One of the objectives of the Protection of Personal Information Act 4 of 2013 (“POPI”), which has been signed into law, but has not yet fully come into effect, is to regulate the manner in which personal information may be processed. POPI achieves this goal by setting out the minimum standards for the processing of personal information. It should be noted that POPI applies to a specific activity, namely the processing of personal information, rather than to a specific person or organisation. As a general rule, POPI will apply to any person or organisation who (or which) processes the personal information of others and who is defined under POPI as “responsible parties”.
“Personal information” includes any information relating to an identifiable, living, natural person or an identifiable, existing juristic person and can include amongst others any identifying information such as a name, identity number or registration number, contact details or a physical address of a person or business. Information relating to the education, medical, financial, criminal or employment history of a person, as well as their personal views and opinions, are also covered in terms of POPI.
“Processing” according to POPI, refers to any operation or activity whether or not by automatic means concerning personal information, including amongst others the collection, use, storage, retrieval, deletion or destruction of personal information. Therefore, even if a responsible party is only in possession of personal information, they are considered to be processing personal information in terms of POPI.
POPI further applies to the processing of personal information by both automated (electronic) and non-automated (non-electronic) means when such information is entered into a record of a responsible party. Personal information which is processed by non-automated means, for example through mediums such as paper files or other physical or hard copy files, will only be subject to the provisions of POPI in the event that such personal information forms, or is intended to form, part of a filing system. Consequently, in the event that personal information is stored in hard copy format, which does not form part, or is not intended to form part, of a filing system, such processing activity will not fall within the ambit of POPI.
The processing of personal information is thus an ongoing process which requires compliance with the provisions of POPI for as long as a person or organisation is in possession of such personal information. The application of POPI is very broad and will apply to most persons and organisations who (or which) are in possession of the personal information of others.
In your situation, the fact that your information is in hard copy format, does not exclude POPI from applying to you. In addition, the fact that you retain your client’s information in physical files will qualify as processing personal information and will thereby also fall under POPI. To comply with the requirements of POPI we would advise that you enlist the help of a specialist to assist you in identifying the necessary measures to implement to ensure that you are compliant.