The Protection of Personal Information Act (POPI Act) aims to protect an individual’s right to privacy regarding their personal information which may have been collected by a third party during the course of business. The purpose of this legislation is to formalise the manner in which companies store, collect and access private information in order to protect individuals from cybercrimes and identity theft.


The Act has changed the approach of many business owners since its promulgation in 2013 and has placed emphasis on what needs to be implemented within the workplace to ensure that personal information of stakeholders enjoy protection.


The right to privacy is a fundamental right entrenched in Section 14 of the Constitution of the Republic of South Africa. The main purpose of the Act is to strike a balance between the right to access information and the rights of individuals to have their personal information kept private.


Since implementation, the Act has seen numerous amendments and new certain sections were implemented over the course of time. One of these amendments are sections pertaining to the Information Regulator. This statutory body is responsible for overseeing and monitoring compliance with the Act and handling of complaints. Sections dealing with regulations and the procedure for making regulations only came into effect years after the Act first came into effect.


It has been announced that the latest amendments will come into effect on 1 July 2020. All business and organisations have been given a transitional grace period of one year to afford them an opportunity to ensure compliance. This entails that all businesses and organisations should be fully compliant by no later than 1 July 2021. However, it is highly recommended that it is in the best interest of entities to ensure compliance as soon as reasonably possible.


All Businesses and organisations that collect, process and store personal information are legally obligated under The latest amendments, commonly referred to as POPIA, to protect such personal information. This applies not only to clients of these entities, but also to the information of their employees. From a practical perspective, this entails that steps should be taken to avoid unauthorised access to this information. This is crucial in the digital age, where sharing of personal information can be done with ease. The Act will entail that unauthorised sharing of information is strictly prohibited and documentation containing personal information be properly disposed of responsibly.



A Question that many employers may ask is whether the consent of an employee, by way of his contract of employment, is sufficient for the purposes of granting permission to disclosing his/her personal information.


Firstly, regardless of whether the employee had granted general consent, the employer remains obligated to comply with the requirements of POPIA. POPIA defines consent as any “voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. Arguably, contractual consent should suffice for the purposes of collecting personal information for employment purposes.

Information pertaining to an employee’s criminal record is regarded as special personal information. A general prohibition applies to the processing of such information, unless the employee consents thereto.


The Act contains 8 key conditions that an entity which intends to process personal information lawfully, must comply with:

Processing limitation– Personal information must be processed in accordance with the law and should be processed in a careful manner so as not to intrude on the privacy of individuals;

Specific Purpose– The information must be collected for a specific purpose, which is properly defined and for legitimate reasons;

Further process limitation– Must not be processed beyond initial purpose, which makes it incompatible with the original purpose;

Information Quality– The person collecting the data must take proper steps to ensure that the data is complete, accurate, current and not misleading;

Openness– The information may be collected by someone who has given notice / disclosed the requirements of the parties concerned and consent has been given;

Security Safeguards– Ensures that technical and organisational measures have been taken to ensure the integrity of information;

Individual participation– The person disclosing the information/data must be informed what is being collected and why;

Accountability– The responsible party will be held accountable for non-adherence to these principles set out above.

Employer’s responsibilities– In an attempt to safeguard information, business and organisations must as soon as possible update their contracts, appoint information officers, and implement a POPIA manual and policy and provide training to officials who entrusted with this responsibility.


It is of utmost importance that all business take the necessary steps to ensure compliance with this Act, not only to avoid penalties and fines, but also to prevent claims for damage as a result of non-compliance.

Should you require any additional information, kindly contact your closest CEO office.