- POPIA sets out eight key conditions:
- Processing limitation - minimality - disassociability
- Purpose specification
- Further processing limitation
- Information quality
- Openness - transparency
- Security safeguards - confidentiality, integrity and availability
- Data subject participation - intervenability
- These conditions should lie at the heart of your approach to processing personal information.
Section 4 of POPIA sets out eight conditions which form the basis for the protection of personal information. These conditions prescribe the minimum threshold requirements for the lawful processing of personal information. The aim is to regulate the manner in which personal information is processed. These conditions should be established in harmony with international standards.
Section 4(1) states that the conditions for the lawful processing of personal information by or for a responsible party are:
- ‘‘Accountability’’, as referred to in section 8;
- ‘‘Processing limitation’’, as referred to in sections 9 to 12;
- ‘‘Purpose specification’’, as referred to in sections 13 and 14;
- ‘‘Further processing limitation’’, as referred to in section 15;
- ‘‘Information quality’’, as referred to in section 16;
- ‘‘Openness’’, as referred to in sections 17 and 18;
- ‘‘Security safeguards’’, as referred to in sections 19 to 22; and
- ‘‘Data subject participation’’, as referred to in sections 23 to 25.”
Section 8 adds that:
“The responsible party must ensure that the conditions, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.”
Section 1 defines "responsible party"
“a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.”
Why are the conditions important?
The conditions lie at the centre of POPIA. They are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime - and as such there are very limited exceptions.
An interference with the protection of the personal information of a data subject consists of a breach of the conditions with the spirit of these key conditions for the lawful processing of personal information. These conditions are therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of POPIA.
Failure to comply with the conditions may leave you open to complaints, claims and substantial fines.