Yesterday President Cyril Ramaphosa proclaimed the commencement of the bulk of the remainder of the Protection of Personal Information Act (POPIA) from 1 July 2020. This sets in motion a number of things, including a requirement for compliance within one year of commencement.
POPIA has profound implications for the way South Africans handle personal information, and particularly for services like identity federation.
SAFIRE was built from the ground up with user privacy and POPIA in mind, and the need for future compliance has informed every step we’ve taken. In the absence of useful regulation in South Africa, we’ve drawn ideas from our counterparts in Europe who were subject to the European Data Protection Directive and later the GDPR, and we have been refining our understanding and implementation of privacy all along. We’ve had South African legal opinion on our Participation Agreement that suggests it covers all the important bases; we ensure that users are always informed about the transfer of their personal information; we have a comprehensive privacy statement that explains how and when we handle personal information; and we remain committed to the core principles of minimality and specificity of purpose when considering attribute release. For these reasons we believe we start from a good place in respect of POPIA compliance and that our federation operations are largely unaffected by this proclamation.
Nevertheless, it is not unlikely that we will need to revisit some of these issues as our own Information Regulator and our courts start to make binding rulings that affect our local context. We fully expect that we may need to make changes to either our policy or implementation, and will make every effort to do this in a timeous and transparent manner.
We also encourage identity- and service-providers who have concerns about the way we handle personal information to raise them either directly with us or in the Participants’ Forum, perhaps via the safire-discuss mailing list.