The Protection of Personal Information (POPI) Act

Special features:

  • “Tried-and-tested” in various South African organisations.
  • The “A to Z” of POPI is covered comprehensively
  • A highly knowledgeable and prominent course facilitator
  • Cross-border transfer of personal information is tackled
  • One-of-a-kind programme

Who should attend?

Company information custodians and professionals such as:

  • Finance Professionals
  • Human Resource Professionals
  • IT Specialists
  • Internal Auditors
  • Risk and Compliance Specialists
  • Information Management Specialists
  • Knowledge Management Specialists
  • Strategic Planning Specialists
  • Sales and Marketing Specialists
  • Business Development Specialists

More information

    Course duration: 2 days

    Course dates:

    Available on request

    Venue/s: Pretoria-specific venue to be advised

    Course fee: R6600-00 per delegate

    In-house presentation: Can be arranged at reasonable discounted fees.

    The Challenge

    Is it not scary to think that every second, someone is publishing his/her personal information on a public platform such as Google, Facebook or LinkedIn without thinking about his/her exposure to various risks? The next moment you get irritating phone calls promising you that you have just won R5 million or dollars; or you qualify for a free cell phone; or your bank account gets accessed, etc. The advent of technology enables others to process high volumes of data, which is then used for various purposes. It is for this and other reasons that the POPI Act has been enacted to protect the right to privacy of both companies and individuals, and to guard against possible abuse of information, with effect from 11 April 2014.

    The purpose of the POPI Act is to ensure that all South African institutions and individuals conduct themselves responsibly when collecting, processing, storing and sharing another entity's personal information by holding them accountable in the event that such personal information is compromised in any way. Through the POPI Act you are granted certain rights of protection and the ability to exercise control over your personal information. As a custodian of personal information, how do you get your organisation POPI-ready? The POPI Act has not come into operation as yet. Once it comes into operation, all organisations will have a period of 12 months to bring their current practices in line with its provisions.

    Course outline

    Module 1: What is privacy?

    • The right to data privacy
    • International rights
    • Rights in South Africa

    Module 2: What is POPI?

    • Meaning of POPI
    • Objectives and Purpose of POPI

    Module 3: Definitions

    • POPI concepts and definitions

    Module 4: Application of POPI

    • Application of POPI
    • Exclusions

    Module 5: Principles

    • The 8 international protection of information principles

    Module 6: Lawful Processing

    • Lawful processing of personal information under POPI
    • s5-rights of data subjects
    • s10-minimality
    • s11-consent, justification and objection
    • s12-collection directly from data subject
    • s13-collection for specific purpose
    • s14-retention and restriction of records
    • s15-further processing to be compatible with purpose of collection
    • s16-quality of information
    • s17-documentation
    • s18-notification to data subject when collecting personal information
    • s19-security measures on integrity and confidentiality of personal information
    • s20-information processed by operator or person acting under authority
    • s21-security measures regarding information processed by operator
    • s22-notification of security compromises
    • s23-access to personal information
    • s24-correction of personal information
    • s25-manner of access
    • Accountability
    • Processing information & limitations
    • Purpose of collected information & applicable principles
    • Information quality, notification & security issues
    • Access, correction and manner of access to personal information
    • How do you lawfully process and collect personal information?
    • Supporting documents required to support POPI principles
    • Revision of existing documents such as credit applications, vendor documents and other information sheets which need to be reviewed within your organisation
    • Developing a processing procedure including the how and the what
    • Further processing – the how to as well as the do’s and don'ts
    • How do you secure personal information and who plays this vital role within the organisation?
    • Contracts with third parties and operators
    • How can one access their personal information, and what processes and procedures are required?
    • The role of PAIA and inclusions under your PAIA Manual

    Module 7: Special information

    • Lawful processing of special personal information under POPI
    • s26-Prohibition on processing of special personal information
    • s27-General authorisation concerning special personal information
    • s28-Authorisation concerning data subject’s religious or philosophical beliefs
    • s29-Authorisation concerning data subject’s race or ethnic origin
    • s30-Authorisation concerning data subject’s trade union membership
    • s31-Authorisation concerning data subject’s political persuasion
    • s32-Authorisation concerning data subject’s health or sex life
    • s33-Authorisation concerning data subject’s criminal behaviour or biometric information
    • s34-Prohibition on processing personal information of children
    • s35-General authorisation concerning personal information of children
    • s36-General
    • s37-Regulator may exempt processing of personal information
    • Prohibition on processing special personal information
    • Exemptions concerning religion or philosophical beliefs; race; trade union membership; data subject’s political persuasion; data subject’s health or sexual life; data subject’s criminal behaviour
    • General exemption concerning special personal information
    • What is special personal information?
    • How do you classify it?
    • How do you identify special personal information and what can you do with it under the “exception” rules?
    • Who needs to be notified when this information is processed and how is this done?



    Module 8: Administrative functions

    • s38-exemption in respect of certain functions
    • s39-establishment of information regulator
    • s40-powers, duties and functions of regulator
    • s55-duties and responsibilities of information officer
    • s56-designation and delegation of deputy information officers
    • Authorizations and Justifications
    • How would you apply for an exemption?
    • Information protection regulator
    • Information protection officer
    • Powers & duties of Regulator and Information Protection Officer
    • Roles and duties
    • Appointment of information officer

    Module 9: Authorisations to Process

    • s57-processing subject to prior authorisation
    • s58-responsible party to notify regulator if processing is subject to prior authorisation
    • s59-failure to notify processing subject to prior authorisation
    • Notifications of processing
    • Registration process
    • Failure to notify
    • Investigations
    • What can’t you process before a notification is sent to the Regulator?
    • How do you notify?
    • What information must be submitted and when?
    • PAIA inclusions

    Module 10: Codes of Conduct

    • s60-issuing of codes of conduct
    • Issuing codes of conduct
    • Proposal for issuing of code of conduct
    • Notification, availability and commencement of code
    • Amendment and revocation of codes
    • Procedure for dealing with complaints
    • Guidelines about codes of conduct
    • Register of approved codes of conduct
    • Review of operation of approved code of conduct
    • Effect of failure to comply with code
    • Draft code of conduct

    Module 11: Use of email and direct marketing

    • s69-direct marketing by means of unsolicited electronic communications
    • Impact on current direct marketing procedures
    • Permissions and opt-outs

    Module 12: Directories and Automated Decision Making

    • s70-directories
    • s71-automated decision making
    • What is a directory?
    • What is automated decision making?

    Module 13: Transfer of Personal Information Cross-Border

    • s72-transfers of personal information outside republic
    • How do you identify and control this aspect?
    • Risks of not complying and managing trans-border flow of information.
    • Contracts and processes which should be implemented

    Module 14: Non-compliance Consequences

    • s73-Interference with protection of personal information of data subject
    • s74-s98 Complaints, proceedings and outcome
    • s99-Civil remedies
    • s100-s106 Obstruction of regulator
    • s107-Penalties
    • s114-Transitional arrangements
    • How to comply?
    • Consequences of not complying
    • When must the company ensure that it is in compliance with the Act?