
Getting to know POPI: Eight Conditions for Lawful Processing


POPI is based on Eight Conditions for Lawful Processing of Personal Information. Each time a Responsible Party processes Personal Information, it must comply with all these conditions. Under each condition, POPI contains key requirements relating to the processing of Personal Information.

The Act outlines conditions in far greater detail, but a simplified summary of these conditions is as follows:


1. Accountability

The Responsible Party must ensure that all seven conditions are upheld throughout the entire journey with the data. This includes ensuring that Operators handle the data with the same due care.


2. Processing Limitation

Personal Information must be processed in a manner that is adequate, relevant and not excessive for the purpose for which it is being processed. Only the minimal amount of Personal Information must be collected for the purpose for which it is required, and the processing must be in accordance with the reason you collected it. The Responsible Party must have one of the Six Legal Grounds for processing this Personal Information.



3. Purpose specification

Information may only be collected for a specific, explicitly defined and lawful purpose relating to the Responsible Party’s function or activity. Information may be retained only for as long as necessary to achieve the purpose for which it was collected or processed (although there are exceptions to this rule).



4. Further processing limitation

The further processing of Personal Information must be in accordance with the purpose for which it was originally collected.

5. Information Quality

A Responsible Party must take reasonable practical steps to ensure that Personal Information is complete, accurate, not misleading and updated.

6. Openness

A Responsible Party must document their information processing operations, as required by POPI’s provisions. It must also ensure that Data Subjects are notified when their Personal Information is processed. In view of this condition, many organisations are compiling privacy policies, which explain their privacy operation.

7. Security safeguards

Responsible Parties must ensure that Personal Information is kept confidential and that the information’s integrity is maintained. Responsible Parties must also take appropriate measures to prevent loss of, damage to or destruction of Personal Information and to guard against unlawful acts. If there has been a data breach, the Responsible Party will also have to comply with POPI’s requirements in this regard.


8. Data Subject Participation

A Responsible Party must ensure that a Data Subject is able to confirm whether the Responsible Party holds any Personal Information about the Data Subject (at no extra cost). A Data Subject must also be allowed to correct their Personal Information and request that the Responsible Party destroy or delete it.

Lightstone has sought formal legal opinion in all matters relating to the POPI Act and we continue to refer to legal counsel while we implement our POPI compliance changes.

POPIA Documents

For ease of use, here are some of the documents referred to in the information prepared to support our Estate Agent and Automotive Industry clients. Please click on the links below.

We welcome your feedback

You are invited to send through your POPIA-related questions or comments to POPIA@lightstone.co.za.
