Send your POPIA-related questions to: popia@uct.ac.za.
UCT Guidance
The Protection of Personal Information Act 4 of 2013 (POPIA) came into full effect on 1 July 2021. The Act governs all research activities involving identifiable personal information. Whether it's conducting surveys, collecting personal information, or analysing records, compliance with POPIA is essential. To assist with these requirements, we've compiled a list of frequently asked questions and answers regarding the handling of personal information in research.
National Guidance
The Academy of Science of South Africa (ASSAf) has developed a POPIA Compliance Framework after extensive consultation with other regulatory bodies, higher education institutions, industry and legal consultants. This document is a guideline for researchers and institutions to strengthen their practices and processes as they relate to POPIA implementation and compliance in the context of research. Please download the document using the link on the right-hand side.
POPIA Information Sessions
A series of engagement sessions for staff and researchers that provide an overview of the UCT Information Security Policy and UCT Privacy and Data Protection Policy are highlighted below:
In an online presentation on 7 June 2021, Elizabeth de Stadler, the founder of legal, compliance and risk management consultancy Novation Consulting, addressed more than 400 University of Cape Town (UCT) staff on the implementation of the Protection of Personal Information Act 4 of 2013 (POPIA). Read the news story and access the slides.
A series of InfoSessions followed, in 2022.
1. Understanding POPIA: A general overview and Q&A session
This introductory workshop provided a high-level understanding of POPIA and when it applies. The workshop included some practical tips on how to recognise POPIA red flags and what to do when you do.
- What is personal information?
- Who is protected by POPIA?
- A high-level overview of POPIA principles.
- What are POPIA red flags?
- Who you should call.
2. POPIA for researchers
POPIA has implications for all research involving human research participants. POPIA is not a threat to research activities, because it balances the right to privacy against the public interest in research activities. However, research activities must be assessed to make sure that the impact on research participants is properly managed by researchers. The draft ASSAf Code of Conduct for Research (CoC) was also covered.
- What do POPIA and the CoC say (and not say) about research?
- How to assess whether your research is high risk.
- How anonymous is anonymous enough?
- Storing and securing research data: Do’s and don’ts.
- Sharing research data with other institutions or open access repositories.
- What to do if you are uncertain.
3. New rights in terms of POPIA
POPIA has given all individuals and organisations new privacy rights. It is important to understand these rights for yourself, but also so you know what to do when you receive a ‘data subject request’ from, for example, students, alumni, staff, vendors, research participants, visitors and members of the public.
- What is a data subject request and where to find UCT’s privacy notices.
- The right to access personal information (but be careful!).
- Correcting or deleting personal information: Some tips.
- The right to object or withdraw consent: It is very limited.
- Will POPIA stop spam? Probably not.
- The right to complain to the Information Regulator.
4. When can you share personal information?
In a post-POPIA world, the University has to be very careful when sharing personal information with individuals or organisations outside of the University. We even have to be careful when we share personal information between different business units within the University. Careless sharing of personal information is one of the most common POPIA complaints. What does being careful when you share mean?
- When are you allowed to share personal information with outsiders? A quick checklist.
- What contracts need to be in place first?
- When is it okay to share personal information with others in the University?
- When can you use personal information you already have for a new purpose?
- How to share personal information securely.
Download the slides.
5. When the POPIA hits the fan: Who is going to jail?
If the worst comes to worst and the University has a data breach, or someone lodges a complaint, what are the consequences? Are there steps we can take now to mitigate those consequences?
- What are the different things that can go wrong?
- What are the consequences of non-compliance with POPIA?
- What can we do to mitigate these consequences?
- When can the University get fined?
- When can the VC go to jail?
- When can a staff member be disciplined for noncompliance?
6. Securing personal information: The basics
Hardly a day goes by without data breaches or cybercrime being in the news. What are the simple behavioural changes that all staff can commit to in order to protect themselves and the University?
- How do security incidents happen? Some statistics.
- What is a staff member responsible for?
- What are the things we can all do to secure information?
- It is not all about cyber. Physical security is important too.
POPIA webinar to introduce the ASSAf CoC
The Academy of Science of South Africa (ASSAf) has developed a Code of Conduct (CoC) for researchers to assist with compliance with the Protection of Personal Information Act (POPIA) in a research context. Once approved by the POPIA national regulator, the code will be binding on all researchers working with the personal information of South African data subjects.
On 27 September 2022, a webinar introduced the code to UCT researchers and provided information on how researchers can submit comments to the UCT POPIA core working group for collation and submission to the ASSAf drafting committee.