Article was written by Megan Brook, Candidate Attorney and checked by Danmari Duguid.
The Protection of Personal Information Act 4 of 2013 (“The Act”) is a piece of data privacy legislation which affects any natural or juristic person who processes the personal information of another individual or company. The Act aims to protect the right to privacy enshrined in the Constitution of the Republic of South Africa, 1996 and introduces certain minimum requirements that must be complied with when processing personal data. The Act seeks to ensure that South African institutions conduct themselves in a responsible manner when storing and sharing personal information by holding them accountable should they abuse or compromise this information in any way.
Application
The Act applies to the processing of personal information by a “responsible party” which includes a public or private body, or any other person, which alone or in conjunction with others, determines the purpose of and means for processing personal information.
What is personal information? “Personal information” is broadly defined in The Act to include, amongst many others, information relating to one’s race, sex, age, physical or mental health, personal opinions or views, criminal, educational or employment history and biometric information. The Act, however, does not apply to the processing of personal information “in the course of a purely personal or household activity,” to processing for national security purposes such as identifying the financing of terrorist activities, or to processing solely for the purpose of “journalistic, literary or artistic expression.”
Compliance
Compliance with the Act is not a one-size-fits-all approach, and different organisations will be required to take different measures, depending on what mechanisms they already have in place to protect personal information.
Compliance with the Act will include certain mandatory measures, such as appointing an “Information Officer” and developing internal systems to process requests for information.
The Information Regulator
The Act gives an independent government body, namely the Information Regulator, the authority to enforce the Act. The Information Regulator is a supervisory authority with a wide range of powers and responsibilities, including, but not limited to, issuing codes of conduct and handling complaints in relation to data protection.
Any person may, either orally or in writing, submit a complaint to the Information Regulator in the event of misconduct. The Act provides that, after receipt of a complaint, the Information Regulator is obliged to investigate the complaint, act as a conciliator where appropriate and take further action when required. In exercising its investigative powers, the Information Regulator may summon a person to appear before it, compel the provision of written or oral evidence under oath, receive evidence (irrespective of whether such evidence would be admissible in a Court of Law) and enter and search any premises occupied by a responsible party.
The Information Officer
Every organisation has an Information Officer by default, and that officer is responsible for ensuring compliance with the Act. Information Officers co-operate with the Information Regulator in respect of any investigations conducted. Private bodies must designate the responsibilities of an Information Officer to perform the duties required in terms of the Act.
The data subjects’ rights
Under the Act, personal information may only be processed if the “data subject” expressly consents to the processing, unless the exclusions with regard to consent apply. The consent of the data subject is not required where the processing of personal information:
- is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- complies with an obligation imposed by law on the responsible party;
- protects a legitimate interest of the data subject;
- is necessary for the proper performance of a public law duty by a public body; and
- is necessary for pursuing the legitimate interests of the responsible party, or of a third party, to whom the information is supplied.
It must be noted that a data subject may withdraw his/her consent at any time.
Special personal information
The Act limits the processing of “special personal information”, which includes information concerning the health of a person. It is therefore vital for anyone processing health information related to Covid-19 to consider the Act. Many of the actions undertaken to understand and prevent the spread of Covid-19 will involve the processing of personal information.
Legal penalties for non-compliance
A party in breach of the Act can incur a fine or face imprisonment for up to ten years. Damages and compensation may also be payable to data subjects in certain circumstances.
For POPIA guidance and advice, please contact our specialist department at [email protected]
Value
This article provides a basic overview and introduction of South Africa’s data privacy legislation, The Protection of Personal Information Act 4 of 2013 or POPI