tick tock

POPI Act – the clock is ticking…

The clock is ticking on the new POPI Act. And although the effective commencement date of this new act remains unclear, it is important for travel agents to be prepared and make POPI a priority in 2017.

Here’s what you need to know:

When is the POPI commencement date?

Nobody knows for sure. The President needs to proclaim the exact date.

According to law firm Michalsons, POPI is expected to commence by 24 May 2017 with a one-year grace period.

“This will mean that by 24 May 2018, you must comply with these privacy and data protection laws, whichever applies to you,” John Giles, a legal advisor at Michalsons, was quoted as saying. “There is no time to lose and much of the hard work needs to be done in 2017, especially the implementation action items.”

What is it exactly?

POPI regulates the manner in which personal information may be processed and provides rights and remedies to protect personal information.

Does it apply to travel agents?

The Act applies to every business that processes (collects, disseminates or merges) personal information (passport numbers, names, phone numbers, race, gender, etc.) and special personal information of the ‘data subject’ (client) ‘entered into a record’ (such as e-mails and hard copies) by or for a responsible person (the travel agent) who determines the purpose and means of such processing (to book flights, hotels, car rental).

How will POPI be policed?

The Act has its very own regulator, which was established in December 2016.

The regulator has extensive powers to investigate and fine responsible parties. Fines can range up to R10m and jail sentences of up to 10 years.  Consumers will be able to complain to the Information Regulator and it will be able to take action on behalf of consumers.

The regulator can demand access to a travel agent’s premises to conduct an investigation. He/she can search the premises, inspect, examine, operate and test equipment used to process information. He/she can also stop a travel agent from processing information, which will effectively mean the travel agent will have to close its doors.

For more information on the POPI regulator, the government has established a new website in February 2017: http://www.justice.gov.za/inforeg/index.html.

What should travel agents start doing and when?

Even though the commencement date has not been set yet, travel agents should start getting retting to comply with POPI.

Here’s what you can already start doing:

  • Raise awareness of POPI within your organization
  • Plan what you will do to protect personal information
  • Start implement the changes you need to make as soon as possible

The Basic Rule

You need the consent of the consumer in order to process their personal information!

Appoint an information Officer

An Information Officer is the CEO or equivalent officer or any person duly authorised by that officer. Every company (responsible party) must appoint an information officer to ensure compliance by the responsible party with provisions of the Act, and the officer must be registered with the Regulator.

Get everything in writing

Always notify clients about what type of information you collect about them and why. This notification can be a simple booking form, which reads: “Please refer to our privacy policy and terms and conditions, which deal with the way your personal information is stored. The purpose of collecting, disseminating and merging is contained therein.”

What if it’s a telephone booking?

Send the client an email, preferably with a delivery receipt recording the transaction and stating in the email: “As per our conversation, you confirm having understood and agreed to our privacy policy and standard terms and conditions; and (ii) that we may proceed with your booking/reservations on your behalf in accordance with our privacy policy and standard terms and conditions. We informed you during the telephone call that we do collect information in line with the POPI Act and by doing so you hereby consent to us utilising same for the purpose as set out in our privacy policy and standard terms and conditions etc.”

What about online bookings

Have a cookie policy in that warn your customers that you are collecting their personal information. Include a disclaimer that outlines that by logging onto the site, the client consents to sharing his information.

What to do with children’s information?

Children’s’ information may not be processed unless it falls into a specific authorisation in POPI. However, you have the right to capture the children’s information if a competent person, such as a parent, gives consent.

Can I share information with third parties?

No! Travel agents are not allowed, under the POPI Act, to reveal any personal and/or special personal information to third parties.

For example, agents cannot divulge information to their client’s wife or boss unless the client has signed an agreement that all information can be passed on.

It is advisable to have agreements in place with corporate clients whereby the company gives you the permission to do all future bookings for the company and their employees. Companies must ensure that they have the requisite permission and/or consent from their employees to hand over information on all bookings made by the company irrespective of who the employee is.

Adjust your terms and conditions

Insert clauses into your current terms and conditions that stipulate that your agency will be collecting personal information as well as special personal information as defined by the POPI Act to secure bookings with third party service providers.

Credit Card information

Internal policies and procedures will need to be implemented, especially with regard to safeguarding any credit card information. Ideally the company should appoint an information officer. This should be the only person to access and process payments on behalf of clients.


Destroy information

The Companies Act states that travel agents need to keep documents on file for five years. According to the POPI Act, travel agents can’t keep documents for longer than is necessary to render services.

What to do? Notify the consumer in writing that his/her information will be filed away for five years, after which it will be destroyed. During that period, nobody else will have access to that information.

If the client requests to be removed from the database, comply with this request. Remove his/her file from the computer database and get his/her file offsite with companies such as Metrofile or if you prefer electronic vaults, such as Safe4. 8.


Report any breaches!

Once a breach has occurred the travel agent has an obligation to report the breach to the Regulator as well as the client.

Travel agencies will be held liable for non-compliance with the POPI Act regardless of whether there was an intention to leak information or whether it was negligence.