The Protection of Personal Information Act 4 of 2013 (the Act) is an important piece of legislation that gives effect to the constitutional right to privacy and regulates the processing of personal information. The Act also provides for data protection, in that it governs access to personal information and prohibits access to such information, if it would lead to a violation of a person’s right to privacy.
The Act applies to all private and public institutions that process personal information – including, but not limited to natural persons, partnerships, juristic persons, state departments, municipalities and any other bodies performing functions in terms of the Constitution. The Act has an extensive definition of personal information, which includes the –
The Act does not apply to, inter alia –
The supervision of the Act and compliance with its provisions is monitored by the Information Regulator established in terms of Chapter 5 of the Act.
The Act is centred around eight core principles, which should be adhered to in the processing of personal information. The core principles are:
1. Accountability – individuals/entities processing the personal information are responsible for ensuring compliance with the Act.
2. Processing limitation – individuals/entities processing personal information must do so in a manner that is lawful and reasonable to avoid infringing on a person’s conditional right to privacy. The information ought to be collected with the consent of the individual, only the required information should be collected, there should be a justifiable reason underlying the collection of the data, and the personal information should be collected directly from the individual unless derived from public records.
3. Purpose specification – individuals/entities collecting personal information must have a clearly outlined and lawful purpose for doing so, and that such purpose should be communicated to the person from who the information is collected. In addition, this information should not be kept by the collector for periods longer than necessary according to the specified purpose.
4. Further processing limitation – collection of additional personal information should be done only when necessary when regard is had to the reason why information is being collected. This rule would not apply if the person whose data is being collected has consented to giving additional personal information, or where the information that is being collected is already in the public domain, or it is in the public interest or necessary for statistical or historical purposes.
5. Information quality – the individuals/entities collecting personal information are expected to take reasonable steps to ensure that the information collected is complete, correct, up to date and not misleading.
6. Openness – the individuals/entities collecting personal data ought to notify the individual from whom data is being collected, that data is being collected, who is collecting the data and why. The individual from whom data is collected should also be notified of where such data can be accessed or corrected.
7. Security safeguards – the individuals/entities that collect personal information must ensure that they secure the integrity and confidentiality of the information collected. This means that internal and external risks should be identified, safeguards against the identified risks should be implemented and maintained and safeguards must be regularly evaluated for effectiveness and updated to address new risks. Where personal information is compromised or accessed by unauthorised personnel, the individual/entity holding such information must, as soon as reasonably possible, notify the regulator and the persons whose information has been accessed.
8. Data subject participation – individuals whose information has been collected, must be given access to the information collected about them and be informed on who has access to their data. They must also have the ability to correct incorrect information or to object to the processing of their information.
The Act grants public and private bodies, to whom its provisions apply, a grace period of one year, which is until 1 July 2021, to comply with its provisions. If after this date, any entity or individual, which processes personal information is found wanting, such entity may be sued by the individual affected or the Regulator, in a civil action for damages incurred as a result of the breach of any provision of the Act. A breach of certain sections of the Act carries criminal sanctions in the form of fines or imprisonment of up to a year – for example breach of confidentiality requirements in s 54. Heavier criminal penalties exist for public or private bodies who, among other things, hinder, influence or obstruct the Regulator in the performance of its duties; in this case perpetrators may be imprisoned for up to ten years or fined or both.
The Act and its provisions are of grave importance currently because most of its sections became effective on 1 July 2020. Specifically, the following sections are now in full force and effect –
Certain provisions of the Act, namely s 1, ss 39 to 54, ss 112 and 113 have been effective since 11 April 2014. These sections deal predominately with the establishment and powers of the Information Regulator.
The remainder of the sections, namely s 110 and s 114(4) are due to come into effect on 30 June 2021. The sections of Act, which are due to come into effect in 2021, deal predominately with the repeal of specific sections of certain identified Acts, which currently provide for the protection of personal information. The effect of this is that until 30 July 2021 the provisions of the Act apply concurrently with any other legislative provisions, which deal with protection of personal information, for example, ss 50 and 51 of the Electronic Communications and Transactions Act 25 of 2002, which contain voluntary principles of how personal data is processed in electronic transactions.
The promulgation of the sections of the Act effective from 1 July 2020, is a welcome and reassuring development. Of concern to many before the promulgation, was the protracted delay in the enactment of all the provisions of the Act. Given the wide-going effect of the Act, public and private entities ought to seriously and sooner rather later, assess their current polices on processing of personal information to bring them into conformity with the Act. An important reminder is that the Act does not prohibit the handling of individual data it, however, seeks to guarantee that it is done reasonably and without infringing the privacy rights of individuals.
Beatrice J Moyo LLB (cum laude) (UKZN) is an LLM candidate and legal practitioner in Cape Town.
This article was first published in De Rebus in 2020 (Nov) DR 5.
