POPIA compliance for South African legal practices
The Protection of Personal Information Act 4 of 2013 (POPIA) came into full effect on 1 July 2021. Although lawyers may have been very busy assisting clients to become compliant by the deadline of 30 June 2021, every legal practice also needs to comply with POPIA. If you are a lawyer, is your legal practice POPIA compliant?
POPIA is not new and follows a number of other statutes governing the processing and protection of information with which lawyers already have to comply. The purpose of this blog is to give very busy lawyers an overview and practical tips on how to check quickly whether your legal practice complies with POPIA. The nature and operations of legal practices may differ, and this blog therefore does not constitute legal advice.
Before providing proposed “5 To Do’s” for legal practices to comply with POPIA, let us briefly review 10 basic legal aspects which all lawyers should know about POPIA.
1. Who does POPIA apply to?
POPIA applies to personal information relating to natural persons and juristic persons (e.g. companies). Every legal practice (including attorneys, advocates and legal consultants) must comply with POPIA, as a legal practice is a business which collects personal information from, inter alia, clients and employees.
2. What are the criteria for collecting personal information?
POPIA expressly requires that personal information must be collected for a purpose that must be specific, explicitly defined and lawful.
3. How must a data subject be informed of the protection of their personal information in terms of POPIA?
POPIA requires transparency and places a notification duty on the data collector to inform the data subject why the data is collected and how it will be processed.
Section 18(1) lists the requirements for the contents of the notice to a new data subject (new clients) before personal information is collected. However, Section 18(4) provides, inter alia, exceptions to this notification duty; for instance, notification is not required when the personal information is required for court proceedings.
4. Where may personal information be collected from?
Section 12 states that personal information must only be collected directly from the data subject. However, there are certain exceptions which will allow a data collector (you as lawyer) to share personal information with a third party. These include (a) consent, (b) where it will not prejudice a legitimate interest of the data subject, or (c) where the personal information is required in court proceedings. These are the grounds to consider in scenarios where you need to share personal information of your clients with other legal practices, for instance a correspondent or Counsel.
It is further very important to know that when you share personal information you collected with a sub-contractor (such as a cloud hosting company), service provider or consultant in the course of outsourcing services, you automatically remain responsible for POPIA compliance in respect of the activities of such sub-contractors relating to the personal information. However, your responsibility can be limited if your sub-contractor agrees in writing to bear some or all responsibilities relating to POPIA compliance.
5. How does POPIA correlate with PAIA (Promotion of Access to Information Act 2 of 2000)?
As legal practices are regarded as private bodies in terms of PAIA, each legal practice should have a PAIA manual. Your PAIA manual must be published on your website and be available on request at your office. POPIA will amend certain sections of PAIA and will require that each private body’s PAIA manual be updated.
According to the authors of the book entitled “A guide to the Protection of Personal Information Act”, reprinted in 2021 by Juta Publishers, the additional aspects to consider including in your PAIA Manual to comply with POPIA are the following:
- The purpose of the processing of the personal information.
- A description of the categories of data subjects and categories of information relating to them.
- The recipients or categories to whom the personal information may be supplied.
- Planned transborder flows of personal information.
- A general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information to be processed.
6. How must you protect personal information?
Section 19 requires that the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction or unlawful use of personal information.
Legal practitioners must further have regard to generally accepted information security practices and procedures, which may be prescribed by the Legal Practice Council in due course.
In particular, legal practitioners must be aware that unlawful acts relating to the use or processing of clients’ bank account numbers are specifically addressed in Section 105 and will be subject to criminal sanctions.
7. How long may you retain personal information?
Section 14 provides that personal information must be retained only for as long as it is necessary to achieve its purpose, unless it is otherwise required by law or in terms of a contract between the parties. In this regard, it is recommended that lawyers continue to follow the existing professional practice and LPC Rule of keeping records for at least 7 years. (Source: https://lpc.org.za/retention-period-for-documents-and-place-of-retention/)
8. Who will help implement POPIA in businesses?
Section 55 prescribes that each data collector must appoint an Information Officer. This will be the same natural person referred to as the “head” in private bodies for purposes of PAIA.
POPIA requires that information officers and deputy information officers be registered with the Information Regulator. Section 55 lists the duties of an Information Officer, but it is currently uncertain whether an Information Officer could personally be found guilty of a criminal offence in case of non-compliance, as no such person has been found guilty in terms of PAIA as yet.
9. How will POPIA be enforced?
Sections 39-54 establish the Information Regulator which will enforce both POPIA and PAIA. This part of POPIA already came into effect on 11 April 2014.
Section 50 provides that the Regulator must establish an Enforcement Committee. Section 93 describes the functions of the Enforcement Committee, which include considering, and making findings or recommendations on, all matters referred to it by the Regulator.
Any person (including the public, your client, opposition or competitor) may lay a complaint with the Information Regulator. The Information Regulator may conduct preliminary investigations, a full investigation, act as a conciliator or refer the complaint to the Enforcement Committee. It may therefore decide to investigate or take no action, for instance, if the complaint is frivolous or can be easily settled.
The data subject and the responsible party must be informed of the Regulator’s decision as soon as possible and the complainant will have 180 days to appeal the Regulator’s decision to the High Court.
The Regulator further has powers to conduct full investigations, summon witnesses or obtain warrants. In instances of severe or continuous contraventions of POPIA, the Regulator could issue administrative fines or recommend criminal proceedings with the penalty of imprisonment up to 10 years. The Magistrate’s Court will have the jurisdiction to impose these penalties. Section 99 further makes provision for civil actions for damages resulting from non-compliance with POPIA.
10. What specific aspects of POPIA will apply further to legal practices?
Section 60 allows the Information Regulator to issue codes in respect of inter alia professions, like legal practitioners. The Regulator can issue a code on its own initiative or on application of the Legal Practice Council to do so. Section 65 provides further that the Regulator may provide written guidelines to assist representative bodies to develop codes of conduct.
Remember that if you are already complying with the Legal Practice Act 28 of 2014 and the Code of Conduct for legal practitioners, and/or have confidentiality undertakings in place with your clients as legal consultants, the personal information clients share with your legal practice is already regarded as confidential or privileged.
Following the above, the “5 To Do’s” for legal practices to comply further with POPIA are as follows:
- Notify new clients why and for what purposes you collect their personal data, if you do not already do so sufficiently in the course of complying with FICA (the Financial Intelligence Centre Act 38 of 2001).
- Assess the internal security and safekeeping measures for the records in your legal practice. Be aware of exactly who has access to the personal information you receive and process. If necessary, review and update electronic access controls, employment contracts and/or firm privacy policies to limit risks.
- Make sure you have written contracts with service providers, subcontractors or consultants with whom you need to share personal information in your possession or under your control, to limit your responsibility for their compliance with POPIA.
- Update your PAIA Manual with additional items (listed above for consideration) prescribed in POPIA.
- Appoint and register an Information Officer with the Information Regulator (which can be done via the online portal accessible at: https://www.justice.gov.za/inforeg/portal.html).
We appreciate that the above is a very brief summary of POPIA aspects for legal practices, but hope this blog is helpful to support busy legal practices to comply faster and keep each other accountable.
If you have suggestions on how “Lawyers Working From Home” can support legal practices further with practice management aspects, you are welcome to email: [email protected]