PRESS COUNCIL OF SA – GUIDANCE NOTE V
JULY 2021
POPIA IN MEDIA COMPANIES, NEWSROOMS AND OTHER DIVISIONS
The Protection of Personal Information Act 4 of 2013
This document does not constitute legal advice. It is up to you to ensure that you acquire expert advice and a POPIA policy that meets your company’s requirements.
Introduction
South Africa’s Protection of Personal Information Act will become fully enforceable on July 1, 2021. The purpose of this note is to briefly explain POPIA in a media context.
The Act applies differently to editorial and non-editorial divisions of media companies, and this note sets out how the different divisions are to go about implementing it.
This guidance note only applies to media entities that subscribe to The Code of Ethics and Conduct for South African Print and Online Media (Press Code).
What POPIA is about
The Protection of Personal Information Act is about protecting personal information. When dealing with Act 4 of 2013, the act itself should always be your primary source. However, summaries and notes like this may come in handy.
POPIA and the media
Media companies face a unique challenge in that they have editorial departments that gather news – an activity where a lot of personal information is collected. Section 7 of POPIA excludes the collection and processing of personal information for purposes of journalism (if the processor subscribes to a code such as the Press Code).
This means that non-editorial divisions of media companies will be governed by POPIA when gathering and processing personal information at all times.
However, when editorial divisions gather and process personal information for the purposes of journalism, they are bound by the Press Code’s safeguards for the protection of personal information (clause 4 of the Press Code).
In practice, media companies will have to take great care to avoid scenarios where personal information gathered for editorial purposes is provided to non- editorial divisions where it may be used for different purposes, such as marketing or sales.
Who is responsible for implementing POPIA?
Each media company must have an Information Protection Officer (IPO), who will be responsible for the company’s implementation of POPIA and the Promotion of Access to Information Act (PAIA). If no person has been assigned that role, the head of the entity will automatically be the IPO.
Information Protection Officers must register with the Information Regulator as soon as possible. The Information Regulator is the body tasked with monitoring POPIA and PAIA implementation. Do this by filling out the form on page 23 of the document titled ANNEXURE A (attached).
Registration can be done via https://www.justice.gov.za/inforeg/, or you can e- mail your completed form to [email protected].
Note that the document titled ANNEXURE A contains a summary of information that IPO’s should take note of as provided by the Information Regulator.
What does an IPO have to do?
Ensure that your company has a POPIA policy. It is your responsibility to ensure that your company has a proper policy that is tailor-made in accordance with your company’s functions, operations and needs.
Not sure where to start? The document titled ANNEXURE B contains an example of a POPIA policy draft text. It is attached hereto for your reference and perusal.
Those with whom your company interact must know about your policy, and they must consent to whatever you do with their data - before you do it. An example of draft e-mail disclaimers for editorial and non-editorial outgoing mail has been attached hereto. It is titled ANNEXURE C.
Discussion on POPIA
You may access and distribute this video discussion on POPIA on the Press Council’s website. It will assist you in understanding the act in a media space and go a long way towards explaining it.
NOTICE
|
POPIA IN MEDIA COMPANIES, NEWSROOMS AND OTHER DIVISIONS
ANNEXURE B
This document does not constitute legal advice. It is up to you that you acquire expert advice, and a POPIA policy that meets your company’s requirements.
1. What POPIA is about
The Protection of Personal Information protects personal information from misuse and abuse.
Visit https://popia.co.za/ to access the act.
You will note that it has an elaborate definition clause. Because it is so voluminous, this notice cannot possibly feature all aspects of the act. Remember that Act 4 of 2013 is your primary source on all things POPIA.
2. Where to find key definitions:
Click here for a list of key definitions: https://popia.co.za/section-1-definitions/ .
3. What are your rights as a data subject?
It includes, but is not limited to:
4. Our newsroom and POPIA
We have an editorial department. In terms of Section 7 of the act, a Responsible Party who processes Personal Information for exclusively journalistic purposes, and who is subject to the Press Code, is excluded from the working of the act.
Such a journalist or editor is subject to clause 4 of The Press Code of Ethics and Conduct for South African Print and Online Media:
“4. Protection of Personal Information The media shall:
4.1. take reasonable steps to ensure that the personal information under their control is protected from misuse, loss, and unauthorized access; 4.3. take steps to verify the accuracy of their information and, if necessary, amend it where a person requests a correction to be made to his or her personal information; 4.4. only disclose sufficient personal information to identify the person being reported on as some information, such as addresses, may enable others to intrude on their privacy and safety; and 4.5. inform the affected person(s) and take reasonable steps to mitigate any prejudicial effects where it is reasonably suspected that an unauthorized person may have obtained access to personal information held by the media.” |
Any alleged interference with the protection of the personal information of a data subject
that may arise as a result of such processing must be adjudicated as provided for in terms of the Press Code. Report such instances at www.presscouncil.org.za.
5. Our non-newsroom divisions fall within the ambit of POPIA
We undertake to:
We follow the principles of lawful processing when dealing with personal information. This means, among other things, that we take reasonable steps to ensure that our personal information records are updated and accurate. We are open about our practices and implement reasonable security safeguards when dealing with personal information.
Our company’s Information Protection Officer is _______________. You can contact him/her at _______________.
You can contact the Information Regulator at [email protected].
POPIA IN MEDIA COMPANIES, NEWSROOMS AND OTHER DIVISIONS
ANNEXURE C
This document does not constitute legal advice. It is up to you that you acquire expert advice, and a POPIA policy that meets your company’s requirements.
EXAMPLE: DISCLAIMER FOR NON-EDITORIAL EMPLOYEES
The Company complies with the Protection of Personal Information Act (POPIA) and has adopted a policy to this effect (hyperlink to policy). If you submit your personal information to the sender of this correspondence, you confirm that you have read and understand the company’s POPIA policy, and that you are aware of your rights as a data subject. You agree, and make the informed decision, that your personal information may be recorded and processed by the Company in executing its day-to-day activities, being… (Insert daily activities such as printing, publishing and distribution).
EXAMPLE: DISCLAIMERS FOR EDITORIAL EMPLOYEES
This journalist voluntarily subscribes to the Press Council of South Africa’s Press Code of Ethics and Conduct for South African Print and Online Media. The collection and/or processing of personal information is done in accordance with this code.