PoPI 101: privacy for civic tech

The headlines

What is the current status of PoPI?

Who does PoPI apply to?

What is the basis for PoPI?

What constitutes ‘personal information’?

Screengrab from Dario’s presentation. SUPPLIED

Okay, so you have personal information from users. But what do you do with it?

  • collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • dissemination by means of transmission, distribution or making available in any other form; or
  • merging, linking, as well as restriction, erasure or destruction
  • The data subject consents to the processing;
  • Processing is necessary for performance of a contract to which the data subject is party;
  • Processing complies with an obligation imposed by law;
  • Processing protects a legitimate interest of the data subject;
  • Processing is necessary ‐ public law duty by a public body;
  • Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Screengrab from Dario’s presentation. SUPPLIED
  • Enquire — without monetary charge ‐ whether his / her personal information being processed
  • Request description of his / her personal information
  • Request information on the recipients of this personal information
  • Challenge the accuracy of personal information
  • Request correction of information (if inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully)
  • Request deletion

What penalties could you face?

What about the implications of cloud storage?

  • provides for an “adequate level of protection” that effectively upholds the principles that are substantially similar to the conditions for lawful processing; or
  • includes substantially similar provisions relating to the further transfer
  • of personal information to third parties in foreign countries
  • consent
  • other exceptions


  • Does your organisation have an internal or published privacy policy and how far along are you in thinking about your privacy and data security?
  • Is your privacy policy clear and easy to understand?
  • What information do you collect from users and partners? What do you use it for?
  • How do you secure the information you have?
  • What is your data retention policy?
  • How well do you inform the people whose data youhave about your answers to these questions?

Consent: the golden rule

About our expert

Warning: Attempt to read property "post_type" on int in /usr/www/users/civicmvjkp/wp-content/plugins/toolset-blocks/application/controllers/compatibility/wpa-block-editor/wpa-block-editor.php on line 220
Scroll to Top