest or a clear benefit to the data subject.

Who is accountable under POPIA

  • The responsible party, whether a public or private body, determines the purpose and means of processing and is accountable for how PI is used.
  • Where an operator is used, the duties and any indemnity clause must be set out in a written contract that binds the operator to the same security measures.
  • The contract must be in writing because an operator is not an employee under the direct authority of the responsible party, and it must give the responsible party reasonable authority to verify and demonstrate compliance.

Operators

  • An operator may process PI only with the knowledge or authorisation of the responsible party and must treat it as confidential.

Liabilities

  • The Information Officer is responsible for ensuring the organisation fully complies with POPIA. The Information Regulator is the authority that oversees and enforces both POPIA and PAIA in South Africa.

Information Officer vs Data Protection Officer

  • POPIA's Information Officer and the GDPR's Data Protection Officer play comparable data protection roles within their respective frameworks.
  • The Information Officer may delegate duties to deputy information officers but retains responsibility for compliance.
  • Comparing the two roles helps an organisation decide which duties belong with the officer.
  • Organisations processing data under both POPIA and the GDPR must meet the requirements of each.

GDPR

  • The GDPR requires a DPO in specific cases (Article 37): public authorities, and controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data. The requirement applies across all EU member states.

Information Officers and Deputy Information Officers

  • Build good communication with the organisation's risk and compliance functions.
  • Have the knowledge needed to help the organisation comply with all security processes.
  • Engage with every business unit, keep up with changes in technology and follow the required measures.
  • Maintain the authority needed to perform the duties.

Information Officer

  • Ensures that data is processed in compliance with the law.
  • Must have sufficient independence for compliance measures to be applied.
  • Must be given the resources needed to perform the role properly.

Requirements

  • The officer must hold a sufficiently senior level of authority and must not have duties that create conflicts of interest.
  • All information needed to secure PI, including customer information, must be available to the officer.
  • The organisation must state that these requirements are maintained and met.

Guidelines

  • Ensure compliance by keeping the organisation well organised and fully maintaining the measures in place.
  • Keep a detailed compliance framework and ensure that transfers of PI are well understood.
  • Make the safeguards and information accessible to those in charge, and demonstrate compliance with POPIA when data subjects request access to their PI.