Conditions prescribed by the Protection of Personal Information Act



The Protection of Personal Information Act will require every public and private body to comply with the eight conditions that prescribe the minimum threshold requirements for lawful processing of personal information in South Africa. Public and private bodies should be mindful of the rights and remedies of persons to protect their personal information from processing that is not in accordance with the Protection of Personal Information Act. Fire Risk SA subscribes to compliance with the POPI Act. The eight prescribed conditions are set out below.

Accountability

The responsible party must ensure that the conditions for lawful processing of personal information set out in the Act, and all the required measures, are complied with.

Processing limitation

- Business processes provide the context for processing personal information, i.e. the specific purpose
- Data collection must be proportionate to the purpose (minimal)
- Data processing must be for a legitimate purpose
- Data subjects must give consent
- Collection of personal data must be directly from the data subject unless it is contained in a public record
- Data models must prevent inference of prohibited data elements
- Limit the transfer of personal data to service providers
- The data subject must be able to object, in the prescribed manner.

Purpose Specification

- Collection of personal information must be for a specifically defined, lawful purpose related to a function of the responsible party
- The data subject must be aware of the purpose of collecting the data
- The purpose for processing personal information must be clear
- Record retention must not be longer than necessary unless required by law or a contract, or the data subject has consented
- A record of the use of personal data to make a decision must be retained for the period required by law, or long enough for the data subject to request access to the record
- Destroy, delete or de-identify personal information as soon as practically possible
- Destruction of personal information must be in a manner that prevents reconstruction in an intelligible form.

Further Processing Limitation

- Further processing must be compatible with the original purpose
- Be aware of the potential consequences of further processing
- Take note of any contractual rights and obligations
- Take steps to prevent further processing of personal data
- Data mining must not exceed the original purpose
- Allow retention for historical, statistical or research purposes
- Stop unlawful processing.

Information Quality

- Maintain the accuracy of collected personal information
- Check that personal data is not misleading
- Ensure that personal data is up to date
- Be aware of the impact the integrity of personal data has on the purpose for collecting personal data
- Note: master data must exclude unnecessary records
- Note: master data must be secured, and accessed only on a need-to-know basis.

Transparency

- Only process personal data after updating the PAIA manual
- The data subject must be aware of the collection of the data and of the name and address of the responsible party, whether collection is voluntary or mandatory, and of any law authorising collection, except if:
  - the data subject is already aware
  - all particulars are stated in the PAIA information manual
  - the data subject consents to non-compliance
  - the information will be used without identifying the data subject
  - the personal information is already in the public domain.

Data Subject Participation

- Establish communication processes with data subjects (via the Information Officer)
- Provide data subjects with access to their personal information
- Enable data subjects to request correction of personal data
- The manner of access to information is defined in the PAIA manual.

Business controls for maintaining integrity

- Identify personal data (structured and unstructured) in all business processes (formal and informal)
- Identify business processing manual controls
- Identify application systems and IT processes that support the business processes
- Identify programmed procedures supporting the complete and accurate processing of personal data
- Maintain appropriate granularity in user access controls
- Maintain appropriate application-level security
- Maintain appropriate information resource protection
- Prevent data leakage (structured and unstructured data)
- Maintain the capability to detect security breaches
- Regularly review the contractual obligations of third parties
- Prohibit the processing of special personal information
- Comply with the requirements of the Information Officer and/or Information Regulator.

Action Plan

1. Identify the legitimate business purposes for processing data
2. Establish a register of the processing of personal data
3. Obtain prior authorisation from the Information Regulator for the processing of personal data when required
4. Contact and communicate with data subjects
5. Obtain consent from data subjects
6. Enable data subjects to object to the processing of personal data
7. Perform a risk assessment for the protection of personal data
8. Educate staff
9. Implement a system of internal control to maintain integrity
10. Secure structured and unstructured data
11. Reduce record retention; destroy unnecessary personal data
12. Change the contracts and obligations of service providers (additional costs of outsourcing for increased security)
13. Appoint an Information Officer for data subjects to liaise with
14. Respond to requests of the Information Officer
15. Comply with the requirements of the Regulator.