DLA Piper Intelligence

Data Protection
Laws of the World

Law

South Africa
South Africa

The right to privacy is recognised and protected as a fundamental human right in the Bill of Rights of the Constitution of the Republic of South Africa.

The Protection of Personal Information Act ("POPI"), which introduces an overarching regulatory framework for the processing of personal information, was signed into law on 19 November 2013. POPI intends to promote the protection of personal information processed by public and private bodies and introduces minimum requirements for the processing of personal information. The Act also provides for the establishment of an Information Regulator ("Information Regulator"), a body tasked with monitoring compliance with, and enforcement of, the provisions of POPI.

The first members of the Information Regulator were appointed with effect from 1 December 2016.

To date, only certain sections of POPI (including the definitions section and the provisions dealing with the establishment of the office of the Information Regulator) have come into effect. The remaining sections will come into effect upon proclamation of commencement by the President of the Republic of South Africa.

Last modified 27 Jan 2017
Law
South Africa

The right to privacy is recognised and protected as a fundamental human right in the Bill of Rights of the Constitution of the Republic of South Africa.

The Protection of Personal Information Act ("POPI"), which introduces an overarching regulatory framework for the processing of personal information, was signed into law on 19 November 2013. POPI intends to promote the protection of personal information processed by public and private bodies and introduces minimum requirements for the processing of personal information. The Act also provides for the establishment of an Information Regulator ("Information Regulator"), a body tasked with monitoring compliance with, and enforcement of, the provisions of POPI.

The first members of the Information Regulator were appointed with effect from 1 December 2016.

To date, only certain sections of POPI (including the definitions section and the provisions dealing with the establishment of the office of the Information Regulator) have come into effect. The remaining sections will come into effect upon proclamation of commencement by the President of the Republic of South Africa.

Last modified 27 Jan 2017
Definitions

Definition of personal data

POPI applies (subject to certain exclusions discussed below) to the processing of 'personal information' which is defined as information relating to an identifiable, living, natural person, and where applicable, an identifiable juristic person, including:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin; colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief; culture, language and birth of the person;
  • information relating to the education, medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

POPI does not apply to the processing of 'personal information':

  • in the course of a purely personal or household activity;
  • in a way in which it has been de-identified to the extent that it cannot be re-identified again;
  • by or on behalf of the State with regard to national security, defence or public safety, or the prevention, investigation or proof of offences;
  • for the purposes of the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information;
  • for exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information;
  • for bona fide literary or artistic expression;
  • by Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality (this option may be deleted in the final version of the PPI Act when it is promulgated);
  • for purposes relating to the judicial functions of a court referred to in section 166 of the Constitution;
  • solely for the purposes of journalistic, literary or artistic expression to the extent that such exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression; and
  • under circumstances that have been exempted from the application of the information protection principles by the Information Regulator in certain circumstances.

Definition of sensitive personal data

Personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information or criminal behaviour (to the extent that such information relates to the alleged commission of an offence or any proceedings in respect of any offence allegedly committed, or the disposal of such proceedings) is defined as "special personal information".

Subject to certain prescribed exceptions, the processing of special personal information is prohibited.

Last modified 27 Jan 2017
Authority

The first members of the Information Regulator have been appointed, with effect from 1 December 2016.

The powers, duties and functions of the office of the Information Regulator include providing education regarding the protection and processing of personal information; monitoring and enforcing compliance with the provisions of POPI; consulting with interested parties and acting as mediator; receiving, investigating and attempting to resolve complaints; issuing enforcement notices and codes of conduct; and facilitating cross-border cooperation.

Last modified 27 Jan 2017
Registration

Data protection officers (referred to in POPI as "information officers") must be registered with the Information Regulator prior to taking up their duties in terms of the Act.

No registration is required to process personal information, however, prior authorisation must be obtained from the Information Regulator before processing of personal information in certain circumstances, prescribed in section 57 of POPI.

Last modified 27 Jan 2017
Data Protection Officers

In terms of POPI the duties and responsibilities of a body's data protection officer (information officer) include encouraging and ensuring compliance, by the body, with POPI; dealing with any requests made to that body in terms of POPI; and working with the Information Regulator in relation to investigations by the Information Regulator in relation to that body.

Last modified 27 Jan 2017
Collection & Processing

"Processing" of information is defined in POPI as any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

  • The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • Dissemination by means of transmission, distribution or making available in any other form; or
  • Merging, linking, as well as blocking, degradation, erasure or destruction of Information.

POPI prescribes eight conditions for the lawful processing (which includes collection) of personal information namely accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.

Various requirements are listed under each condition. These include that:

  • the processing is performed in a reasonable manner that does not infringe the data subject's privacy and is adequate, relevant and not excessive
  • all necessary notifications and consents (as prescribed) are obtained
  • personal information is collected for a specific, explicitly defined and lawful purpose and, except in certain prescribed exceptions, is collected directly from the data subject
  • appropriate steps are taken to secure the integrity and confidentiality of personal information
  • data subjects may request that their personal data be corrected or deleted.
Last modified 27 Jan 2017
Transfer

POPI caters for two scenarios relating to the transfer of personal information, namely where a responsible party in South Africa sends personal information to another country to be processed and where a responsible party in South Africa processes personal information which has been received from outside South Africa.

Receiving personal information from other countries

The requirements for the processing of personal information prescribed in POPI will apply to any personal information processed in South Africa, irrespective of its origin.

Sending personal information to other countries for processing

A responsible party in South Africa may not transfer personal information to a third party in another country unless:

  • the recipient is subject to a law, binding corporate rules or a binding agreement which:
    • upholds principles for reasonable processing of the information that are substantially similar to the conditions contained in POPI, an
    • includes provisions that are substantially similar to those contained in POPI relating to the further transfer of personal information from the recipient to third parties who are in another country;
  • the data subject consents to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party, or the transfer is for the benefit of the data subject and:
    • it is not reasonably practicable to obtain the consent of the data subject to that transfer, and
    • if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
Last modified 27 Jan 2017
Security

Section 19 of POPI places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage to, or unauthorised destruction of; and unlawful access to, personal information.

To comply with this obligation, the responsible party must take reasonable measures to:  

  • identify all reasonably foreseeable internal and external risks to personal information under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The responsible party must also have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Last modified 27 Jan 2017
Breach Notification

In terms of section 22 of POPI, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subject, unless the identity of such data subject cannot be established.

The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned and must be in writing and communicated to the data subject a prescribed manner.

The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

The Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Information Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

 

Last modified 27 Jan 2017
Enforcement

Any person may submit a complaint to the Information Regulator alleging non-compliance with POPI. The Information Regulator may also initiate and investigation into interference with the protection of personal information.

Upon receipt of a complaint, the Information Regulator may, inter alia, conduct a pre-investigation or full investigation of the complaint, act as conciliator, refer the complaint to another regulatory body if the Information Regulator considers that the complaint falls more properly within the jurisdiction of the other regulatory body, or decide to take no further action.

 The Information Regulator's powers, for purposes of investigating a complaint include the power to summons and enforce the appearance of persons before the Information Regulator to give evidence or produce records or things; enter and search the premises occupied by a responsible party; and conduct interviews and inquiries

If the Information Regulator is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject it my issue an enforcement notice prescribing action to be taken by the responsible party to remedy the situation.

A responsible part who fails to comply with an enforcement notice is guilty of an offence and is, liable, on conviction, to a fine or imprisonment (or both) for a period of no longer than ten years (in terms of section 107), or alternatively to an administrative fine (in terms of section 109) . Currently, the maximum fine which may be imposed in terms of both sections 107 and 109 is ZAR10 million although this may change once the regulations are promulgated.

Section 99 also makes provision for a civil action for damages resulting from non-compliance with POPI.

Last modified 27 Jan 2017
Electronic Marketing

The Electronic Communications and Transactions Act and the Consumer Protection Act empowers consumers to restrict unwanted direct marketing.

In terms of POPI, the processing of a data subject's personal information for the purposes of direct marketing is prohibited unless the data subject has given its consent, or the email recipient is a customer of the responsible party. When sending emails to a data subject who is a customer, the responsible party must have obtained the details of the data subject through a sale of a product or service, the marketing should relate to its own similar products or services and the data subject must have been given a reasonable opportunity to object to the use of its personal information for marketing when such information was collected.

Last modified 27 Jan 2017
Online Privacy

There are no sections of POPI which regulate privacy in relation to cookies and location data. These issues may be dealt with in subsequently regulations or codes of conduct to be issued by the Information Regulator.

Last modified 27 Jan 2017
Contacts
Janine Simpson
Janine Simpson
Director
DLA Piper
T 0027 (0) 11 282 0797
Last modified 27 Jan 2017