University of Cape Town: POPIA must ‘become ingrained in how we do our jobs’
In an online presentation on 7 June 2021, Elizabeth de Stadler, the founder of legal, compliance and risk management consultancy Novation Consulting, addressed more than 400 University of Cape Town (UCT) staff on the implementation of the Protection of Personal Information Act 4 of 2013 (POPIA).
De Stadler was appointed by UCT to analyse and improve the institution’s compliance with the act. An expert in compliance and risk management strategy as well as privacy law, De Stadler spoke about the origins and scope of POPIA and dispelled myths associated with this piece of legislation, to ensure that all staff members can acquire a strong foundational understanding of it.
“As a sector, higher education has been working on its response to POPIA for a very long time; and UCT has been very active in those endeavours.”
While the application of the act may seem daunting, De Stadler said, the higher education sector and UCT are in a favourable position.
“As a sector, higher education has been working on its response to POPIA for a very long time; and UCT has been very active in those endeavours,” she noted.
Compliance is not a single task
Before delving into the “nitty gritty’” of the act, De Stadler repeated a remark made by UCT Registrar Royston Pillay in his introductory statement about the nature of POPIA compliance.
“I want to echo something that the registrar said during his introduction, which is that POPIA compliance is not a single task.
“It’s not a list of things we have to do, and then we are compliant. It’s also not something that is a short-term initiative or project. It has to become part of the way in which the university works with personal information. It has to become ingrained in how we do our jobs,” explained De Stadler.
Although the compliance standards are relatively strenuous, it is in line with international standards.
“It is very consistent with international best practice in that it’s principle-based, which means that it’s not easy to implement; it must be embedded into processing activities and standard operating procedures,” added De Stadler.
Fundamental concepts
In order to understand the act, De Stadler pointed out, there are a few fundamental concepts that are important to understand first. One is personal information.
“The definition of personal information in POPIA is incredibly broad – and purposefully so. It includes any information that you can relate back to a living individual or an existing organisation,” she said.
Examples of these pieces of information include identifiers, such as identity, student or staff numbers; contact details; demographic information; biometric information, such as fingerprints; financial information; background or historical information; and information about behaviours and preferences.
According to the act, this information is generated by a number of ‘data subjects’ ranging from students, researchers, employees and functionaries to affiliated organisations, research participants and other individuals, such as the emergency contacts of students and employees.
Realigning policies
Rather than preventing organisations from processing this information altogether, POPIA aims to define circumstances in which personal information may be handled.
“Many of the misconceptions about POPIA stem from a misunderstanding of what it means to process personal information,” De Stadler noted.
“When you want to become POPIA compliant, you look at the processes by which personal information is created, collected, used, shared, transformed, stored or destroyed. There is this concept that POPIA will inhibit the processing of personal information, whereas in some ways it actually encourages the use of this information – as long as that’s done in accordance with the principles in the act.”
Fortunately, added De Stadler, there are already a variety of policies in place whose provisions can easily be reviewed in order to ensure the university becomes POPIA compliant.
“There is an information security policy that was approved last year, a records management policy that has been in place for many years, [and] research policies that exist. So we are simply realigning these.”
Simple rules of thumb
The act sets out various personal information impact assessments that are required when personal information is planned to be used for a new purpose. In this regard, De Stadler laid down seven “rules of thumb” that data handlers can follow when processing personal information in a novel way:
Less is more: Stop over-collecting and recollecting information, and don’t collect personal information that you don’t plan on using.
No surprises: Transparency is a cornerstone of the legislation. Data subjects should be aware of exactly what their information will be used for.
Don’t share without protection: While organisations may share information for a variety of reasons, there must be mechanisms in place to ensure the continued protection of that information.
Check yourself before you wreck yourself: Data handlers should reassess the impact of processing information each time personal information is dealt with in a new way.
Use it or lose it: Authority to store information will depend on whether this information is actively being used, as well as on the holding organisation’s relationship with the data subject.
Destroy it, don’t spread it: When information is no longer in use and any relevant mandated storage periods have expired, it must be destroyed.
Above all, keep it safe! Whether information is being kept, shared or destroyed, there must be mechanisms in place to ensure that no personal details are inadvertently disclosed.
POPIA is a team sport
In closing, De Stadler outlined the roles and responsibilities created by the act.
“A lot of times, people think POPIA is only the responsibility of the information officer, the deputy information officers and what we are currently referring to as the public compliance officers – the team tasked with advising the university on becoming compliant,” she said.
Contrary to this, POPIA compliance is dependent on the behaviour of every individual at the university.
“At this stage, in public compliance, what we are trying to do is spread the word about the handling of personal information. What we want to instil at this point is that if you are uncertain, reach out for advice. And if you notice an incident, report it so that it can be managed properly,” said De Stadler.