POPIA - How to be compliant?
Non-compliance with the Act would expose the School to a penalty of up to R10 million and/or imprisonment of up to 10 years.
The Act contains 8 key conditions that an entity intending to process personal information lawfully must comply with:
1. Processing Limitation
Information must be processed in accordance with the law. It must be managed in a proper and careful manner so as not to intrude on the privacy of the person / entity whose information is being processed.
2. Purpose Specific
The information must be collected for a specific purpose, which is properly defined and for legitimate reasons. It may not be kept for longer than is necessary (i.e. must suit the purpose).
3. Further Process Limitation
The information must not be processed beyond the initial purpose, i.e. in a way that is incompatible with the original purpose.
4. Information Quality
The person collecting the data must take proper steps to ensure that the data is complete, accurate, current and not misleading in any way.
5. Openness
The information may only be collected by someone who has given notice of / disclosed the requirements, the purpose and the reason to the person / entity concerned, and that person must obtain their consent.
6. Security Safeguards
Appropriate technical and organizational measures must be taken to ensure the integrity of the data / information and to safeguard it from unauthorized access.
7. Individual Participation
Details of which data / information is collected must be made available, free of charge, to the person / entity that is the subject. They must understand what data is being collected, why it is being collected, and that they have the right to request that it be discarded once it has been used for the initial purpose (within reason).
8. Accountability
The responsible party (the School) will be held accountable for the management / implementation of the items mentioned above.