With the remainder of the Protection of Personal Information Act 4 of 2013 (POPIA) coming into effect on 1 July, South Africans are finally getting some much-needed protection when it comes to the selling and unauthorised use of their personal information. The purpose of the Act is to protect people from harm by protecting their personal data, protecting their privacy, and to stop their money and identity from being stolen. 

The commencement of the provisions of the Act will affect all South African citizens and must be taken seriously. The Act provides protection to individuals whose personal information is gathered and used in any manner, which essentially includes the vast majority of South African citizens and companies, especially those dealing with the processing and use of personal information, such as banks, medical aids, telecommunication companies, internet service providers, etc.

POPIA was promulgated in November 2013 after an investigation into privacy and data protection by the South African Law Reform Commission. The objective of the Act is to give effect to the right to privacy, as provided for in section 14 of the Constitution of 1996, and aims to regulate the processing and use of personal information by private and public bodies in line with international standards. 

Initially, only certain sections dealing with administrative matters (such as definitions, the establishment of the Information Regulator and the procedure for making regulations, etc.) came into operation in 2014. The commencement date of the remainder of the Act was scheduled for 1 July 2020, and public and private bodies are provided one year from this date to ensure that their practices comply with the provisions of the Act.

Compliance with the Act is extremely important. Less serious offences, such as obstructing an official in the execution of their duties, could lead to a fine or imprisonment of up to 12 months or both. More serious offences could lead to a fine of up to R10 million, or 10 years’ imprisonment, or a combination of both.  

‘Personal information’ is defined as information that relates to an identifiable, living, natural person and an identifiable existing legal entity. The Act lists eight specific types of information included in this definition, ranging from your name to your biometric information to your personal opinions. Just as a clarification, though, any information shared on social media is regarded as a publication and will generally not enjoy protection. 

The Act also provides for ‘special personal information’, which can only be processed with the prior consent of the data subject if necessary by law, if it has already been made public by the data subject or if it is done for historical, statistical or research purposes. Section 34 prohibits the processing of the personal information of a child, unless it is required by law, collected with the consent of a competent person (a parent or legal guardian), if it is in the public interest or used for statistical, historic or research purposes without adversely affecting the privacy of the child.

The Act clarifies the rights of the ‘data subject’, which is the being to whom the personal information relates. In this regard, we are afforded the following rights: to have access to personal information that is kept or used by any private or public body; to be informed if someone is collecting or has accessed our personal information; to have any incorrect or obsolete information corrected or destroyed; and to object to any unauthorised use (or ‘processing’) of personal information. The ‘responsible party’ or ‘data controller’ is the public or private body that essentially processes personal information. This includes employers who process the personal information of their employees and clients.

The ‘processing’ of personal information is any operation or activity, whether automated or not, pertaining to the collection, receipt, storage, modification, sharing or destruction of personal information. This may only occur with the consent of the data subject, if required by law, if it protects the legitimate interests of the data subject, or if it is necessary for performance in terms of a contract to which the data subject is a party.

Section 18 prescribes that the following should be shared with the data subject once any personal information is collected: the source from which the information is being collected, the name and address of the party collecting the information, the purpose of the collection, whether the collection occurs in accordance with any law, who will receive the information, the security measures used to ensure the confidentiality and correctness of the information, that the subject has the right to access and rectify any part of the information gathered, and objection to the processing. Any complaints in this regard may be lodged to the Information Regulator, an independent party who oversees the Act and answers to the National Assembly, and whose contact information must also be shared with the data subject.

The Act determines that the information may only be collected directly from the data subject, unless it is contained in a public record, it is required for a public purpose or to protect the interests of the data subject, it is not reasonably possible to obtain it from the data subject, or does not prejudice the subject if obtained from another source. 

The data controller must comply with prescribed duties, which includes: ensuring that all conditions for lawful processing are met (including obtaining the prescribed consent and ensuring confidentiality); collecting information directly from the data subject; informing the subject about the purpose of the processing; providing the subject with access to the information; keeping the information up to date; correcting the information; deleting incorrect or obsolete records; and complying with any information notice or enforcement order served by the Information Regulator.

It should also be noted that the Act prohibits all forms of direct marketing unless a data subject has given their consent. A data subject may only be approached once for consent and must at all times be afforded the right to ‘opt out’ of any future communications.

It is important to note that the provisions of the Act will not apply to the processing of personal information that is collected in the course of a purely personal or household activity, such as keeping a directory of the addresses and phone numbers of friends and family. It will also not apply to the collection of information for the purpose of national security, for the prevention of unlawful activities, if it is collected by the Cabinet, the Executive Council of a province, or by the courts when exercising its judicial function. 

The processing of information as a matter of ‘public interest’ will also be excluded. This is generally where information is processed for journalistic, artistic, or literary purposes. Ethical consideration will apply in these instances, and there will be a weighing of the data subject’s right to privacy versus the data controller’s freedom of expression. As a general rule of thumb, one should always remember that there is an important distinction to be made between ‘public interest’ and what is interesting to the public – the latter will not be exempted from the provisions of the Act. 

In summary, a data controller must carefully collect and process the personal information of their clients, employees, and any other party whose information they are processing, in line with the provisions of the Act as summarised above. Consideration should be given to the appointment of an information officer, otherwise the head of the private or public body will be regarded as such. This individual will register with the Information Regulator and ensure that the provisions of the Act are met within the organisation. South African citizens must be aware of the rights provided by the Act and must be mindful of the transactions they enter into – whether in person, automated, or online. Care must be taken when ‘posting’ information on social media, as this will be viewed as publications and consequently enjoy no protection under this Act.