The New Protection Of Personal Information (POPI) Act
– PART 2 –
As mentioned in the first part of this series, POPI is based on eight principles – let’s look more closely at the first principle, namely accountability.
POPI requires the responsible person (‘the RP’), that is, the person who determines the purpose and means of processing the personal information (‘PI’), to appoint an Information Protection Officer (‘IPO’).
Accordingly, whether you are a travel agent, tour operator, PCO, venue, agent of any of these or in any other business, if you process (i.e. ‘collect, disseminate or merge’) PI, you need to appoint an IPO, train him/her and register your IPO with the Information Protection Regulator (‘IPR’).
As a number of statutes require you to appoint a compliance person, you may as well appoint such a person as your IPO.
The duties of the IPO are:
- Submitting reports to the IPR
- Drafting a data protection policy which must (a) be understandable and (b) address especially high-risk information
- Providing or arranging staff training and creating a culture of compliance.
Accordingly, it is suggested that businesses do the following with immediate effect; these tasks, other than the first, should be carried out by the IPO:
- Ensure that they have a ‘general compliance person’ as per other statutes and entrust that person with the IPO duties as required by POPI
- Draft an information security, usage and retention policy (This is already a requirement in terms of RICA and has now become imperative)
- Assess all the information dealt with by the business and categorize same so as to ascertain how to deal with each category
- Train all employees at all levels.
Disclaimer: This article is intended to provide a brief overview of legal matters pertaining to the travel and tourism industry and is not intended as legal advice. © Adv Louis Nel, BENCHMARK, June 2013.