Almost all organisations are faced with the challenge of achieving and maintaining compliance with the POPI Act. This handy Self-Assessment allows you to quickly identify the areas you need to focus on to be compliant with the POPI Act. Score one point for each “Yes” answer and then read the rating scale for your score below.
*Protection of Personal Information Act No. 4 of 2013 (POPI Act).
| Item # | Self-Assessment Item | Yes/No |
|---|---|---|
| 1 | Have we appointed an Information Officer? (Accountability) | |
| 2 | Do we have a policy for dealing with Personal Information protection issues? (Accountability) | |
| 3 | Can we prove we have trained our staff in their duties and responsibilities under the Act, and are they putting them into practice? (Accountability) | |
| 4 | Can we show the Personal Information gathered is not excessive? (Minimality) | |
| 5 | Do we know what we are going to use the Personal Information for? (Specific purpose) | |
| 6 | Can we prove that the people whose Personal Information we hold know that we’ve got it, and are they likely to understand what it will be used for? (Consent) | |
| 7 | For staff contact details on our website, do we have consent for this? (Consent) | |
| 8 | Do we have a POPI-compliant privacy notice on our website? (Consent) | |
| 9 | If we want to monitor staff, for example by checking their use of email, have we told them about this, explained why and got their consent? (Consent) | |
| 10 | Can we prove we are respecting the rules about Special Personal Information? (Special Personal Information) | |
| 11 | Can we prove the Personal Information is accurate and up to date? (Information Quality) | |
| 12 | Would my staff know what to do if one of my employees or other individuals asks for a copy of Personal Information we hold about them? (Openness) | |
| 13 | Can we prove the Personal Information is being held securely, whether it’s on paper or on computer or any other format? (Security safeguards) | |
| 14 | Do we have an up-to-date PAIA manual on our website? (Openness) | |
| 15 | Can we prove access to Personal Information is limited only to those with a strict need to know? (Security safeguards) | |
| 16 | If we are asked to pass on Personal Information, are my staff clear when the POPI Act allows them to do so? (Further processing) | |
| 17 | Do we delete/destroy Personal Information as soon as we have no more need for it? (Effective destruction & Retention Periods) | |
| 18 | Do we have a process to handle Data Subject requests? (Information Officer) | |
| 19 | Can we prove we are complying with the rules about Electronic Direct Marketing? | |
| 20 | Can we prove we are complying with the rules about Trans-border flows? | |
| Score | Rating | Recommendation |
|---|---|---|
| 0 – 5 | DANGER ALERT: This indicates you fail to reach compliance to a very great extent. | Act now by completing a full assessment and implementing a remedial action plan. |
| 6 – 10 | HEALTH-CHECK ALERT: You have made some progress but there are still lots of areas that are non-compliant. | Act now by completing a full assessment and implementing a remedial action plan. |
| 11 – 15 | YOU ARE GETTING THERE: Well done, you are on the road to achieving compliance. | Focus on those areas which scored zero. |
| 16 – 20 | WELL DONE: You are in good shape but still have some work to do. | Make sure you have all the proof needed to justify your score and focus on achieving the same performance level in the remaining areas. And remember, achieving and maintaining compliance is a journey, not a destination. |
Acknowledgement: This self-assessment was developed by Dr Peter Tobin & Mr John Cato.
For more information and practical advice please contact the authors of this self-assessment who have the knowledge, skills and experience to support you in your journey to compliance with the POPI Act:
Or visit www.iact-africa.com/popi.html
This article was submitted by Dr Peter Tobin.