POPI and the legal profession: What should you know?

September 26th, 2016

By Johan Moorcroft

This article is intended as an introduction to aspects of the Protection of Personal Information Act 4 of 2013 (the Act), which will come into operation (save for ss 39 to 54, 112 and 113 that came into operation in 2014 in anticipation of the establishment of a regulatory framework) on a date to be proclaimed. Chapter VIII of the Electronic Communications and Transactions Act 25 of 2002 will be repealed when the Act comes into operation.

The purpose of the Act is to protect privacy and to regulate the use of personal information. In this article the processing of personal information and related matters are discussed and it is envisaged that other aspects of the Act (such as processing of special personal information, the protection of children, and the supervision of the Act) will be dealt with separately.

Of particular importance to the legal profession is the fact that communications between legal adviser and client are not subject to search and seizure. This is provided for in s 86.

What is personal information?

Unless otherwise indicated the definitions appear in s 1 of the Act.

Parties for whose use information is processed are defined as responsible parties in the Act; those whose information is processed are referred to as data subjects. A responsible party may make use of the services of an operator as defined to process information.

Personal information as defined in s 1 means information relating to a living individual, and an existing juristic person insofar as the Act finds application. De-identified or anonymised data do not fall within the definition of personal information, nor does information relating to the deceased or to entities no longer in existence.

Personal information is de-identified, or anonymous, when the data subject is not identifiable from the information and the information cannot be manipulated to identify the subject.

The Act provides for a special category of personal information judged by the legislature to require more comprehensive protection than other personal information. Special personal information defined in s 26 relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, and to criminal behaviour relating to the alleged commission of an offence or any proceedings in respect of any offence.

The application of the Act: Section 3

The Act applies to the processing of personal information entered in a record by or for a responsible party by making use of automated or non-automated means, but only if the responsible party is domiciled in South Africa (SA), or makes use of means in SA (unless those means are used only to forward personal information through SA).

A ‘record’ means any recorded information ‘in the possession or under the control of a responsible party’.

When the recorded personal information is processed by non-automated means, it must form part of a filing system or be intended to form part of a filing system to fall within the definition.

‘Automated means’ is defined in s 3(4) to mean ‘any equipment capable of operating automatically in response to instructions given for the purpose of processing information.’ This would be a computer.

A ‘filing system’ is a structured set of personal information, and would typically consist of filing cabinets and other storage units.

The conditions for the processing of personal information are listed in s 4(1) and detailed in ch 3 of the Act, and are discussed below, but these conditions are not applicable to the processing of personal information to the extent that such processing is –

  • excluded, in terms of ss 6 or 7, from the operation of the Act, or
  • exempted in terms of ss 36 to 38, from one or more of the conditions.

When is the Act not applicable?

The Act does not apply –

  • to information that does not meet the criteria of the definition of personal information;
  • where informed consent is given voluntarily to the use of the information, as in s 11(1) and other sections;
  • to the extent that an exemption applies;
  • to the use of information solely for journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile the right to privacy with the right to freedom of expression, in terms of s 7; or
  • to the processing of personal information in terms of s 6(1)(a)-(e), namely –
    – in the course of a purely personal or household activity;
    – that is anonymised data, namely, data de-identified to the extent that it cannot be re-identified again;
    – by or on behalf of a public body which involves national security or the prevention of unlawful activities to the extent that adequate safeguards have been established in legislation;
    – by the Cabinet or its committees or the executive council of a province; or
    – relating to the judicial functions of a court.

Exemptions from one or more conditions for the processing of personal information:

Exemptions granted by the Regulator in terms of s 37

The Regulator established in terms of the Act may grant an exemption, when satisfied that –

‘(a) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject …, or

(b) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.’

The ‘public interest’ includes the interests of national security, the importance of crime prevention, the economic and financial interests of a public body, the importance of fostering compliance with legal provisions, historical, statistical or research activity, and the special importance of freedom of expression.

The ‘improper conduct’ exemption in s 38

Processing of personal information is exempt from certain provisions of the Act when done for the purposes of a ‘relevant function’ of a public body, or for purposes conferred in terms of the law, when the function is performed in order to protect members of the public against financial loss due to improper conduct by, or the unfitness or incompetence of persons authorised to carry on any profession or other activity, or persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate.

The provisions from which exemptions may be granted are –

  • the right of a data subject to object to the processing of personal information in subs 11(3) and (4);
  • the general obligation to collect personal information directly from the data subject in s 12;
  • the condition that further processing must be compatible with the purpose of collection of the information in s 15; and
  • the right of the data subject to be notified when personal information is collected in s 18.

The search and seizure provisions in ss 85 and 86

Information processed in terms of an exemption is not subject to search and seizure. As already intimated above, communications between legal adviser and client are similarly exempt.

The conditions for the lawful processing of personal information in s 4(1) and ch 3

The Act stipulates eight conditions for the lawful processing of personal information. These ‘conditions’ set out in s 4(1) reflect certain principles elaborated on below.

The principle of accountability in s 8: Accepting responsibility

The responsible party must accept responsibility and ensure compliance with the conditions for lawful processing.

The principle of minimality in ss 9 to 11, and 13 to 15: Limiting the scope of processing

The responsible party must not collect and use more information than is needed (s 10) and must not retain it for longer than is necessary (s 14). Processing must not infringe the privacy of the data subject. The further processing of information must be compatible with the purpose of the initial collection of the information (s 15).

Information may only be processed under one or more of the specified circumstances set out in s 11 of the Act. These circumstances are –

  • when consent is given;
  • when processing is necessary to carry out a contract to which the data subject is party;
  • when the processing complies with an obligation imposed by law;
  • where the processing protects a legitimate interest of the data subject;
  • when processing is necessary for the performance of public duty by a public body; or
  • in pursuit of the legitimate interest of the responsible party or of a third party to whom the information is supplied.

The principle of quality in ss 12 and 16

The responsible party must take reasonably practicable steps to ensure data quality.

In terms of s 12 information must generally be collected directly from the source, namely, from the data subject. This principle is qualified by a number of exceptions:

  • When the processing is done for the purpose of a function of a public body or conferred on any person by law in order to protect members of the public against financial loss or improper conduct the exemption in s 38 applies.
  • Information may be obtained from a public record as defined.
  • Information may be made public by the data subject.
  • Information may be used by consent.
  • Information may be collected from another source if such use does not prejudice a legitimate interest of the data subject.
  • Collection from another source may be necessary for the conduct of proceedings in any court or tribunal, in the interest of national security, to avoid prejudice in the maintenance of law by a public body, to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue, or to maintain the legitimate interest of the responsible party or of a third party to whom the information is supplied.
  • Information may also be collected from another source if compliance would prejudice a lawful purpose or is not reasonably practicable.

The principle of transparency in ss 17, 18, and 24 to 25

A data subject may require personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully to be corrected or deleted in terms of s 24. Access to information is a prerequisite for the verification of information relating to a data subject and, therefore, for the exercise of this right.

A responsible party is required to inform data subjects of the collection of information in terms of ss 17 and 18. The duty to inform falls away when –

  • the processing is done in terms of s 38 for the purpose of a function of a public body or conferred on any person by law with a view to protecting members of the public against financial loss or improper conduct;
  • information is processed with consent (s 18(4)(a));
  • there is no prejudice to the data subject (s 18(4)(b));
  • non-compliance is necessary to avoid prejudice in the maintenance of law by a public body, to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue, for the conduct of proceedings in any court or tribunal, or in the interest of national security (s 18(4)(c));
  • compliance would prejudice a lawful purpose (s 18(4)(d));
  • compliance is not reasonably practicable (s 18(4)(e));
  • the information is used in such a form that the data subject will remain anonymous (s 18(4)(f)(i)); or
  • the information is used for historical, statistical or research purposes (s 18(4)(f)(ii)).

The principle of integrity and security in ss 19 to 22

Section 19 requires a responsible party to take measures to secure the integrity and confidentiality of personal information. The Regulator and the data subject (if identifiable) must in terms of s 22 be informed whenever security has been compromised.

Johan Moorcroft BIur (UP) LLB (Unisa) LLM (UP) LLM (Unisa) is an advocate at the Johannesburg Bar.

This article was first published in De Rebus in 2016 (Oct) DR 32.