Document Management and The Protection of Personal Information Act


“Hello, could you please fill in your name, surname and email address”, “Hi there, could you please confirm your physical address, cell number and date of birth”. Throughout your day you are handing over countless pieces of personal information to various entities. What are they doing with this information? Where are they storing it and how can you be sure that no one else will have access to this information?

The Protection of Personal Information Act ensures that your right to privacy is protected against the right to access information and the right to freedom of expression. This means that although people have the right to access information and the right to freedom of expression, these rights are not absolute and are limited to your right to privacy.

This act regulates the way in which personal information may be processed and applies to personal information entered in a record through automated or non-automated means. Automated means refers to any equipment that is capable of operating in response to instructions given to process information.

According to POPI, Companies need to ensure that they implement lawful processing of personal information.

The conditions for lawful processing:

  1. Accountability: The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.
  2. Processing Limitation: personal information may only be processed with consent of the subject, if it is necessary to carry out actions in service of a contract, the processing protects the legitimate interest of the subject or if processing is necessary for the company to pursue its legitimate interests. The purpose for processing the information must be adequate, relevant and not excessive. The information may only be processed lawfully and in a manner that does not infringe the privacy of the data subject. Personal information must be collected directly from the data subject unless it is derived straight from a public record or consent has been given to another source to collect the information.
  3. Purpose specification: Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. Steps must be taken to ensure that the data subject is aware of the reason for collection of this information unless circumstances dictate otherwise. Records of personal information must not be retained any longer than necessary for achieving the purpose for which the information was collected or processed unless other reasons dictate otherwise. This information may not be kept for historical, statistical or research purposes if the responsible company has established appropriate safeguards against the records being used for any other purposes. A responsible party must destroy or delete a record of personal information or de-identify it as soon as the purpose of this information has been fulfilled and this deletion of information must be done in a way that prevents it from being reconstructed.
  4. Further processing limitation: Further processing of personal information must be compatible with the purpose for which it was originally collected for.
  5. Information Quality: A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
  6. Openness: A responsible party must maintain the documentation of all processing operations under its responsibility. If personal information is collected, the responsible party must ensure that the data subject is aware of the information being collected, the name and address of the reasonable party, the purpose for information collection, whether the data subject can choose to supply this information, the consequence of failure to provide this information, any law authorizing/requiring the collection of the information and whether or not the responsible party intends to transfer this information to a third country or international organisation and what level of protection these entities offer to personal information.
  7. Security Safeguards: A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking measures to prevent loss of, damage to or unauthorized destruction of personal information and unlawful processing of this information. Anyone processing this information must treat it with confidentiality and must not disclose it. When there are reasonable grounds to believe that the personal information has been accessed by an unauthorized person, the responsible party must notify the regulator and the data subject – unless they can’t be identified.
  8. Data Subject Participation: A data subject, having provided adequate proof of identity, has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information. The data subject may also request that their personal information is updated or deleted.

A document management system ensures that you, as the company can abide by the conditions, laws and regulations outlined in the act and protect the privacy of customers, clients and employees  whose personal information you have stored. Document management ensures you can find information, sort it, retrieve it, fax it, email, generate information, disseminate it, most importantly – safeguard, and destroy information after the prescribed amount of time as per the Protection of Personal Information Act.

Workflow capabilities are embedded in a document management system, which assists with controlling and managing routine processes. Using a workflow system will allow you to issue commands that destroy documents and personal information within a certain period or they can even prompt you to update this information.

The personal information of your clients, customers and employees has been provided to you in confidence and it is your duty to ensure that there are correct measures in place to maintain their confidence and remain accountable for this information.