The responsible person must ensure that the 8 conditions of POPI are followed and adhered to
Must be lawfully processed, in a reasonable manner.
May only be processed if it is adequate, relevant and not excessive.
Must have been consented to and collected directly from the subject (subject to provisions)
Collected for a specific and explicitly defined and lawful purpose – related to the activity or function of the responsible party
Take steps to ensure that the subject is aware of the data collection
Records must not be detained for longer than necessary
FURTHER PROCESSING LIMITATION
Must be in accordance with the purpose for which it was collected
Responsible party must take account of the relationship between purpose of intended further processing and the initial purpose of collection
Responsible party must take reasonable practicable steps to ensure information is complete,
accurate and not misleading.
It must be updated where necessary and take into account the purpose for which collected
Responsible party must maintain the documentation of all processing operations as referred to in section 14 or 51 of PAIA -
Responsible party must take reasonable practical steps to ensure the subject is aware of
the information being collected, the purpose and the source.
If provision of information is voluntary or mandatory and the consequences of the
failure to do so.
Prior collection of data eradicates the need to follow above steps if the purpose
is the same.
Responsible party must secure the integrity and confidentiality of personal information
in its possession or under its control
Take reasonable technical and organisational measures to prevent loss of, damage, unlawful
access or unauthorised destruction
This includes risk management and steps to identify threats
The regulator and subject must be informed if there has been or a reasonable expectation
of a breach of security
DATA SUBJECT PARTICIPATION
A data subject, with adequate proof of identity has the right to request a responsible party
to confirm, free of charge, whether they hold personal information of the subject
Data subject may request the correction or deletion of personal information that is
inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully