Background to data privacy in South Africa
The Protection of Personal Information Act, 4 of 2013, (“POPIA”), which came into force on 1 July 2021, is a law which regulates the use and processing of a person and / legal entity’s personal information, this being in response to, and in order to protect and give effect to a person and/or legal entity’s rights to privacy, including the right not to have their / its personal information and related data misused, abused or used for ulterior purposes.
POPIA applies to personal information which belongs to individuals and legal entities (“Data Subjects”) which is processed, be it in an automated or non-automated manner in South Africa, by another (“Responsible Party”) and places on any Responsible Party who is processing a data Subject’s personal information, a duty to use it lawfully and only for a specific and defined purpose(s).
In terms of POPIA, Cross Border Road Transport Agency (C-BRTA) , as a Responsible Party, is required to appoint an Information Officer (“IO”) and Deputy Information Officers (“DIOs”), to be responsible for establishing a POPIA Compliance Framework, and who following this, are required to assess, analyse and understand what types of personal information C-BRTA is processing which belongs to Data Subjects and to thereafter develop certain processes and procedures, including a POPIA Policy, which have to be followed by all C-BRTA employees when they process and use another’s personal information.
A Personal Information Impact Assessment as per the C-BRTA’s POPIA Compliance Framework has been carried out and created, which has indicated that C-BRTA , during the course of its business activities does and will continue to collect, store and process personal information about C-BRTA employees, its customers, suppliers and other third parties.
Furthermore, the Impact Assessment has defined and revealed that C-BRTA processes a large amount of different types of personal information including names, addresses, opinions, financial details, medical details and the like which pertain to current, past and prospective employees and customers, suppliers, and others who C-BRTA communicates and deals with and which processing is carried out for a variety of purposes, including for business, compliance and legal purposes.
C-BRTA also processes special purpose information including gender, sex, marital status, colour, age, race or ethnic origin, religious beliefs, trade union membership and the like for the purposes of recruitment, employment equity statistics, legal compliance and for the facilitation of union fees and memberships.
Following the Personal Information Impact Assessment, C-BRTA is confident that whilst this personal information is held on paper or on a computer or other media, such storage is subject to the prescribed legal safeguards as specified in POPIA and other regulations.
As per the POPIA requirements has implemented a robust POPIA compliance programme which includes various POPIA policies and processes, some of which are internal documents and some are which are available for public access. These documents are available for public access and can be accessed in the menu on the left.