Page 28 - Q&A Book.indd
P. 28
Does POPI apply only to electronic records?
Esmarie Cronjé
July 2017
“I’m an accountant and work from home. I don’t have a
computer and have for years been doing all my work only
on paper. My clients have been with me for a long time and
Commercial I keep physical files for each of them. I’ve taken note of POPI,
but I am unsure as to whether it will apply to me, as I don’t
have any client information in electronic form. Surely I don’t
need to worry about POPI?”
One of the objectives of the Protection of Personal Information Act
4 of 2013 (“POPI”), which has been signed into law, but has not yet
fully come into effect, is to regulate the manner in which personal
information may be processed. POPI achieves this goal by setting out
the minimum standards for the processing of personal information. It
should be noted that POPI applies to a specific activity, namely the
processing of personal information, rather than to a specific person
or organisation. As a general rule, POPI will apply to any person or
organisation who (or which) processes the personal information of
others and who is defined under POPI as “responsible parties”.
“Personal information” includes any information relating to an
identifiable, living, natural person or an identifiable, existing juristic
person and can include amongst others any identifying information
such as a name, identity number or registration number, contact details
or a physical address of a person or business. Information relating to
the education, medical, financial, criminal or employment history of a
person, as well as their personal views and opinions, are also covered
in terms of POPI.
“Processing” according to POPI, refers to any operation or activity
whether or not by automatic means concerning personal information,
including amongst others the collection, use, storage, retrieval, deletion
or destruction of personal information. Therefore, even if a responsible
party is only in possession of personal information, they are considered
to be processing personal information in terms of POPI.
POPI further applies to the processing of personal information by both
automated (electronic) and non-automated (non-electronic) means
when such information is entered into a record of a responsible party.
Personal information which is processed by non-automated means,
for example through mediums such as paper files or other physical or
23