How does PoPI Act affects

Marketing and Communication

within a Higher Education Space

By: Ms Peterlia Ramutsheli

Table of Contents

• PoPI Background (Definitions, Purpose, Significance)

• What is the Act saying to Higher Education Marketing and Communication?

• What could happen if your institution does not comply with PoPI?

• What could happen to an employee who does not comply?

PoPI Background

Protection of personal information isn’t a choice…

It is the law and … we are all affected

PoPI Background

• The PoPI Act was signed into law by the President of South Africa on 19 November 2013.

• The Government is in the process of appointing the Information Protection Regulator, nominations of potential candidates were made.

PoPI Background

• The effective date for the rest of the sections of the Act will be determined after the Regulator’s appointment.

• We will therefore have only 1 year to get our processes and systems aligned with the conditions of the Act.

What is the PoPI Act?

PoPI is South Africa’s primary legislation dealing with the protection of the personal information of data subjects, ours being:

Students Employees

Service Providers

Alumni

Council Members

Academic Associates

What is personal information? Just few examples, but not limited to these:

Name Gender

Marital Status

Physical Address

Race

Disability

Contact Details Medical

Financial Education

Age

Employment History

Criminal

What is the purpose of the Act?

To balance the legitimate needs of the organisation (Higher Education Institutions) with the constitutional right to privacy of individuals whose personal information is being used.

The Act says as we use the personal information of our data subjects to do our normal business, we should not abuse or use such information unlawfully to infringe their privacy.

What is the purpose of the Act?

Above ALL, the Act requires that we should PROTECT the personal information contained in our:

What is the purpose of the Act?

Above ALL, the Act requires that we should PROTECT the personal information contained in our:

Why is PoPI important?

• Some countries do not want to associate themselves with countries which do not have adequate data protection laws in place.

• Therefore, PoPI aligns South Africa with the international data protection best practices such as EU Data Protection Directive.

Why is PoPI important?

• South Africans are going through excessive abuse and harassment in a form of smses, emails and calls selling various goods and services.

• Therefore, their constitutional right to privacy is being violated.

What is being affected by PoPI?

What is the Act saying to HE Marketing and Communication?

Obtain consent for processing Collect only relevant information Define for what purpose will the information be used

Collect

What is the Act saying to HE Marketing and Communication?

Define organisations with whom you are required to share the information with Communicate the identified purpose and organisations to the data subjects

Collect

What is the Act saying to HE Marketing and Communication?

Consent to Process

Purpose for Collection

Organisations (Third Parties)

Can be done in a form of a declaration inserted in the data collection form

What is the Act saying to HE Marketing and Communication?

Should the information be collected from other sources other than the data subjects… A consent should be obtained from the data subject and the purpose for such needs to also be communicated.

Collect

What is the Act saying to HE Marketing and Communication?

A data subject has the right to object to the processing of his/her personal information at any time for purposes of direct marketing Have opt-out facilities which data subjects can utilise should they wish to change their consent initially given.

Collect

What is the Act saying to HE Marketing and Communication?

The personal information should be used strictly for the exact purpose communicated to the data subject Should “new purpose” and/ or “new organisations” arise later, consent should be obtained from the data subjects

Use

What is the Act saying to HE Marketing and Communication?

Personal information of data subjects should be adequately safeguarded The integrity and confidentiality of the personal information in our possession must be secured to prevent…

Store

What is the Act saying to HE Marketing and Communication?

loss, damage or unauthorised destruction of the information unlawful access to, or processing of the information

Store

What is the Act saying to HE Marketing and Communication?

Records must not be retained for longer than is required Avoid retaining lists containing personal information of students, employees, etc. on your desktop and c-drive which you are no longer using

Retain

What is the Act saying to HE Marketing and Communication?

Destruction or deletion must be done in a manner that prevents its reconstruction in an intelligible form Avoid throwing hard copy documents which contains personal information in the bins, consider shredding to prevent such information from leaking to unauthorized users

Destroy

What is the Act saying to HE Marketing and Communication?

PoPI (obtaining consent) does not apply when…

Just 3 exclusions are shared?

What is the Act saying to HE Marketing and Communication?

• When Journalistic services are rendered for the purpose of public interest

• PoPI agrees that the public has a right to be informed through the free flow of information from the media

What is the Act saying to HE Marketing and Communication?

• When there is legal obligation which needs to be fulfilled

…such as investigations for alleged unethical cases…

What is the Act saying to HE Marketing and Communication?

• When the marketing is done through the Social Media

…data subjects give consents and have options to opt out on these

platforms…

What could happen if your institution does not comply with PoPI?

Your institution may:

• Suffer reputational damage

• Participation of Alumni and other donors in the fund raising projects may be negatively affected

What could happen if your institution does not comply with PoPI?

• Lose current students and fail to attract new ones

• Be fined up to R10 million or face 10 years imprisonment for non-compliance

What could happen to an employee who does not comply?

• A data subject (e.g. student) whose personal information has been leaked will report to the Regulator

• The Regulator will, in coordination with the institution, investigate the matter and if the institution is found guilty, the University will be fined.

What could happen to an employee who does not comply?

• The results of the Regulator’s investigation will point out specific employee(s) involved in the leaking of the information concerned

• The institution will obviously take measures against an employee who leaked the personal information

MY CONTACT NUMBER

072 957 2978

APPRECIATION

For Listening

For Your Time

Thank You