5 ways to handle personal information (and comply with the POPI Act)
September 21 2022 By Cleardata
South Africa's Protection of Personal Information (POPI) Act officially came into effect two years ago. Despite this, some businesses are still not clear on the dos and don'ts of the act, leaving them vulnerable to non-compliance.
What does the POPI Act cover?
To get an idea of what is required to ensure compliance, it's useful to first understand what is covered by the act.
The POPI Act safeguards citizens by requiring those businesses that process our personal information to take the necessary steps to protect it.
'Personal information' refers to private and publicly available data such as the race, gender, age or education of a person, as well as their medical, financial, criminal or employment history. It also includes contact details such as email addresses, telephone numbers and location information.
Although personal information typically relates to an identifiable, natural person, in some circumstances it can also be information that identifies an existing juristic person like a company, close corporation or trust. Information that has been de-identified (all identifying details have been removed) is no longer considered personal information under the POPI Act.
The term 'process' includes any operation or activity (automated or not) that involves the collection, receipt, recording, organisation, collation, storage, updating, retrieval, dissemination, distribution, merging, degradation or erasure of data.
How do you protect personal information?
How you safeguard the personal information that your organisation handles depends on the format of the information and how it is processed.
Here are 5 ways to handle, store and destroy personal information that comply with the POPI Act:
- Store electronic documents on systems that are encrypted.
- Save electronic documents to the cloud. Cloud storage keeps data on remote servers that are accessed over the Internet, so you work from a central drive that you can reach from anywhere rather than from a local drive.
- Implement company-wide procedures for how personal information is handled and used, and who is allowed to use it. You will also need a retention policy to state how long documents should be kept and that they should be securely destroyed when no longer needed.
- File hard copy documents containing personal information in cabinets that are secure and have controlled access.
- Securely shred confidential documents at the end of life, or outsource this to a reputable shredding service that can handle your documents for destruction when they are no longer needed. Ensure that documents are secured at every stage of the process, from the office to the post-shredded product.
Important points to remember
In terms of the POPI Act, it is the organisation (and not employees or users) that is the responsible party and that must have the correct information policies in place.
Even if you use a professional, outsourced shredding service, the responsibility to secure personal information still remains with you as the organisation.
As an organisation handling personal information, you are required to be completely transparent about how you process, store and destroy personal information. You must be able to provide, on request, descriptions of the subjects on which you hold records as well as the categories of records you hold on each subject. It is for these reasons that using reputable shredding service providers with certified processes is so important.
Remember, by protecting or securely destroying personal information, you stop unauthorised third parties from accessing other people's information and potentially harming those people by misusing their data.