The POPI Act and my ministry: Control or Protection?
By Mike Burnard – on request of LoveGeorge
We are all swamped with unwanted phone calls, emails (usually junk mail), or SMSs from people who want to introduce us to a cause, a service, or a product that we have no interest in. The good news is that the POPI Act (Protection of Personal Information Act), which was already endorsed by the government in 2013, was approved on 22 June 2020 and came into effect on 1 July 2020.
Few charities and churches recognised that the law is applicable to them as well and that they are accountable for providing legal documents if and when required.
Why the POPI Act?
It is important to clarify that the law and the subsequent requirements are ways of protection and NOT control. The new law should be applauded and observed – by all, especially the Christian community, which places a high value on its witness.
The purpose of this new law is to regulate the processing of personal information. It exists to protect you, as a consumer, against identity theft and illegal money exchange, and to prevent your personal information from landing in the wrong hands.
In short, what it amounts to is that a responsible party – including businesses, charities, mission organisations, and Churches – must protect the integrity and confidentiality of personal information in their possession or under their control by introducing applicable, fairly technical, and organisational measures.
Does it apply to my ministry?
Yes, the POPI Act applies to everybody who processes any type of records that contain personal information of people. It therefore lays down the minimum standards for the protection of personal information. Processing comprises the collection, receipt, recording, organising, retrieval or use of such information. It also includes the distribution and release of such information (free of charge or against payment).
“Personal Information” broadly means any information relating to an identifiable, living natural person or juristic person (companies, CCs etc.). This includes, but is not limited to:
- contact details: email, telephone, address etc.
- demographic information: age, sex, race, birth date, ethnicity etc.
- history: employment, financial, educational, criminal, medical history
- biometric information: blood type etc.
- opinions of and about the person
- private correspondence etc.
“Processing” means broadly anything done with the Personal Information, including collection, usage, storage, dissemination, modification, or destruction (whether such processing is automated or not).
Some of the obligations under POPI are to:
- only collect information that you need for a specific purpose.
- apply reasonable security measures to protect it.
- ensure it is relevant and up to date.
- only hold as much as you need, and only for as long as you need it.
- allow the subject of the information to see it upon request.
So, in a nutshell, if your church, charity, or organisation is in possession of a database with names that you contact, send newsletters or news bulletins to, then you are legally required to comply with the POPI Act.
According to the Act, there are cases where POPI does not apply. Exclusions include where names are acquired for purely household or personal activity.
How do I do this?
All charities will have the responsibility to comply with the Protection of Personal Information Act No. 4 of 2013 (POPI Act). When required, a detailed account should be provided about members of a database, subscribers, and supporters. Sending our newsletters and news bulletins should therefore be reviewed in the context of permission given by recipients and proof of subscriptions.
Here are some guidelines:
- Appoint a POPI Information Officer (IO) – If you are a small organisation or church this can be a volunteer but there needs to be a designated person, legally employed – with or without remuneration – that can maintain and control your database and give an account of every member when and if required.
- Complete the formal appointment process with a document, thereby making it legal.
- Make sure the IO is aware of the legal requirements and is in close communication with the director, CEO or Pastor. The appointed IO should review the current Privacy Policies of the organisation/church and ensure your manual follows the prescribed layout and includes the necessary details.
- Every subscription should be filed and be available should it be required. Subscription forms, emails, and messages should all be kept together for inspection.
- The IO should review the current database as well as the database lifecycle (acquisition, processing, retention, and destruction practices) and develop appropriate measures to ensure ongoing compliance.
- The IO should inform all staff about legal requirements for data acquisition and data storage.
- The IO should identify the types of devices on which data is stored and complete a security analysis to limit security risks.
- The IO should review existing relevant policies and ensure that these policies are appropriate, obtainable, and enforceable.
- The IO should review all media platforms such as website, Facebook, WhatsApp, Instagram, Twitter, etc., and implement a “best practice” policy such as Cookie notifications, subscription policies, and privacy guidelines.
- Newsletters and news bulletins should always include an opt-out message in case subscribers decide to unsubscribe.
Understand that the new requirements are ways of protection and not control. Approach it as “Business-As-Usual” and ensure ongoing monitoring of data protection. Build POPI into your everyday operations.
The list above contains guidelines only and is not a comprehensive list for legal compliance. For bigger institutions and businesses, a more detailed list is provided at:
For more information and assistance contact: https://popi-compliance.co.za/contact/
You can also visit: