The Protection of Personal Information Act (POPIA)

    South Africa


    Act No. 4 of 2013 on the Protection of Personal Information (PoPI Act)

    South Africa signed the Protection of Personal Information Act (POPIA) into law on 19 November 2013. The purpose of the Act is to raise the standard of data protection and privacy in South Africa. However, only a few of its provisions (mainly those establishing the Information Regulator) have commenced so far. Although the current applicability of the POPIA is therefore limited, the remaining provisions are expected to commence in the near future.

    Last Updated: July 30, 2019


  • Introduction

    The South African Protection of Personal Information Act (POPIA) is one of the laws that regulate the protection of personal information in South Africa.

    Scope

    Material Scope: Section 3.1(a) stipulates that the Act applies to the processing of personal information entered in a record by or for a responsible party, by automated or non-automated means, provided that, where personal information is processed by non-automated means, it forms part of a filing system or is intended to form part of one.

    Territorial Scope: Section 3.1(b) states that the Act applies to (i) controllers (“responsible parties”) domiciled in South Africa, and (ii) controllers not domiciled in South Africa that make use of automated or non-automated means in South Africa (unless those means are used only to forward personal information through the country).

    Key differences between the POPIA and the GDPR are outlined below.

    Definitions

    Section 1 of the Act defines the terms used in the POPIA. The following definitions are referred to frequently in this entry:

    • Child
      Any natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him or herself;
    • Consent
      Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
    • Data Subject
      The person to whom the personal information relates;
    • Processor
      Processors are called “operators” and are defined as a person (natural or legal) who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that responsible party.
    • Personal information
      Information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing legal person. The definition of Personal Data is almost identical to the one laid down in the GDPR, but in the case of South Africa, the POPIA includes legal persons in its scope.
    • Processing
      Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
    • Special personal information
      The Act refers to special categories of data as “special personal information” (Section 26), which is any information revealing: (a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or (b) the criminal behaviour of a data subject to the extent that such information relates to— (i) the alleged commission by a data subject of any offence; or (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
    • Regulator
      The Information Regulator as established in Section 39 of the Act.
    • Responsible party
      A public, private or any other party who, alone or together with others, determines the purpose and means of the processing of personal information;

    Exceptions

    Sections 6 and 7 exclude the following processing operations from the scope of the Act:

    • processing in the course of a purely personal or household activity;
    • processing of information that has been de-identified to the extent that it cannot be re-identified again;
    • processing by or on behalf of a public body involving national security (including defence and public safety) or terrorist and related activities, or involving the prevention, detection, investigation and proof of offences (including money laundering), the prosecution of offenders and the execution of sentences or security measures, to the extent that adequate safeguards exist in legislation;
    • processing by the Cabinet and its committees or by the Executive Council of a province;
    • processing relating to the judicial functions of a court;
    • processing solely for the purpose of journalistic, literary or artistic expression, to the extent necessary to reconcile the right to privacy with the right to freedom of expression (Section 7).

    Key differences between the POPIA and the General Data Protection Regulation (GDPR)

    • Obtaining personal information directly;
      The POPIA imposes the requirement of directly obtaining personal data from a data subject unless the collecting party can rely on a ground that justifies indirect collection.
    • Communication to data subjects in the event of a breach;
      The POPIA obliges responsible parties to notify data subjects where there are reasonable grounds to believe that their personal information has been accessed or acquired by an unauthorised person (Section 22). Notification may be delayed only in limited circumstances (where a public body responsible for law enforcement, or the Regulator, determines that notification would impede a criminal investigation). Under Article 34 of the GDPR, by contrast, data subjects only need to be informed if the breach is likely to result in a high risk to their rights and freedoms, which is a higher threshold to meet. Furthermore, the POPIA requires the notice to include, if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information; the GDPR does not require this information to be conveyed.
    • Privacy notice
      Under the POPIA, giving a privacy notice is required, but exemptions are available in certain circumstances. For example, data subjects can waive the notice by consenting to non-compliance (Section 18.4(a)). The GDPR offers no such consent-based exemption, so the rules on privacy notices are stricter in Europe than in South Africa.
    • Transfers to third countries;
      The POPIA obliges controllers to inform data subjects, when their information is collected, of any intention to transfer it to a third country and of the level of protection afforded there (Section 18.1(g)), and Section 72 permits such transfers only where adequate protection or another listed ground (such as the data subject's consent) applies. The Act does not, however, specify whether data subjects must be notified again when an actual transfer takes place.
    • Privacy by design;
      The principle of privacy by design requires companies to take appropriate technical and organisational measures so that privacy considerations are built into their processes from the outset. The GDPR imposes this obligation expressly (Article 25); the POPIA does not.

    Regulatory framework

    Although the POPIA is the focus of this Section, the legislation does not operate in a vacuum. POPIA interacts with several other laws, two with far-reaching implications for businesses.

    The first is the set of regulations issued under the POPIA (the Regulations relating to the Protection of Personal Information, published in December 2018 and referred to on this page as the Information Register Regulation). In accordance with section 112(2) of POPIA, these regulations lay down rules on the following:

    • The data subject right to object to the processing of personal information;
    • The procedure according to which a data subject may submit a request;
    • Rules around the processing of health information;
    • The responsibilities of information officers (the POPIA's equivalent of data protection officers under the GDPR);
    • Procedure for submitting a code of conduct to the supervisory authority;
    • How to request consent from a data subject;
    • How to submit complaints;
    • How South-Africa’s regulatory authority may act as a conciliator in disputes;
    • How parties will be notified of an investigation;
    • How complaints will be settled;
    • How an assessment of the processing of personal data must be made;
    • How the results of an investigation will be communicated to the relevant parties.

    The second law is the Promotion of Access to Information Act 2 of 2000 (PAIA). This law gives effect to South Africa's constitutional right of access to information held by public and private bodies. It implements section 32(1)(b) of the Constitution, which grants everyone a right of access to any information held by another person that is required for the exercise or protection of any rights:

    • Individuals have a right of access to records of private bodies (ss 50 and onwards);
    • But there are grounds for refusal as well (ss 62 and onwards).
  • Lawfulness, Fairness and Non-discrimination

    In its preamble, the POPIA indicates that the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. As such, the lawful processing of personal information is governed by several criteria. Fairness is not explicitly mentioned in the POPIA. However, the wording of the law puts an emphasis on the rights of data subjects and on the ‘reasonable’ processing of personal information. This indicates that fairness plays an implicit role, especially because the POPIA repeatedly uses terminology such as ‘reasonable’ and ‘practicable’.

    This entry focuses on four areas:

    • What are the lawful processing criteria (i.e. legal bases)?
    • How is consent regulated when used as a legal basis? What kind of consent is required?
    • How does the Act address special categories of data?
    • How does the Act address the processing of personal data relating to minors?

    Lawful processing criteria

    Chapter 3 of the POPIA lays down the conditions required to process personal data lawfully. The POPIA lists a series of cumulative criteria that are rather similar to the criteria laid down in the GDPR:

    • Accountability (s. 8 POPIA)
      Controllers subject to POPIA must ensure they comply with the legislation.
    • Processing limitation (ss. 9 to 12 POPIA)
      First, the processing must be lawful and done in a reasonable manner that does not infringe the privacy of the data subject (s. 9). Second, the processing must be adequate, relevant and not excessive given its purpose (s. 10). Third, the processing must be justified on one of the following legal bases (s. 11):

      • the data subject (or a competent person, where the data subject is a child) has consented;
      • processing is necessary to conclude or perform a contract to which the data subject is party;
      • processing is necessary to comply with an obligation imposed by law on the responsible party;
      • processing protects a legitimate interest of the data subject;
      • processing is necessary for the proper performance of a public law duty by a public body;
      • processing is necessary to pursue the legitimate interests of the responsible party or of a third party to whom the information is supplied.

      Fourth, personal information must be collected directly from the data subject (s. 12), unless:

      • the information is contained in a public record or has deliberately been made public by the data subject;
      • the data subject (or a competent person) has consented to collection from another source;
      • collection from another source would not prejudice a legitimate interest of the data subject;
      • collection from another source is necessary to avoid prejudice to the maintenance of the law, to comply with an obligation imposed by law, for the conduct of legal proceedings, in the interests of national security, or to maintain the legitimate interests of the responsible party or of a third party;
      • compliance would prejudice a lawful purpose of the collection; or
      • compliance is not reasonably practicable in the circumstances of the particular case.
    • Purpose specification (ss. 13 & 14 POPIA)
      This condition restricts the processing of personal information to a specific, explicitly defined and lawful purpose, and requires that any further processing be compatible with the purpose for which the information was originally collected. It also governs how long records may be retained. For more information, please refer to the “Purpose Specification, Use Limitation and Suitability” entry.
    • Further processing limitation (s. 15 POPIA)
      Section 15.1 stipulates that any further processing of personal information must be in accordance or compatible with the purpose for which it was collected. For more guidance in assessing whether further processing activities are compatible, please refer to the “Purpose Specification, Use Limitation and Suitability” entry.
    • Information quality (s. 16 POPIA)
      The information must be complete, accurate, not misleading and updated where necessary.
    • Openness (ss. 17 & 18 POPIA)
      This condition requires responsible parties to document their processing operations and to notify data subjects when their personal information is collected. Please refer to the “Transparency” header for more information.
    • Security safeguards (ss. 19 to 22 POPIA)
      This condition requires responsible parties to take reasonable technical and organisational measures to secure personal information, to impose safeguards on operators processing on their behalf, and to notify the Regulator and data subjects of security compromises. Please refer to the ‘Security and Prevention’ header for more information.
    • Data subject participation (ss. 23 to 25 POPIA)
      Under this condition, data subjects have the right to access their personal information and to request the correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. For more information, please refer to the ‘Security and Prevention’ header.

    Consent

    Section 1 of POPIA defines consent as any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

    Consent must be voluntary, meaning that consent obtained through coercion is not valid. It must also be specific: a data subject's consent to one processing operation cannot be relied on to process his or her personal information in any other situation. Finally, it must be informed: data subjects must be told, before they consent, what their consent will be used for. In addition, consent may be withdrawn at any time, although withdrawal does not affect the lawfulness of processing carried out before it, nor of processing that rests on the other legal bases in Section 11.1(b) to (f) [Section 11.2(b)].

    According to section 11.1(a) of the Act, consent must be obtained either from the Data Subject or from a competent person where the Data Subject is a child. Further, section 11.2(a) states that controllers must be able to prove that they have obtained consent.

    In addition to section 11 of POPIA, the Information Register Regulation lays down further specifications of what constitutes valid consent. In accordance with section 6 of this regulation, consent for direct marketing by electronic communication must be obtained through a specific form (‘Form 4’). It requires data subjects to write out their name and signature, and therefore this type of consent can be described as ‘express’. Furthermore, the form requires companies to specify for which goods and services they are seeking consent. This illustrates that the consent has clear boundaries, and that consent ought to be sought again for any further processing that is incompatible with the purpose for which data was initially collected and processed.

    Although Section 12.1 lays down a general rule that personal information must be collected directly from the data subject, Section 12.2(b) permits collection from other sources where the data subject (or a competent person, where the data subject is a child) has consented to it.

    Special categories of data

    Section 26 defines special personal information as any information revealing:

    • Religious or philosophical beliefs;
    • Race or Ethnic origin;
    • Trade Union membership;
    • Political Persuasion;
    • Health or sex life;
    • Biometric information of a data subject;
    • Criminal behaviour of a data subject to the extent that such information relates to:
      • the alleged commission by a data subject of any offence, or
      • any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

    Section 26 stipulates a general prohibition to the processing of special categories of data. However, Section 27 lists 6 exceptions to this general prohibition:

    • processing is carried out with the consent of a data subject;
    • processing is necessary for the establishment, exercise or defence of a right or obligation in law;
    • processing is necessary to comply with an obligation of international public law;
    • processing is for historical, statistical or research purposes to the extent that—
      • the purpose serves a public interest; or
      • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
    • information has deliberately been made public by the data subject; or
    • the processing is based on authorisations issued by the Regulator that allow the processing of information revealing religious beliefs, race or ethnicity, trade union membership, political persuasion, health or sex life, and criminal behaviour or biometric information.

    These lawful grounds on which sensitive data may be processed (overriding the general prohibition) do not cover the processing of sensitive data based on a contractual obligation, on the pursuit of a legitimate interest, or in the process of performing a public duty carried out in the public interest.

    The Act also lays down six specific exceptions (Sections 28 to 33), one for each category of special personal information, that override the general prohibition. They concern:

    The processing of data revealing religious or philosophical beliefs (ss. 28)

    Spiritual or religious organisations (or independent sections of those organisations) may process this information where it concerns data subjects belonging to the organisation and the processing is necessary to achieve the organisation's aims, or where it concerns members or employees of an institution founded on religious or philosophical principles and the processing is necessary to achieve those principles. Section 28.2 adds that these organisations may also process data revealing the religious or philosophical beliefs of a data subject's family members, provided that: (a) the association concerned maintains regular contact with those family members in connection with its aims; and (b) the family members have not objected in writing to the processing.

    Personal information revealing a data subject’s religious or philosophical beliefs may only be shared with third parties if the data subjects concerned have consented to such disclosure.

    The processing of data revealing the racial or ethnic origin of data subjects (ss. 29)

    This type of information may be processed if it is used to (a) identify data subjects and only when this is essential for that purpose; and (b) to comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.

    The processing of data revealing trade union membership (ss. 30)

    Trade Union membership information may be processed when the processing is done by the union itself (or the trade union federation to which the union belongs), provided that the information relates to its members. Personal information revealing a data subject’s trade union membership may only be shared with third parties if the data subjects concerned have consented to such disclosure.

    The processing of data revealing political persuasion (ss. 31)

    This information may be processed by (or on behalf of) an institution founded on political principles (such as a political party), provided that the information relates to (a) its members or employees or other persons belonging to the institution, if such processing is necessary to achieve the aims or principles of the institution; or (b) a data subject, if such processing is necessary for the purposes of:

    • forming a political party;
    • participating in the activities of, or engaging in the recruitment of members for or canvassing supporters or voters for, a political party with the purpose of engaging in:
      • an election of the National Assembly or the provincial legislature;
      • municipal elections as regulated in terms of local government electoral legislation; or
      • a referendum.
    • campaigning for a political party or cause.

    Personal information revealing a data subject’s political persuasion may only be shared with third parties if the data subjects concerned have consented to such disclosure.

    The processing of data revealing health or sex life (ss. 32)

    Health or sex life information may be processed by certain institutions (see list below), provided that the persons in charge are bound by a professional obligation of confidentiality (Section 32.2). A person who processes this information without being bound by a professional obligation of secrecy (e.g. an administrative clerk) must nevertheless treat it as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties authorised to process it. The processing of this type of information may be carried out in the following contexts:

    • by medical professionals, healthcare institutions or facilities of social services if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned.
    • by insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for:
      • assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;
      • the performance of an insurance or medical scheme agreement; or
      • for the enforcement of any contractual rights and obligations
    • by schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;
    • by any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;
    • by any public body, if such processing is necessary for the proper implementation of prison sentences or detention measures; and
    • by administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for:
      • the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or
      • the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.

    Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless (a) a serious medical interest prevails; or (b) the processing is necessary for historical, statistical or research activity (Section 32.5). The Regulator may prescribe more detailed rules concerning the processing carried out by insurance companies, administrative bodies or pension funds. It is worth keeping an eye on any rules issued by the Information Regulator.

    The processing of data revealing criminal behaviour or biometric information (ss. 33)

    Section 33.1 permits the processing of criminal or biometric information by bodies charged by law with applying criminal law, and by responsible parties who have obtained the information in accordance with the law.

    Protection of minors

    Section 1 defines a “child” as a natural person under the age of 18 years who is not legally competent to take any action or decision in respect of any matter concerning him or herself, without the assistance of a competent person (e.g. legal guardian).

    Section 4.4 stipulates a general prohibition to the processing of personal data relating to minors, which is then confirmed in Section 34. However, there are a few exceptions to this general prohibition listed in Section 35:

    • a competent person has consented;
    • the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
    • the processing is necessary to comply with an obligation of international public law;
    • the processing is for historical, statistical or research purposes to the extent that:
      • the purpose serves a public interest and the processing is necessary for that purpose; or
      • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the privacy of the child to a disproportionate extent;
    • the personal information has deliberately been made public by the child with the consent of a competent person.

    Section 4.4(b) and 35.2 – stipulate that authorisations issued by the regulator are another exception to the general prohibition to process personal data relating to children. The regulator may issue authorisations if the processing of data relating to children is in the public interest. The processing is still subject to appropriate safeguards, and, to compliance with the conditions laid down by the regulator upon granting the authorisation.

    Section 35.3 stipulates that the regulator may issue certain conditions for the lawful processing of personal data relating to children that are carried out in the public interest. Said conditions include the obligations of controllers regarding the right to access, the obligation to issue a notice, the prohibition to persuade children to disclose more information, and the establishment of reasonable procedures aimed at protecting the integrity and confidentiality of the information provided.

  • Transparency and Free Access

    Transparency

    “Openness” is a pre-requisite for the lawful processing of personal data (equivalent to the principle of transparency under the GDPR) as stipulated in Section 4.1(f) and a constitutional value in South Africa (as stated in the POPIA preamble).

    As part of the openness condition, Section 18 of the Act imposes on controllers the obligation to take reasonably practicable steps to ensure that the data subject is aware of:

    • the information that is collected and, where the information is not collected directly from the data subject, the source from which it is collected;
    • the name and address of the responsible party;
    • the purpose for which the information will be processed;
    • whether or not the supply of the information by that data subject is voluntary or mandatory;
    • the consequences of failure to provide the information;
    • any particular law authorising or requiring the collection of the information;
    • where applicable, that the responsible party intends to transfer the information to a third country or organisation, and the level of protection afforded to personal data by that third country or international organisation;
    • any further information if applicable, such as:
      • recipient or category of recipients of the information,
      • nature or category of the information (e.g. sensitive data, basic personal information, financial information, etc.),
      • the existence of the rights of access and the right to rectify the information collected,
      • the existence of the right to object to the processing of personal information as referred to in section 11(3), and
      • The contact details of the data protection authority and information about the right to lodge a complaint with the authority.

    Providing data subjects with the aforementioned information is a condition for the processing of personal data to be considered reasonable and fair.

    The Act does not expressly state that this notice must be provided free of charge. However, because the notice is an obligation on controllers (rather than a right that data subjects must exercise), and because it is a requirement sine qua non of the openness condition, it follows that it must be provided at no cost to the data subject.

    The subsequent exercise of the right of access by data subjects (“data subject participation”) may, by contrast, be subject to a prescribed fee (Sections 23.1(b)(ii) and 111).

    When does the notice have to be provided?

    • Before collection, if the personal information is collected directly from the data subject; or
    • before collection or as soon as possible if the information is being indirectly collected.

    Exceptions

    It is not necessary for a controller to comply with privacy notice obligation if:

    • the data subject or a competent person where the data subject is a child has provided consent for non-compliance;
    • non-compliance would not prejudice the legitimate interests of the data subject;
    • non-compliance is necessary:
      • to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      • to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
      • for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
      • in the interests of national security;
    • compliance would prejudice a lawful purpose of the collection;
    • compliance is not reasonably practicable in the circumstances of the particular case; or
    • if the information:
      • has been anonymised; or
      • will be used for historical, statistical or research purposes.

    Records of Processing

    Section 17 of the Act stipulates that controllers must maintain documentation of all processing operations under their responsibility, in the form of the manual required by sections 14 and 51 of the Promotion of Access to Information Act. In practice this documentation should describe what each processing activity entails and the purpose it serves.

  • Purpose Specification, Use Limitation and Suitability

    The POPIA does not use the terms “use limitation” or “suitability” (the GDPR's closest analogue is “purpose limitation”); it speaks instead of “purpose specification” (Sections 13 and 14) and “further processing limitation” (Section 15). Together these rules require controllers to specify a purpose for the processing and to ensure that further processing is not incompatible with that purpose. The ground rule (Section 13.1) is that personal information may only be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

    Section 15.1 stipulates that further processing of personal information must be in accordance or compatible with the purpose for which it was collected. Section 15.2 then provides guidance for assessing whether further processing is compatible with the purpose for which the information was initially collected, stating that controllers must in particular take into account:

    • the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
    • the nature of the information concerned;
    • the consequences of the intended further processing for the data subject;
    • the manner in which the information has been collected; and
    • any contractual rights and obligations between the parties.

    In addition, Section 15.3 lists situations in which further processing is deemed not to be incompatible with the original purpose (i.e., further processing is allowed):

    • the data subject or a competent person has consented;
    • the information is available in or derived from a public record, or has deliberately been made public by the data subject;
    • further processing is necessary to avoid prejudice to the maintenance of the law, to comply with an obligation imposed by law, for the conduct of legal proceedings, or in the interests of national security;
    • further processing is necessary to prevent or mitigate a serious and imminent threat to public health or public safety, or to the life or health of the data subject or another individual;
    • the information is used for historical, statistical or research purposes, the further processing is carried out solely for those purposes and the results will not be published in an identifiable form;
    • the further processing is in accordance with an exemption granted by the Regulator under Section 37.

    Restriction of processing

    Section 14.6 states that the responsible party must restrict the processing of personal information in the following situations:

    • the accuracy of the information is contested by the data subject, for a period enabling the responsible party to verify it;
    • the responsible party no longer needs the information to achieve the purpose for which it was collected, but it has to be kept for purposes of proof;
    • the processing is unlawful and the data subject opposes its destruction or deletion and requests restriction of its use instead; or
    • the data subject requests that the information be transmitted to another automated processing system.

    Section 14.7 adds that restricted information may, with the exception of storage, only be processed for purposes of proof, with the consent of the data subject (or of a competent person where the data subject is a child), for the protection of the rights of another natural or legal person, or where the processing is in the public interest.
  • Data Minimisation, Storage Limitation and Accuracy

    Data minimisation

    This principle is explicitly mentioned in the law but rather vaguely. Section 10 provides that personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive. However, there is no further guidance or requirements concerning data minimisation.

    Storage limitation

    Section 14.4 stipulates that controllers must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record.

    Section 14.1 stipulates that personal data may not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

    • retention of the record is required or authorised by law;
    • the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
    • retention of the record is required by a contract between the parties thereto;
    • the data subject, or a competent person where the data subject is a child, has consented to the retention of the record; or
    • the data are used for historical, statistical or research purposes, provided the controller has implemented appropriate safeguards to prevent misuse of the data (Section 14.2).

    Section 14.3 lays down another exception. A controller that has used a record of personal information must:

    • retain the record for such period as may be required or prescribed by law or a code of conduct; or
    • if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.

    Accuracy

    “Information quality” is the 5th condition for the lawful processing of personal data. Section 16.1 indicates that controllers must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. Section 16.2 indicates that in doing this, controllers must have regard to the purpose for which personal information is collected or further processed. In addition, data subjects have the right to access any personal data relating to them and to rectify any inaccurate, outdated or misleading information (see section on Data Subject Rights, below).

  • Security and Prevention

    Security is the 7th condition for the lawful and fair processing of personal data. Section 19.1 stipulates that controllers must secure the integrity and confidentiality of personal information in their possession or under their control. Specifically, controllers ought to implement appropriate and reasonable technical and organisational measures to prevent:

    • loss of, damage to, or unauthorised destruction of personal information; and
    • unlawful access to or processing of personal information.

    To achieve this, Section 19.2 stipulates that controllers must take all reasonable measures to:

    • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
    • establish and maintain appropriate safeguards against the risks identified;
    • regularly verify that the safeguards are effectively implemented; and
    • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

    In addition, Section 20(b) imposes on processors (anyone processing data on behalf of a controller) the obligation to treat those personal data as confidential. Controllers must ensure, by means of a legally binding agreement, that processors implement and maintain security measures.

    Best practices

    Section 19.3 indicates that controllers must have due regard to generally accepted information security practices and procedures which may apply to them generally or be required in terms of specific industry or professional rules and regulations. In combination with Section 19.2, it is clear that controllers must implement an iterative security strategy, and the details of a proper security strategy are to be found in standards developed by groups of experts and in professional rules such as ISO 27001 or the Cloud Security Alliance’s Code of Conduct.

  • Accountability and Recordkeeping

    Accountability is listed in Section 4.1(a) as the first condition or principle for the lawful processing of personal information. Section 8 stipulates that controllers must ensure that the conditions (principles), and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself. The burden of proof to demonstrate compliance with the conditions lies on controllers (for example, Section 11.2(a) regarding the obligation to demonstrate valid consent).

    Record keeping is part of the “openness” (transparency) condition. Section 17 indicates that controllers must maintain the documentation of all processing operations under their responsibility, and they ought to comply with the Promotion of Access to Information Act. The POPIA is not too specific concerning the recordkeeping obligations of controllers, but it is clear that controllers ought to keep records in order to be able to demonstrate compliance with the conditions, obligations, and rights of data subjects.

  • Data Protection Officer

    The POPIA does not explicitly require a Data Protection Officer. The POPIA refers to the Promotion of Access to Information Act, which only provides a definition of an Information Officer acting on behalf of a public entity. Nevertheless, Section 55 of the POPIA lays down the tasks to be carried out by what amounts to a DPO, who can act as such for both public and private entities. Moreover, Section 56 stipulates that Information Officers may designate as many Deputy Information Officers as needed to carry out the tasks specified in Section 55. In conclusion, having a DPO does not appear to be a requirement, but it is feasible and even advisable.

    Section 55.2 stipulates that an information officer can carry out their duties only after the controller has registered him or her with the Regulator. Hence, controllers MAY designate a DPO (who can in turn designate deputies), but controllers MUST register the DPO with the Regulator prior to the commencement of their functions.

    Tasks of the DPO

    Section 55 provides an open-ended list of responsibilities for DPOs:

    • the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
    • dealing with requests made to the body pursuant to this Act;
    • working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
    • otherwise ensuring compliance by the body with the provisions of this Act; and
    • as may be prescribed (by the body or the regulator).

    In relation to the last point, Article 112.2(d) indicates that the Regulator may make regulations relating to the responsibilities of information officers as referred to in Article 55.1(e). This means that it is recommendable to keep an eye on any guidance or regulations issued by the data protection authority concerning the responsibilities of DPOs.

  • Privacy by Design

    The POPIA does not recognize the principle of Privacy by Design and there are no provisions governing this particular aspect.

  • Privacy Impact Assessment

    The POPIA does not appear to have an equivalent to a Data Protection Impact Assessment. However, the Act does indicate that taking reasonable technical and organisational measures is a risk-based approach. Therefore, the assessment described under the principle of ‘Security Safeguards’ is likely to be the closest related concept when compared to a DPIA under the GDPR.

    For more information, please reference the ‘Security Safeguards’ entry.

  • Data Subject Rights

    The Right to Access

    In addition to the privacy notice that ought to be provided by controllers, data subjects have the right to access their personal data if they provide the company with proof of their identity. The Data Subject has the right to request from controllers:

    • confirmation of whether the company holds information on the data subject, which has to be provided free of charge;
    • the record or a description of the personal information about the data subject held by the controller, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.

    A response to the subject requesting access has to be provided (a) within a reasonable time; (b) at a prescribed fee, if any; (c) in a reasonable manner and format; and, (d) in a form that is generally understandable.

    Section 23(2) of POPIA states that, at the same time as providing the foregoing information, companies must also inform the Data Subject of his or her right to ask for the correction of the information if it is incorrect.

    Exceptions

    Section 24.4 indicates that controllers may refuse, or must refuse, as the case may be, to disclose any information requested based on the applicable articles of the Promotion of Access to Information Act (Chapter 4, Parts 2 and 3, and Articles 30 and 61 when the data relates to health records). If only certain data cannot be disclosed as per the Promotion of Access to Information Act, all other data not falling within the restrictions laid down therein must be disclosed to the data subject.

    The Right to rectification, restriction, or deletion

    The Data Subject has the right to request controllers to:

    • correct or delete personal data that is inaccurate, irrelevant, excessive, outdated, incomplete, misleading or that was unlawfully obtained; or
    • destroy or delete personal information that a company is no longer authorised to retain (because it is not needed, illegal, or otherwise).

    When a controller receives such a request, they must:

    • rectify the information, or
    • destroy or delete the information, or
    • provide the data subject with evidence supporting that the information is valid, or
    • inform users that a request for correction was made and that it was denied.

    In all cases, the company must inform the data subject of its decision.

    Right to the restriction of processing

    Instead of deletion, a data subject may also request that the processing activities be restricted. This right can be found in Section 14(6) of the Act and can be invoked only in certain specific circumstances. These are:

    • The data’s accuracy is contested. The restriction of the processing will last for as long as it takes to verify whether the data is accurate;
    • The data is no longer needed for achieving the purpose for which the information was collected or processed;
    • The processing is unlawful and the data subject opposes the destruction or deletion of the data; or
    • The Data Subject requests the data to be transferred to another automated processing system.

    Section 14.7 stipulates that personal information subject to a processing restriction may only be processed for:

    • storage;
    • proof;
    • the protection of the rights of another natural or legal person;
    • the public interest; or
    • other purposes, if the data subject has consented.

    Controllers ought to inform data subjects before lifting the restriction.

    Right to erasure

    The right to erasure is mentioned in the catalogue of rights laid down in Section 5(c) and could be interpreted as embedded within the right to rectification, which includes erasure and destruction. Section 23 stipulates that data subjects may request a controller to delete information that is inaccurate, irrelevant, excessive, outdated, incomplete, misleading or that was unlawfully obtained.

    Right to data portability

    The right to data portability is not explicitly mentioned, but Article 14.6(b) could be interpreted as the baseline of such a right. However, there are no guidelines or requirements for how such a right is to be exercised.

    Right to object

    Section 5 grants data subjects the right to object, on reasonable grounds relating to his, her or its particular situation, to the processing of his, her or its personal information. Article 11.3 stipulates that a data subject may object, at any time:

    • to the processing of personal information based on a legitimate interest,
    • to the processing for the purpose of direct marketing,
    • to unsolicited e-communications, and
    • to the processing in the context of a printed or electronic directory (Article 70.2).

    Automated individual decision-making

    Section 5(g) stipulates that data subjects have the right not to be subject, under certain circumstances, to a decision which is based solely on the automated processing of his, her or its personal information intended to provide a profile of such person, as provided for in terms of Section 71. Section 71 indicates that a data subject may not be subjected to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, and which is based solely on the automated processing of personal information intended to provide a profile of such person, including his or her performance at work, or his, her or its creditworthiness, reliability, location, health, personal preferences or conduct.

    Exceptions to the exercise of the right not to be subject to automated decision-making

    Section 71.2 stipulates that data subjects cannot exercise this right if the decision:

    • has been made in connection with the conclusion or execution of a contract, and
      • the request of the data subject in terms of the contract has been met; or
      • appropriate measures have been taken to protect the data subject’s legitimate interests (i.e., give data subjects the opportunity to have a say), and
      • require the controller to provide the data subject with the underlying logic of the automated processing;
    • or when such decision is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.

    Right not to be subject to processing of personal data for the purpose of direct marketing

    Section 5(f) stipulates that data subjects have the right not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications. In addition, Section 69.1 prohibits the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMS or e-mail.

    Exceptions to the right not to be subject to processing of personal data for the purpose of direct marketing

    Section 69 lays down the following exceptions:

    • The data subject has consented;
    • the data subject is an existing customer, in which case the controller may only process the information of the data subject if:
      • the controller has obtained the contact details of the data subject in the context of the sale of a product or service,
      • the processing is for the purpose of direct marketing of the controller’s own similar products or services, and
      • the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details. This opportunity ought to be provided:
        • at the time when the information was collected, and
        • on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.

     

  • Vendor Management

    Section 21 indicates that, by means of a binding contract, controllers must ensure that processors implement and maintain security measures (in terms of Section 19). In addition, processors can only process personal data with the knowledge or authorisation of the controller, and such data ought to be treated confidentially (Section 20). These obligations also have to be stipulated in a contract.

  • Cross-border Data Transfers & Data Localisation

    Chapter 9 of the POPIA consists of section 72 of the Act, which specifies the conditions under which data may be transferred outside South Africa.

    Transborder information flows

    The first subsection of section 72 imposes a general prohibition on any data transfer to a third party in a foreign country. However, there are certain circumstances in which such a transfer is allowed:

    • When the third party is subject to a law, binding corporate rules or binding agreements that provide for an adequate level of protection;
    • When the data subject consents to the transfer;
    • The transfer is necessary for the performance of a contract;
    • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data subject and the responsible party;
    • The transfer is necessary for the conclusion or performance of a contract concluded between the responsible party and a third party;
    • The transfer is for the benefit of the data subject, and it is not practical to obtain consent, and the data subject would be likely to give consent regardless.

    In this respect, binding corporate rules and binding agreements provide an “adequate level” of protection when they effectively uphold principles for reasonable processing. The POPIA does not detail or mention an official mechanism for the designation of adequate countries; in fact, it appears to be up to controllers to evaluate whether a country has adequate data protection regulations. Article 72.1(a) sheds light on the key elements to consider:

    • the law, rules or agreement effectively upholds principles for reasonable processing of personal data;
    • that the principles are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
    • the laws include provisions that are substantially similar to Chapter 9 of the POPIA.

    Intention to transfer must be included in a privacy notice

    Section 18(1)(g) of the POPIA imposes on controllers the obligation to inform data subjects of their intention to transfer the information to a third country or international organisation.

  • Incident and Breach

    If a company thinks that there has been a data breach, it must notify the regulator as well as the data subjects that were involved unless they cannot be identified. The notification itself must take place as soon as possible to ensure that law enforcement can respond to the breach as well. According to section 22(3) of POPIA, the notification to data subjects can only be delayed if that is necessary for a criminal investigation. In addition, POPIA imposes on processors the obligation to notify controllers of any breach incident.

    Form requirements for the notification

    The notification must be in writing, and communicated either by post, to the data subject’s e-mail address, on the company’s website, or by publication in the media. Further, it must provide a Data Subject with enough information to take protective measures against the consequences of the breach, such as:

    • A description of the possible consequences of the breach;
    • A description of the measures that the company takes;
    • A recommendation to the data subject on how to mitigate any harm that may arise from the breach;
    • The identity of the person who breached the company’s security (if known).

    Breach notification under the POPIA compared with the GDPR

    Article 33 of the GDPR mentions that companies must notify the respective regulator within 72 hours. The POPIA does not impose such a time limit. However, the phrase ‘as soon as possible’ might mean an even stricter obligation for companies. This will depend on how the Information Regulator intends to exercise its discretionary power.

    A second difference between the GDPR and the POPIA is the threshold applicable to notifying data subjects. The POPIA requires the notification of data subjects as soon as companies have grounds to believe that their personal information has fallen into the wrong hands. By contrast, under the GDPR, notification to data subjects is only required if the breach is likely to result in a high risk for data subjects.

  • Enforcement (governance)

    The POPIA has an extensive framework for handling complaints and for investigating processing activities on the Regulator’s own initiative. Furthermore, the Information Regulator has a variety of powers to assist it in determining whether to issue a fine or an administrative measure. Therefore, this section discusses the following topics:

    • The jurisdiction, powers and duties of the Information Regulator
    • The Information Regulator’s investigatory powers
    • The enforcement notice
    • Assessments of processing activities
    • Offences, penalties and other administrative fines

    The jurisdiction, powers and duties of the Information Regulator

    Section 1 of the POPIA states that the South African supervisory authority, also known as the data protection authority (DPA), is mandated with the supervision and enforcement of POPIA and is called ‘the Information Regulator’ (IR).

    Section 39 of POPIA ‘officially establishes’ the body of the information regulator, and establishes its main governing principles:

    • The IR has jurisdiction throughout South Africa;
    • Is independent and impartial;
    • Must exercise its powers in accordance with the POPIA;
    • Is accountable to the National Assembly.

    The powers and duties of the IR can be found in section 40 of the POPIA. The section distinguishes the powers to:

    • Raise awareness and educate;
    • Monitor and enforce compliance;
    • Consult with interested parties, cooperate at an international level, and mediate between opposing parties;
    • Handle complaints;
    • Conduct research (e.g. on the desirability of accepting certain international instruments);
    • Provide prior authorisation to a controller who wants to process unique identifiers of data subjects (e.g. ID numbers), information concerning criminal behaviour, credit reporting, transfer of sensitive data to third countries, or personal information of children.

    Of these powers, the complaint handling and reporting powers are likely the most relevant to companies, as the IR has the power to investigate any matter reported to it and to ask companies to provide it with information where necessary.

    The Information Regulator’s investigatory powers

    According to Chapter 7 of POPIA, the Information Regulator has the power to start an investigation. The conclusion of such an investigation may be that a company has committed an offence, and the IR may impose a penalty or an administrative fine on the offender.

    First, the Information Regulator may start an investigation either:

    • When, according to section 74 of POPIA, a data subject submits a complaint to the Information Regulator;
    • When, according to section 74(3) of POPIA, the IR decides on its own initiative to assess a processing activity.

    According to section 76 of POPIA, when a data subject submits a complaint to the Information Regulator, it may decide to undertake one of the following actions:

    • Conduct a pre-investigation;
    • Conduct a full investigation;
    • Mediate between the data subject and the party subject to the complaint;
    • Refer the complaint to an Enforcement Committee;
    • Decide to take no action.

    In any case, the IR will inform the complainant and the data subject of the action it decides to take.

    If the IR decides to conduct a pre-investigation, it will determine, on the basis of the findings of the pre-investigation, whether to conduct a full investigation.

    According to section 81 of POPIA, if the IR decides to conduct a full investigation, it may make use of the following powers:

    • Summon persons and take evidence under oath;
    • Administer oaths;
    • Receive and accept evidence;
    • Subject to a warrant, enter and search any premises occupied by the responsible party;
    • Conduct private interviews with anyone on the entered premises.

    According to section 92 of POPIA, once the regulator has completed the investigation, the IR may decide to refer the matter to the Enforcement Committee. The Enforcement Committee has the following functions:

    • Review the findings of the investigation of the regulator, and compile its own findings;
    • Make any recommendations as to the actions that should be taken against the responsible party.

    The Enforcement Notice

    According to section 94 of POPIA the regulator will review the recommendations of the Enforcement Committee. The IR will then issue an enforcement notice if it is satisfied that a responsible party has interfered or is interfering with the protection of personal information of a data subject. That is the case when:

    • There is ‘any’ breach of the conditions of lawful processing of personal information;
    • A company does not report a data breach;
    • A person acting on behalf or under direction of the regulator breaches his duty of confidentiality;
    • There is a breach of the rules on direct marketing by means of unsolicited electronic communications;
    • There is a breach of a code of conduct.

    The enforcement notice may require a company to:

    • Take specified steps within a period of time, or refrain from taking those steps;
    • Completely stop processing personal information, or stop processing for a specific purpose.

    Furthermore, the enforcement notice contains:

    • A description of the breach that led to the notice;
    • The company’s right of appeal against the notice.

    The enforcement notice is clear evidence that a company has breached the law, which attracts various liabilities. Essentially, the enforcement notice opens up the way for the regulator to issue fines and other administrative measures to the responsible party. Furthermore, it enables the regulator as well as individual data subjects to commence civil action against the company.

    Assessments by the Information Regulator

    Furthermore, the Information Regulator may assess whether a processing activity is compliant with POPIA:

    • When, according to section 89 of POPIA, a data subject asks the IR to assess a processing activity;
    • When, according to section 89 of POPIA, the IR decides to assess a processing activity on its own initiative.

    Section 90 of POPIA states that, if the Information Regulator requires more information to make the assessment, it may issue an information notice. The responsible party must then provide the requested information to the IR. Companies may appeal against an information notice as well.

    The regulator will then inform the parties of the outcome of the assessment in the form of a report. According to section 91(3), such a report outlines all the measures that the IR recommends, and has the same status as an enforcement notice.

    Offences, penalties and administrative fines

    Chapter 11 of the POPIA specifies the offences under the act. They are:

    • Obstruction of Regulator (ss. 100);
    • Breach of confidentiality (ss. 101);
    • Obstruction of execution of warrant (ss. 102);
    • Failure to comply with enforcement or information notices (ss. 103);
    • Offences by witnesses (ss. 104);
    • Unlawful acts by responsible party in connection with account number (ss. 105);
    • Unlawful acts by third parties in connection with account number (ss. 106).

    Section 107 of the POPIA also specifies the penalties that may be imposed on companies. For certain offences, most notably for noncompliance with an enforcement notice, individuals may be imprisoned for up to three years and companies may be fined an unspecified amount.

    Furthermore, according to section 109 of POPIA, the regulator may also issue administrative fines by issuing an infringement notice. This notice will be delivered to the responsible party and will specify the exact amount that must be paid. The responsible party has 30 days to pay the fine.

    Finally, the responsible party is also liable for civil damages under section 99 of the POPIA. Data subjects may go to court and claim restitution for the damage caused by the breach of the responsible party.

    How big the fine will be depends on a variety of factors. The regulator will take the following into account:

    • The nature of the personal information involved;
    • The duration and extent of the contravention;
    • The number of data subjects affected;
    • Whether the breach raises an issue of public importance;
    • The likelihood of damage or distress, including injury or feelings of anxiety;
    • Whether the responsible party could have prevented the breach;
    • Whether the responsible party carried out a risk assessment;
    • Whether it is the party’s first offence under the act.
  • DataBreachPedia

    Overview

    In South Africa, based on Section 22 of the PoPI Act, it is mandatory for the data controllers (responsible party) to notify where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorized person.

    Is it Mandatory to Notify Individuals?

    Yes.

    Is it Mandatory to Notify Regulator?

    Yes.

    Notification Deadline

    As soon as reasonably possible.

    Responsible Regulator

    The Information Regulator (South Africa)
    SALU Building,
    316 Thabo Sehume Street,
    PRETORIA

    Phone: 012 406 4818
    Fax: 086 500 3351
    E-mail: [email protected]
    Website: http://www.justice.gov.za/inforeg/index.html

    Breach Notification Format

    Breach notification to the individuals should be communicated either through post, email, on a website, published in news media, or as directed by the regulator. The content of the notification should include sufficient information to allow the data subject to take protective measures against the potential consequences of the breach. There is no prescribed content for the breach notification to the regulator.
