Page 28 - Q&A Book.indd
P. 28

Does POPI apply only to electronic records?

            Esmarie Cronjé
            July 2017
            “I’m an accountant and work from home. I don’t have a
            computer  and  have  for  years  been  doing  all  my  work  only
            on paper. My clients have been with me for a long time and
      Commercial  I keep physical files for each of them. I’ve taken note of POPI,
            but I am unsure as to whether it will apply to me, as I don’t
            have any client information in electronic form. Surely I don’t
            need to worry about POPI?”


            One of the objectives of the Protection of Personal Information  Act
            4 of 2013 (“POPI”), which has been signed into law, but has not yet
            fully come into effect, is to regulate the manner in which personal
            information may be processed. POPI achieves this goal by setting out
            the minimum standards for the processing of personal information. It
            should  be  noted  that  POPI  applies  to  a  specific  activity,  namely  the
            processing of personal information, rather than to a specific person
            or organisation. As a general rule, POPI will apply to any person or
            organisation who (or which) processes the personal information of
            others and who is defined under POPI as “responsible parties”.
            “Personal information” includes any information relating to an
            identifiable, living, natural person or an identifiable, existing juristic
            person and can include amongst others any identifying information
            such as a name, identity number or registration number, contact details
            or a physical address of a person or business. Information relating to
            the education, medical, financial, criminal or employment history of a
            person, as well as their personal views and opinions, are also covered
            in terms of POPI.

            “Processing”  according  to  POPI,  refers  to  any  operation  or  activity
            whether or not by automatic means concerning personal information,
            including amongst others the collection, use, storage, retrieval, deletion
            or destruction of personal information. Therefore, even if a responsible
            party is only in possession of personal information, they are considered
            to be processing personal information in terms of POPI.
            POPI further applies to the processing of personal information by both
            automated (electronic) and non-automated (non-electronic) means
            when such information is entered into a record of a responsible party.
            Personal  information  which is processed  by non-automated means,
            for example through mediums such as paper files or other physical or




            23
   23   24   25   26   27   28   29   30   31   32   33