By Johan Moorcroft
This article is intended as an introduction to aspects of the Protection of Personal Information Act 4 of 2013 (the Act), which will come into operation (save for ss 39 to 54, 112 and 113 that came into operation in 2014 in anticipation of the establishment of a regulatory framework) on a date to be proclaimed. Chapter VIII of the Electronic Communications and Transactions Act 25 of 2002 will be repealed when the Act comes into operation.
The purpose of the Act is to protect privacy and to regulate the use of personal information. In this article the processing of personal information and related matters are discussed and it is envisaged that other aspects of the Act (such as processing of special personal information, the protection of children, and the supervision of the Act) will be dealt with separately.
Of particular importance to the legal profession is the fact that communications between legal adviser and client are not subject to search and seizure. This is provided for in s 86.
What is personal information?
Unless otherwise indicated the definitions appear in s 1 of the Act.
Parties for whose use information is processed are defined as responsible parties in the Act; those whose information is processed are referred to as data subjects. A responsible party may make use of the services of an operator as defined to process information.
Personal information as defined in s 1 means information relating to a living individual, and an existing juristic person insofar as the Act finds application. De-identified or anonymised data do not fall within the definition of personal information, nor does information relating to the deceased or entities no longer in existence.
Personal information is de-identified, or anonymous, when the data subject is not identifiable from the information and the information cannot be manipulated to identify the subject.
The Act provides for a special category of personal information judged by the legislature to require more comprehensive protection than other personal information. Special personal information defined in s 26 relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, and to criminal behaviour relating to the alleged commission of an offence or any proceedings in respect of any offence.
The application of the Act: Section 3
The Act applies to the processing of personal information entered in a record by or for a responsible party by making use of automated or non-automated means, but only if the responsible party is domiciled in South Africa (SA), or makes use of means in SA (unless those means are used only to forward personal information through SA).
A ‘record’ means any recorded information ‘in the possession or under the control of a responsible party’.
When the recorded personal information is processed by non-automated means, it must form part of a filing system or be intended to form part of a filing system to fall within the definition.
‘Automated means’ is defined in s 3(4) to mean ‘any equipment capable of operating automatically in response to instructions given for the purpose of processing information.’ This would be a computer.
A ‘filing system’ is a structured set of personal information, and would typically consist of filing cabinets and other storage units.
The conditions for the processing of personal information are listed in s 4(1) and detailed in ch 3 of the Act, and are discussed below, but these conditions are not applicable to the processing of personal information to the extent that such processing is –
When is the Act not applicable?
The Act does not apply –
– in the course of a purely personal or household activity;
– that is anonymised data, namely, data de-identified to the extent that it cannot be re-identified again;
– by or on behalf of a public body which involves national security or the prevention of unlawful activities to the extent that adequate safeguards have been established in legislation;
– by the Cabinet or its committees or the executive council of a province; or
– relating to the judicial functions of a court.
Exemptions from one or more conditions for the processing of personal information:
Exemptions granted by the Regulator in terms of s 37
The Regulator established in terms of the Act may grant an exemption, when satisfied that –
‘(a) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject …, or
(b) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.’
The ‘public interest’ includes the interests of national security, the importance of crime prevention, the economic and financial interests of a public body, the importance of fostering compliance with legal provisions, historical, statistical or research activity, and the special importance of freedom of expression.
The ‘improper conduct’ exemption in s 38
Processing of personal information is exempt from certain provisions of the Act when done for the purposes of a ‘relevant function’ of a public body, or for purposes conferred in terms of the law, when the function is performed in order to protect members of the public against financial loss due to improper conduct by, or the unfitness or incompetence of persons authorised to carry on any profession or other activity, or persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate.
The provisions from which exemptions may be granted are –
The search and seizure provisions in ss 85 and 86
Information processed in terms of an exemption is not subject to search and seizure. As already intimated above, communications between legal adviser and client are similarly exempt.
The conditions for the lawful processing of personal information in s 4(1) and ch 3
The Act stipulates eight conditions for the lawful processing of personal information. These ‘conditions’ set out in s 4(1) reflect certain principles elaborated on below.
The principle of accountability in s 8: Accepting responsibility
The responsible party must accept responsibility and ensure compliance with the conditions for lawful processing.
The principle of minimality in ss 9 to 11, and 13 to 15: Limiting the scope of processing
The responsible party must not collect and use more information than is needed (s 10) and must not retain it for longer than is necessary (s 14). Processing must not infringe the privacy of the data subject. The further processing of information must be compatible with the purpose of the initial collection of the information (s 15).
Information may only be processed under any one or more of specified circumstances set out in s 11 of the Act. These circumstances are –
The principle of quality in ss 12 and 16
The responsible party must take reasonably practicable steps to ensure data quality.
In terms of s 12 information must generally be collected directly from the source, namely, from the data subject. This principle is qualified by a number of exceptions:
The principle of transparency in ss 17, 18, and 24 to 25
A data subject may require personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully to be corrected or deleted in terms of s 24. Access to information is a prerequisite for the verification of information relating to a data subject and, therefore, for the exercise of this right.
A responsible party is required to inform data subjects of the collection of information in terms of ss 17 and 18. The duty to inform falls away when –
The principle of integrity and security in ss 19 to 22
Section 19 requires a responsible party to take measures to secure the integrity and confidentiality of personal information. The Regulator and the data subject (if identifiable) must in terms of s 22 be informed whenever security has been compromised.
Johan Moorcroft BIur (UP) LLB (Unisa) LLM (UP) LLM (Unisa) is an advocate at the Johannesburg Bar.
This article was first published in De Rebus in 2016 (Oct) DR 32.