On 1 July 2021, the deadline for all businesses to be fully POPIA compliant expired.
Companies now need to ensure that all their information processing activities comply with POPIA and that their Information Officers take up their responsibilities in accordance with the Act. Any organisation found lacking or failing to adhere to all provisions of the Act may find itself in the predicament now experienced by the Gauteng Department of Education.
In short, the Gauteng Department of Education has been using a digital information processing and sharing system that did not adhere to the requirements of the Act, in that there were no adequate or sufficient security measures in place to ensure the protection and integrity of the personal information contained therein. As a result, the personal information, including ID numbers, email addresses, names and physical addresses, of more than 11 000 pupils, parents and guardians was accessed by unauthorised individuals. Consequently, the Federation of Associations of Governing Bodies of South African Schools (FEDSAS) lodged a complaint against the Department with the Information Regulator.
The Act prescribes steep fines and even possible imprisonment for contravention of any of the provisions of the Act. Information Officers therefore need to take cognisance of the immense responsibility resting on their shoulders to ensure that their institutions are compliant with the Act.
All businesses need to implement processes and policies which will ensure that their processing, as responsible parties, of all forms of personal information of all their categories of data subjects, including but not limited to their employees, clients, customers, members and suppliers, is indeed fully POPIA compliant.
This means that both automated and non-automated means of information collection, storage, processing and distribution, among others, have to comply with the eight conditions of lawful processing. Failing to do so may have dire consequences for a business and for the Information Officer in his/her personal capacity.
NEASA therefore urges all businesses to actively take stock of their information processing activities and systems and to carefully evaluate their compliance. For any assistance in ensuring the compliance of your organisation with the Act, please contact your regional NEASA branch.
We will keep employers abreast of any developments and updates from the Information Regulator with regard to the POPI Act.