POPIA Page pic

Protection of Personal Information Act No. 4 of 2013

Some words of wisdom

You can’t lose what you don’t have – keep as little PI and SPI as possible!

Start thinking in terms of privacy in your daily life.

Try to protect the environment by minimising printing and doing as much as you can digitally.

What is the Protection of Personal Information Act (“POPIA” or “POPI Act”)?

www.gov.za says that it aims:

  • To promote the protection of personal information processed by public and private bodies
  • To introduce certain conditions to establish minimum requirements for the processing of personal information.
  • To provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000,
  • To provide for the issuing of codes of conduct.
  • To provide for the rights of persons regarding unsolicited electronic communications and automated decision-making.
  • To regulate the flow of personal information across the borders of the Republic.
  • To provide for matters connected therewith.

A Word on Personal Information and Special Personal Information

Personal Information (“PI”) is any and all data you keep on any person or organisation. These people and organisations are called Data Subjects.

Special Personal Information (“SPI”) is any unique identifiers you keep on any person or organisation. For example, identify numbers, company/NPO registration numbers, ethnicity, religious beliefs, and more.

There is a lot more to understand about PI and SPI – it’s all in the POPIA Knowledge and Understanding Article.

Follow These Steps to POPIA Compliance

Step 1: Understand the POPI Act

We analysed the POPI Act chapter-by-chapter, section-by-section part-by-part, even condition-by-condition and compiled an article that explains it in easier English, and terms of an educational establishment.

Read the Knowledge and Understanding of the POPI Act and the Knowledge and Understanding of the PAIA Act articles as many times as you need to until you understand it well.





Click through to get the POPIA article

Step 2: Appoint a POPIA Team

Use for Section 1 (“POPIA Team”) in your POPIA File


Get the Job Descriptions and Appointment Letters

Step 3: Analysis and Planning

Use for Section 2 (“Preparation and Planning”) in your POPIA File

  • Complete a Gap Analysis to understand exactly where your organisation stands with POPIA compliance.
  • From the results of your Gap Analysis, compile a POPIA Implementation Project Plan.
  • Complete a Data Touchpoint spreadsheet – it’s the easiest way to get a clear understanding of the information you keep and why. Thank you to Lauren Kyte of Future Steps for applying her clever mind and creating this spreadsheet for us.

Get the templates here

Step 4: Children and Employees 

Use for Section 6 (“IR Authorisations and Data Subjects Rights”) in your POPIA File

For Employees: In terms of Section 27, if the data subject gives permission to process their SPI, then you do not need to apply for permission. If for any reason it is not possible to obtain permission from the employee, then:

For Children:  Even though you’ll obtain permission from the children’s parents/guardians, the Information Regulator is protecting the children and you should still apply for permission to process children’s information.

There is a special Guidance Note on the Processing of COVID-19 Information. In this case, and this case only, you do not have to obtain permission from the Data Subjects.

Step 5: PAIA Manual

Use for Section 3 (“Promotion of Access to Information”) in your POPIA File

Members can get the PAIA Manual template here

Step 6: Policy and Procedures

Use for Section 4 (“In-house Privacy Policy”) in your POPIA File

  • The POPI Act says that we must implement an in-house Privacy Policy.
  • The Privacy Policy must detail a POPIA-specific complaints procedure. All actions taken to resolve the complaint must be recorded on a Complaints Register, from the beginning until the resolved complaint is signed-off. 


Members can get the Privacy Policy and complaints templates here

Step 7: Data Subject’s Rights

Use for Section 6 (“IR Authorisations and Data Subjects Rights”) in your POPIA File

Storing Consent Letters from Data Subjects: Your POPIA file may get very big if you use it to store the returned permission letters. Perhaps consider storing them digitally or on paper in a separate file.

Members can get their Consent Letters and Registers here

Step 8: Document Management

Use for Section 7 (“Document Management”) in your POPIA File

An important aspect of the POPI Act is:

  • What records do you keep?
  • Why do you keep them?
  • Where they are stored?
  • When will they be deleted?

It is possible to use registers to record this information and to assist with making sure that information and documents are deleted timeously (and not kept for too long). Types of document registers are:

  • A Document Register in which you record all your documents and when they will be destroyed.
  • A Document Change Register in which you record any changes to documents, e.g., an agreement update, a change on a form, or to a policy, etc.
  • A Document Destruction Register in which you record when documents are due to be destroyed, and when it has been done. 
  • To help you establish the length of time a document must be stored you this Document Retention List (available to everybody).

When managing your documents by using registers, please pay close attention to details as there is room for error. Software is available for this purpose and if you decide to buy it, try and get software that has been developed in South Africa and is aligned with our own POPI Act.

Members can get their document registers here

Step 9: Your POPIA File

Section 1: POPIA Team – Refer to Step 2 above

  • Part 1.1 – Information Officer
    • Official Registration Certificate
    • Copy of IO Job Description
    • Copy of IO Letter of Appointment
  • Part 1.2 – Operator and Sub-operators
    • Copy of Operator Job Description
    • Copy of Operator Letter of Appointment and Agreement

Section 2:  Preparation and Planning – Refer to Step 3 above

  • Part 2.1 – Gap Analysis
  • Part 2.2 – POPIA and PAIA Project Plan
  • Part 2.3Data Touchpoint Spreadsheet

Section 3: Promotion of Access to Information (PAIA) – Refer to Step 5 above

  • Part 3.1 – The PAIA Manual
  • Part 3.2 – Form C

Section 4: In-House Privacy Policy (POPIA, the GDPR and PAIA) – Refer to Step 6 above

  • Part 4.1 – The Privacy Policy

 Section 5: Complaints – Refer to Step 6 above

  •  Part 5.1 – POPIA Complaints Register

Section 6: IR Authorisations and Data Subject’s Rights – Refer to Step 4 and Step 7 above

  • Part 6.1 – Information Regulator Authorisations
    • Permission to Process Children’s Information
    • Permission to Process Special Personal Information
    • Prior Authorisation (if necessary)
  • Part 6.2 – Data Subject’s Rights
    • Data subject letters requesting permission to process
    • Data Subject Permission to Process Register
    • Data Subject Requests for Updates Register
    • Data Subject Requests for Deletions Register
  • Part 6.3 – Website Disclaimer

Section 7 – Document Management – Refer to Step 8 above

  • Part 7.1 – Document Register
  • Part 7.2 – Document Change Register
  • Part 7.3 – Document Destruction Register
  • Part 7.3 – Document Retention List

Section 8 – Correspondence and Notices – Refer to Step 9 above

  • Part 8.1 – Correspondence and Notices from the Information Regulator

 Section 9: Guidance Notes and Forms

Buy the POPIA File Table of Contents here

Step 10: Welcome to POPIA Compliance!

Try and arrange for the legal representative that you usually work to the review your POPIA File

Free POPI Act Downloads

Publications and Links 

Gain access free to all Tools for Schools documents

Purchase a full subscription and get free access hundreds of editable Word and Excel templates to manage your Early Childhood Development Centre.

Otherwise, buy Individual POPI Act Templates

Click on the template below to buy them. Perhaps consider purchasing a12-month subscription (for R1280 once-off) as it is by far the most cost-effective way to do it.

    Your Cart
    Your cart is emptyReturn to Shop