The Protection of Personal Information Act, 2013 (Act No. 4 of 2013), otherwise known as POPIA, came into effect on 1 July 2020. Responsible parties were granted a grace period of 12 months to ensure compliance with POPIA by 30 June 2021. This means that responsible parties must be able to prove compliance from 1 July 2021. The Information Regulator of South Africa may not yet be fully geared for monitoring compliance on a regular basis, but the regulator will investigate, if any claims are lodged against responsible parties. The consequences for non-compliance are significant.
The key questions to consider are:
• Who does the Act apply to?
• What needs to be put in place to ensure compliance with POPIA?
• How does this affect auditors?
Who does the Act apply to?
POPIA applies to all South African organisations, both public and private, which collect, create, use, store, share, or destroy personal information. This includes sole proprietors, partnerships, companies and other juristic persons, as well as government.
The Information Regulator may decide to exempt some natural persons, and small to medium-sized entities. However, currently, the only exclusions allowed by the Act include the processing of personal information:
• In the course of a purely personal or household activity
• That has been de-identified to the extent that it cannot be re-identified again
• By or on behalf of a public body –
  ◦ which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or
  ◦ where the purpose is the prevention, detection, including assistance with the identification of the proceeds of unlawful activities and the combating of money-laundering activities, investigation or proof of offences; or the prosecution of offenders, or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information
• Solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.
Audit firms and their clients most definitely fall within the ambit of the Act.
What needs to be put in place?
Employers need to ensure that they lawfully process information, appoint an Information Officer, and implement safeguards to secure the integrity and confidentiality of any personal information in their possession or control.
Key matters to put in place to ensure compliance:
1. Register an Information Officer with the Information Regulator.
2. Hold awareness sessions for staff on POPIA.
3. Update engagement letters to include POPIA consent requirements.
4. Contact all service providers to get updated written agreements.
5. Perform an impact assessment to identify risks and safeguards.
6. Determine what type of personal information is processed, and classify it.
7. Document what steps to follow, should there be a breach.
8. Document retention periods for information stored.
9. Document a compliance framework.
10. Develop or update the PAIA Manual.
11. Include ‘opt-out’ notices in all mailings to clients.
12. Delete or shred personal information no longer needed.
13. Maintain an information access control register.
How does this affect auditors?
The requirements of POPIA apply to audit firms and their clients. Audit firms need to set the example by becoming fully compliant, including updating audit and other assurance and related services engagement letters to include POPIA consent requirements. The impact on the engagement letters is not that significant, especially since auditors already need to comply with confidentiality requirements, but a paragraph should be included to ensure that clients are aware and provide consent by signing the engagement letter.
Auditors need to consider, as part of their audit engagement, compliance with laws and regulations, in terms of ISA 250 (Revised). This includes verifying their clients’ compliance with POPIA requirements. Responses to instances of non-compliance need to comply with NOCLAR requirements, according to the IRBA Code of Professional Conduct, and may lead to further reportable irregularity considerations, which may have a potential impact on the audit report.
Auditors need to become fully compliant, and need to start evaluating compliance on behalf of their clients as well. LEAF is set to guide you on your compliance journey.
References:
1. Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
2. IAASB: ISA 250 (Revised), Consideration of Laws and Regulations in an Audit of Financial Statements, effective for audits of financial statements for periods beginning on or after 15 December 2017.
3. IRBA: IRBA Code of Professional Conduct for Registered Auditors (Revised November 2018), November 2018.