Did you know that hairstylists must comply with the new POPI Act?
Most of the provisions of the Protection of Personal Information Act 4 of 2014 (“The POPI Act”) came into effect on 1 July 2021. What does it mean for you as a hairstylist?
The POPI Act defines a “private body” as any natural person or partnership who carries on any trade, business or profession, or any juristic person (i.e., Company or CC). Therefore, even if you are a one-man-band, you must comply with the provisions of the POPI Act.
So, what is the POPI Act about? The aim of the Act is to protect a person’s privacy and force private and public bodies to do the utmost to ensure that any personal information that they hold is protected against theft, loss or misuse.
So, it really is a good thing.
Let us quickly see what kind of information, typically collected by hairstylists or recorded on their client cards, falls under the POPI Act, e.g.:
- Name & surname
- Contact number(s)
- Address
- E-mail address
- ID number, date of birth and/or age
- Physical condition (i.e., allergies, medical history)
If you have staff working for you, you would also hold additional information such as:
- Trade union membership
- Education and training history
- Employment history
All this information must meet the 8 conditions of lawful processing, as described by the POPI Act:
- Accountability: Someone in the private/public body must take responsibility for and can be held accountable for the safekeeping and protection of personal information in its possession. This person must be registered on the Information Officer registration portal: https://www.justice.gov.za/inforeg/portal.html
- Processing limitation: You must hold only the minimum amount of information that you need to perform your service or supply your products, i.e., if it is not necessary to record your client’s ID number, then don’t.
- Purpose specification: You must tell your client why you are collecting the information, and you may only use it for that purpose. If you no longer need it, it must be destroyed.
- Further processing limitation: You can’t do anything else with that information than what it was originally collected for, without getting prior consent from the person. You may also not share any information with third parties unless you acquire consent or are legally obligated to.
- Information quality: You must ensure that all information that you have is correct and up to date. Any incorrect and outdated information must be destroyed.
- Openness: You must always confer with your client about what information you collect and why. They must have access thereto to ensure that it is accurate and complete.
- Security safeguards: You must do everything in your power to keep the information safe, i.e., manual client cards should be locked away in a safe place, electronic systems must be password protected and regularly backed up, etc. If there is any breach of your security, you must inform the client and Regulator as soon as possible.
- Data subject participation: Your clients may request you to change or delete records at any time and you must comply as far as possible.
So, the crux of the matter is:
- You must obtain consent from your clients to hold certain personal information and
- You must do everything in your power to keep that information safe and secure.
If you need any assistance with regard to the implementation of the POPI Act at your salon, please do not hesitate to contact us. We can send you FREE examples of:
- POPI Checklist
- POPI Manual
- POPI Assessment
- Privacy policy
For assistance please Email us or WhatsApp +27 18 468 1001.