PAIA Manual


Hereinafter referred to as the FSP

  1. Background to data protection compliance

POPI refers to South Africa’s Protection of Personal Information Act 4 of 2013, which seeks to regulate the Processing of Personal Information.

  1. Aim of the Act

The Protection of Personal Information Act will significantly affect the way in which businesses, including Financial Services Providers (FSPs), collect, store, process and disseminate information from and to clients and employees. The legislation promotes the protection of personal information processed by public and private bodies and introduces conditions for lawful processing (information protection principles) that establish minimum requirements for the processing of personal information.

  1. Personal information

Personal information broadly means any information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person (companies, close corporations or trusts) and includes, but is not limited to:

  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.

  1. Processing

Processing means anything done with personal information, including collection, use, storage, dissemination, modification or destruction, whether or not by automatic means.

  1. Obligations and Responsibilities of the FSP

The obligations and responsibilities of the FSP are as follows:-

  1. Data protection compliance in terms of the Act

POPI promotes transparency with regard to what information is collected and how it is to be processed. This openness is likely to increase the client’s confidence in the FSP.

  1. Application of the POPI Act

Accountability for compliance lies with a Responsible Party, meaning a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information.

The Act applies where the Responsible Party is domiciled in South Africa, or is not domiciled in South Africa but makes use of automated or non-automated means of processing in South Africa (section 3 of Act 4 of 2013).

There are cases where POPI does not apply.

  1. Exclusions

(Section 6 of Act 4 of 2013)

  1. Database protection measures

The following measures will be taken by the FSP to protect the personal information held in its databases and to improve their overall reliability.

Database protection measures adopted by the FSP:

Compliance demands identifying the Personal Information of our clients that the FSP holds, and taking appropriate, reasonable technical and organisational measures to secure its integrity and confidentiality (section 19 of Act 4 of 2013). This is likely to reduce the risk of data breaches and the associated reputational and legal consequences for the FSP.

  1. Consequences of non-compliance

Non-compliance with the POPI Act could expose the FSP, as Responsible Party, to a fine and/or imprisonment of up to 12 months. For the more serious offences the penalty could be a fine and/or imprisonment of up to 10 years (section 107 of Act 4 of 2013).

  1. Contents of the Act

The Act is divided into 12 Chapters, as follows:-

Chapter 1

Definitions and Purpose

Chapter 2

Application Provisions

  • The wide ambit of the Act necessitates certain exclusions as far as its application is concerned (sections 6 and 7)

Chapter 3

Conditions for Lawful Processing of Personal Information

  • This chapter contains the 8 (eight) conditions for lawful processing (the information protection principles):
  • Accountability
  • Processing limitation
  • Purpose specification
  • Further processing limitation
  • Information quality
  • Openness
  • Security safeguards
  • Data subject participation

Chapter 4

Exemption from Conditions for Processing of Personal Information

Chapter 5

Supervision

  • This chapter deals with the Information Regulator and Information Officers

Chapter 6

Prior Authorisation

Chapter 7

Codes of Conduct

Chapter 8

Rights of Data Subjects regarding Direct Marketing by means of Unsolicited Electronic Communications, Directories and Automated Decision Making

Chapter 9

Transborder Information Flows

Chapter 10

Enforcement

Chapter 11

Offences, Penalties and Administrative Fines

Chapter 12

General Provisions

  1. Data compliance: Internal controls checklist

The following internal controls have been implemented and adopted by the FSP to help it accomplish specific goals and objectives.

The 4 (four) key components considered by the FSP when evaluating internal controls for data security are:

  • Ownership
  • Risk alignment
  • Monitoring and testing
  • Control limitations


One of the central components of control strength is ensuring there is clear ownership. There must be a clear indication as to who within the FSP is responsible for the control.

The true owner of the control has the knowledge of:


The danger with many internal controls is that they are created to report a “perceived” risk without a real analysis of the inherent threat. Without a clear understanding of both the real threat and its potential impact, it is impossible to design the appropriate control.

Internal controls do not eliminate risk; they only bring it within acceptable tolerance levels. There is always a component of risk, despite the presence of a control.

Risk alignment measures taken by the FSP:


One of the most misunderstood areas in all of internal control management, and perhaps one of the most critical, is that of monitoring and testing.

Control monitoring involves understanding who is overseeing a control on a day-to-day basis to ensure it is being used.

The key individuals are responsible for:

Control testing involves a deliberate process of testing a given control to ensure it is being used as intended, and is typically done periodically.


Because staff members need to access data to perform their job functions, the data is inherently exposed. The FSP needs to be aware of which risks are mitigated through internal controls and which risks remain.

Control limitations involve:

The central theme running through this internal controls checklist is that internal controls need to be carefully understood, evaluated and monitored if they are to accomplish what the FSP intends for them. Taking a deliberate and thoughtful approach to strengthening and regularly reviewing internal controls is critical to ensuring compliance with legal and regulatory requirements.