The POPI Act
The Protection of Personal Information (POPI) Act (No. 4 of 2013) is a governmental regulation designed to protect the personal information of South African citizens, similar to the General Data Protection Regulation (GDPR) in Europe. If you are collecting personal information of SA citizens (for instance, through interviews, focus groups, or surveys that collect identifiers such as names and contact information), you need to ensure compliance with the POPI Act.
The core focus of POPI in a research context is ensuring that, if personal identifiers must be collected, they are stored in a secure, access-controlled location to prevent the data being harvested and used by third parties. POPI does not prevent open data sharing. In fact, open data sharing, by virtue of the need to remove personal identifiers from shared datasets, complies entirely with POPI. In research, POPI mainly affects the research process, for example being strategic in storing only de-identified datasets on cloud storage, and ensuring that on-site storage (personal hard drives, external hard drives, the UCT G Drive) is strictly access-controlled and limited to named and designated individuals.
Further general reading about the POPI Act is available below:
- http://www.popiact-compliance.co.za/popia-information
- http://www.popiact-compliance.co.za/popia-information/14-transfer-of-personal-information-out-of-south-africa
- https://inforegulator.org.za/guidance-notes/