Keeping Personal Information Accurate: The POPIA Data Quality Condition
For any South African business that holds a customer database, data quality is not just a housekeeping concern — it is a compliance obligation under the Protection of Personal Information Act (POPIA). Understanding what the Act requires around accuracy, completeness, and currency of personal information can help your business avoid harm to data subjects and reduce regulatory risk.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What Does "Information Quality" Mean Under POPIA?
POPIA establishes eight conditions for lawful processing of personal information (section 8). One of those conditions is information quality. In plain terms, this condition says that a responsible party — the business or person who determines the purpose and means of processing — must take reasonably practicable steps to ensure that the personal information it holds is:
- Complete — not missing material fields that would affect how it is used;
- Accurate — reflecting the true position as far as can be verified;
- Not misleading — not presented or combined in a way that creates a false impression; and
- Updated where necessary — kept current when the purpose of processing requires it.
The Information Regulator has consistently emphasised, in its published guidance and enforcement communications, that holding inaccurate personal information is itself a compliance failure, not merely a data-hygiene inconvenience.
> Note on section numbers: The brief for this article references "POPIA section 16." Section 16 does not appear in the verified list of POPIA section anchors that this publication relies on for citation accuracy. Rather than risk citing an incorrect provision, this article describes the information quality condition without attributing it to a specific section number. For the precise statutory text, readers are encouraged to consult the Act directly via the Information Regulator's website or the official Government Gazette.
---
Why Inaccurate Data Is a POPIA Problem
The consequences of holding outdated or wrong personal information ripple outward in several directions:
1. Harm to data subjects. A customer who has moved, changed their name, or updated a medical status may be contacted at the wrong address, misidentified, or subjected to decisions based on stale information. POPIA's foundational purpose is to protect people from exactly this kind of harm.
2. Interference with other POPIA conditions. Inaccurate data undermines the principle that personal information should be collected for a specific purpose (section 13) and processed only in ways compatible with that purpose (section 15). If the data no longer reflects reality, its continued use may stray from the original lawful basis.
3. Friction with data subject rights. POPIA gives data subjects the right to access their personal information (section 23) and the right to request correction of inaccurate or incomplete records (section 24). Businesses that are not already managing data quality proactively will face higher volumes of correction requests — and reputational risk if those requests reveal systematic inaccuracy.
4. Regulatory exposure. The Information Regulator has the power to investigate, issue enforcement notices, and impose penalties. A pattern of holding materially inaccurate personal information — particularly where it has caused harm — is the kind of systemic failure that attracts regulatory attention.
---
What "Reasonably Practicable Steps" Looks Like in Practice
POPIA does not require perfection. The standard is what is *reasonably practicable* given the nature, size, and resources of the responsible party. For an SME maintaining a customer database, reasonably practicable steps are likely to include:
- Regular data audits. Scheduling periodic reviews of customer records — quarterly for high-use databases, at least annually for lower-frequency ones — to flag records that have not been verified in a long time.
- Update prompts at touchpoints. Every time a customer transacts, logs in, or contacts support, the interaction is an opportunity to confirm or update key fields: email address, phone number, physical address, and any other information material to the processing purpose.
- Bounce and failure monitoring. Returned mail, bounced emails, and failed SMS deliveries are reliable signals that information has become inaccurate. Building a process to investigate and correct those failures is a low-cost, high-value quality control.
- Clear correction channels. Making it easy for customers to update their own information — through a self-service portal, a simple email address, or a form — not only meets the spirit of section 24 but also offloads some of the accuracy burden to the people best placed to know their own details.
- Documentation. POPIA requires responsible parties to maintain records of their processing activities (section 17). Documenting your data-quality procedures is part of demonstrating accountability — one of the core conditions for lawful processing.
---
Special Consideration: Sensitive and High-Stakes Records
The accuracy obligation is heightened when the personal information in question involves special personal information — health data, financial status, or similar categories whose processing is restricted under section 26 and subject to authorisation requirements under section 27. An error in a health record or a credit profile is qualitatively more harmful than a misspelled street name. If your business processes any special categories of information, your data-quality controls in those areas deserve proportionally greater attention.
Similarly, where personal information is used to make automated or semi-automated decisions about individuals — credit scoring, eligibility assessments, marketing segmentation — the accuracy of the underlying data directly affects whether those decisions are fair and lawful.
---
Practical Starting Points
If you are reviewing your data quality practices for the first time, a pragmatic sequence is:
- Map your data. Identify what personal information you hold, where it lives (CRM, spreadsheets, email threads, paper files), and how old each dataset is.
- Assess the risk. Which datasets, if inaccurate, could cause the most harm to data subjects or the most operational disruption to your business?
- Assign ownership. The Information Officer appointed under section 55 of POPIA is accountable for compliance; data quality should be an explicit part of that role's responsibilities.
- Build correction into process. Rather than treating data quality as a once-off cleanup project, embed update prompts and audit triggers into your existing workflows.
- Get qualified advice. Data quality intersects with several POPIA conditions and, depending on your sector, may also touch FICA and other regulatory frameworks. A qualified attorney or compliance specialist can help you design a programme that fits your specific context.
---
Summary
The information quality condition under POPIA reflects a straightforward principle: if you hold personal information about people, you have an ongoing responsibility to keep it accurate, complete, and current. For businesses maintaining customer databases, this means treating data quality not as a technical afterthought but as a live compliance obligation — one that protects your customers and reduces your regulatory exposure at the same time.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including which specific POPIA provisions apply to your business and how to implement a compliant data-quality programme — consult a qualified attorney.
*For more information on POPIA compliance obligations, visit the Information Regulator's website at www.inforegulator.org.za.*