POPIA for the media: resources and guides

This article does not constitute legal advice.
It is up to media companies to ensure they acquire expert advice and a POPIA policy that meets their requirements.

Introduction

South Africa’s Protection of Personal Information Act (POPIA) will become fully enforceable on 1 July 2021.

The purpose of this note is to briefly explain POPIA in a media context.

The Act applies differently to editorial and non-editorial divisions of media companies, and this note sets out how the different divisions are to go about implementing it.

This guidance note only applies to media entities that subscribe to the Press Code of Ethics and Conduct for South African Print and Online Media.

What POPIA is about

The Act is about protecting personal information. When dealing with it, the Act itself should always be your primary source. However, summaries and notes like this may come in handy.

POPIA and the media

Media companies face a unique challenge in that they have editorial departments that gather news – an activity where a lot of personal information is collected.

Section 7 of POPIA excludes the collection and processing of personal information for purposes of journalism if the processor subscribes to a code such as the Press Code

This means that non-editorial divisions of media companies will be governed by POPIA when gathering and processing personal information at all times. However, when editorial divisions gather and process personal information for the purposes of journalism, they are bound by the Press Code’s safeguards for the protection of personal information (see clause 4).

In practice, media companies will have to take great care to avoid scenarios where personal information gathered for editorial purposes is provided to non-editorial divisions where it may be used for different purposes, such as marketing or sales.

Who is responsible for implementing POPIA?

Each media company must have an Information Protection Officer (IPO), who will be responsible for the company’s implementation of POPIA and the Promotion of Access to Information Act (PAIA). If no person has been assigned that role, the head of the entity will automatically be the IPO.

Information Protection Officers must register with the Information Regulator – the body tasked with monitoring POPIA and PAIA implementation – as soon as possible.

Do this by filling out the form on Page 23 of the document titled ANNEXURE A. This document also contains a summary of information that IPOs should take note of, as provided by the Information Regulator.

Registration can be done via https://www.justice.gov.za/inforeg/, or you can e- mail your completed form to [email protected].

What does an IPO have to do? 

Ensure that your company has a POPIA policy. It is your responsibility to ensure that your company has a proper policy that is tailor-made, in accordance with your company’s functions, operations and needs.

Still not sure where to start?

The document titled ANNEXURE B contains a POPIA policy draft text for your reference and perusal. Those with whom your company interacts must know about your policy, and they must consent to whatever you do with their data – before you do it.

Draft e-mail disclaimers for editorial and non-editorial outgoing mail can be found in ANNEXURE C.

Access and distribute these video discussions on POPIA created by Press Council adjudicator Helene Viljoen to assist you in understanding the Act in a media space.

• POPIA 101 for media companies, and
• POPIA training for newsrooms