“With all the talk of POPIA coming into effect and businesses having to get ready to comply, I was wondering whether government and municipalities also need to comply with POPIA. Surely, government entities have a lot of personal information in their possession that they must protect.”
The Protection of Personal Information Act 4 of 2013 (“POPIA”) has been enacted to give effect to the constitutional right to privacy as enshrined in section 14 of the Constitution of the Republic of South Africa, 1996. POPIA does this by putting measures in place to safeguard personal information when it is processed by a public or private body, or any other person, which alone or in conjunction with others determines the purpose of and means for processing personal information. Any such body processing personal information is referred to as a ‘responsible party’.
To answer your question: yes, government must comply with POPIA. POPIA determines that a public body is also deemed to be a responsible party for purposes of POPIA. A public body is any department of state or administration in the national or provincial sphere of government, or any municipality in the local sphere of government, or any functionary or institution when exercising a power or performing a duty in terms of the Constitution or a provincial constitution, or exercising a public power or performing a public function in terms of any legislation.
POPIA therefore applies equally to public and private entities when it comes to the processing of personal information. That said, POPIA does create certain exceptions. It excludes public bodies from its application where they process personal information that involves national security (including activities that are aimed at assisting in the identification of the financing of terrorist and related activities), defence or public safety, or where the purpose of the processing is the prevention, detection (including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities), investigation or proof of offences, the prosecution of offenders, or the execution of sentences or security measures. These exclusions apply to the extent that adequate safeguards have been established in legislation for the protection of such personal information.
However, unless exempted, government will need to comply with POPIA in the same way as any other responsible party.