South Africa - Data Protection Overview
1. Governing Texts
The Republic of South Africa has taken significant steps to implement laws and regulations relating to the protection of data and personal information. The Republic of South Africa's first specific data protection law came into effect on July 1, 2021, joining the rest of the world in protecting the right to privacy in this digital age of the Fourth Industrial Revolution.
The Constitution of the Republic of South Africa guarantees the right to privacy. Additionally, certain provisions within the Electronic Communications and Transactions Act, 2002 ('ECTA') regulate the electronic collection of personal information, although compliance with these provisions is voluntary. These provisions of the ECTA pertaining to the protection of personal information were repealed on June 30, 2021 (see below).
The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on November 26, 2013, following the President's signature. With the exception of Section 58, POPIA became fully enforceable on July 1, 2021; the commencement of Section 58 was deferred until February 1, 2022. POPIA is wide in its application and impacts all persons processing personal information within the country (or using means from within the country). It also protects the personal information of juristic persons.
Data privacy must also be considered from the perspective of consumer protection law under the Consumer Protection Act, 2008 ('CPA'), which was enacted in 2011 and applies to the direct marketing of goods and services to consumers by telephone. The provisions under the CPA on direct marketing and unsolicited communications may overlap with the provisions of POPIA. However, POPIA specifically prescribes rules relating to unsolicited electronic communications, while its general provisions apply to personal information processed in connection with direct marketing and unsolicited communications falling within the ambit of the CPA.
On May 26, 2021, President Ramaphosa signed the Cybercrimes Bill into an Act of Parliament and a law of the Republic of South Africa as the Cybercrimes Act No. 19 of 2020 ('Cybercrimes Act'). The Cybercrimes Act became enforceable on December 1, 2021, and aims to both create new offenses that, for example, criminalize the theft and interference of data, while also modernizing existing criminal offenses to cater for the particular nature with which many cybercrimes are committed. The objectives of the Cybercrimes Act are therefore to:
- create offenses and impose sanctions that relate to cybercrime;
- criminalize the dissemination of harmful data messages; and
- further regulate law enforcement's jurisdiction over cybercrime by granting extensive powers to investigate, search, access, and seize articles used in committing an offense, such as computers, databases, networks, etc.
Specific offenses created under the Cybercrimes Act include unlawful access (the unlawful and intentional access to a computer system or a computer data storage medium, commonly referred to as 'hacking') and the unlawful interception, interference with, or acquisition of data, a computer program, a computer data storage medium, or a computer system. The 'modernized' criminal offenses include: cyber fraud, being fraud committed by means of data or a computer program or through any interference with data or a computer program; cyber forgery, being the creation of false data or a false computer program with the intention to defraud; cyber uttering, being the passing-off of false data or a false computer program with the intention to defraud; cyber extortion, being, inter alia, the unlawful and intentional interception of data for the purpose of obtaining any advantage from another person or compelling another person to perform or to abstain from performing any act; and the theft of incorporeal property. Of note, however, is the criminalization of malicious or harmful communications. These are communications, or rather 'data messages', which:
- incite or threaten damage to property or violence;
- threaten persons with damage to property or violence; and
- disclose an intimate image.
The Promotion of Access to Information Act 2 of 2000 ('PAIA') regulates access to information and it enables people to gain access to information held by both public and private bodies. In terms of PAIA, an Information Officer ('IO') must be appointed within an organization to manage the requirements to access information held by that organization. IOs are appointed automatically by virtue of their position within a private or public entity. However, the advent of POPIA has now expanded the role of an IO, meaning the role of an IO within an organization is now not only governed by the provisions of PAIA but also by POPIA.
In accordance with its powers under POPIA, the Information Regulator published, in December 2018, the Protection of Personal Information Act, 2013 (Act No. 4 Of 2013): Regulations Relating to the Protection of Personal Information ('the Regulations'). The Regulations are mainly administrative in nature and prescribe several forms to be used in order to take certain types of action under POPIA including:
- the manner in which an objection to the processing of personal information can be made (Section 2 of the Regulations);
- requests for the correction or deletion of personal information or the destruction or deletion of a record of personal information (Section 3 of the Regulations);
- duties and responsibilities of IOs (to be appointed by each responsible party), which includes obligations relating to impact assessments to be undertaken (Section 4 of the Regulations);
- applications for the Information Regulator to issue industry codes of conduct (Section 5 of the Regulations);
- the manner in which consent is requested for the processing of personal information for direct marketing by means of unsolicited electronic communications (Section 6 of the Regulations);
- submission of complaints or grievances (Section 7 of the Regulations);
- the Information Regulator acting as a conciliator during an investigation (Section 8 of the Regulations);
- the notification requirements of the Information Regulator to provide notification and information to all affected parties to a complaint/investigation (Section 12 of the Regulations); and
- the notification requirements of the Information Regulator to provide notification to affected parties of its intention to carry out assessments or relating to a request by a third party to do so (Section 11 of the Regulations).
The Regulations also provide for various prescribed forms which are required to be utilized when requests or complaints are submitted.
The Information Regulator gazetted a Guideline to Develop Codes of Conduct on February 26, 2021. Chapter 7 of POPIA provides for the development of codes of conduct that may apply to certain types of personal information, specific industries, professions, bodies, or specific types of activities.
The Guideline to Develop Codes of Conduct was published in order to explain the process for the development of codes of conduct by the relevant industry bodies in terms of Section 65 of POPIA. The Guideline to Develop Codes of Conduct provides guidance to industry bodies on making and applying for a code of conduct to be approved by the Information Regulator. The codes of conduct which have been approved by the Information Regulator can be found on its website.
On April 1, 2021, the Information Regulator published a Guidance Note on Information Officers and Deputy Information Officers ('the Guidance Note'), which confirmed that the registration of IOs and Deputy IOs is expected to commence on May 1, 2021. In a separate media statement released alongside the Guidance Note on April 1, 2021, the Information Regulator confirmed that such registration will be able to take place via an online portal on the Information Regulator's website.
The Information Regulator has also published a Guidance Note on Applications for Prior Authorisation, which elaborates on the process to be followed by businesses who intend to process personal information which is subject to prior authorization.
Unless a business is subject to an applicable code of conduct, the business has to apply for prior authorization from the Information Regulator if they process or intend to process any personal information specifically falling within the specified categories, as per Sections 57 and 58 of POPIA. These categories are:
- processing of unique identifiers (examples of unique identifiers are included in the Guidance Note, which, among others, include: bank account numbers or any account number; policy number; identity number; employee number; student number; telephone or cell phone number; or reference number) where these are used for a purpose other than the one for which the unique identifier was specifically intended (at collection) and is linked with information processed by another or other responsible parties;
- processing information on criminal behavior or unlawful or objectionable conduct on behalf of third parties (e.g. any person contracted to conduct a criminal record inquiry or reference check pertaining to past conduct or disciplinary action);
- information processed for the purposes of credit reporting (e.g. including the processing activities of credit bureaus); and
- any transfer of special personal information or the personal information of children from South Africa to a third party in a foreign country, where that country does not provide an adequate level of protection for the processing of personal information (i.e. an adequate level of protection requires the recipient of the information to be subject to a law, Binding Corporate Rules ('BCR') or binding agreement which provides a level of protection that effectively upholds principles for reasonable processing of personal information that is substantially similar to the conditions for the lawful processing as mentioned under POPIA).
A responsible party who carries out information processing activities that are subject to prior authorization without the Information Regulator's express approval commits an offense and may be liable to a penalty as set out in Section 107 of POPIA. This would include a fine (of up to ZAR 10 million (approx. $529,430)) or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment.
The Information Regulator has also published a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information in terms of Sections 37 and 38 of POPIA ('the Exemption Guidance Note'). In terms of Section 37(1) of POPIA, the Information Regulator may by notice in the Gazette grant an exemption to a responsible party to process certain personal information, even if that processing is in breach of a condition for the lawful processing of such information, or any measure that gives effect to such condition if the Information Regulator is satisfied that the requirements that are stated therein are met.
In terms of Section 38(1) of POPIA, personal information processed for the purpose of discharging a 'relevant function' is exempt from Sections 11(3) and (4), 12, 15, and 18 of POPIA in any case to the extent to which the application of those provisions to the personal information would be likely to prejudice the proper discharge of that function.
The Exemption Guidance Note provides clarity on the process of submitting an application in terms of Section 37 while also guiding responsible parties on the bounds and meaning of what would be considered a 'relevant function' in terms of Section 38.
On June 28, 2021, the Information Regulator published the Guidance Note on the Processing of Special Personal Information ('the Special Personal Information Guidance Note'). The purpose of the Special Personal Information Guidance Note was to guide responsible parties who are required to obtain authorization from the Information Regulator to process special personal information, as provided for in Section 27(2) of POPIA. In terms of Section 27(2) of POPIA, the Information Regulator may, by notice in the Gazette, authorize a responsible party to process special personal information if the Information Regulator is satisfied that:
- such processing is in the public interest; and
- appropriate safeguards have been put in place to protect the special personal information of the data subject.
In August 2022, the Information Regulator published form SCN1 for the notification of a security compromise in terms of Section 22 ('the Security Compromise Form') together with Guidelines on completing the Section 22 security compromise notification form (the 'Security Compromise Guidance Note'). The Security Compromise Form, as read with the Security Compromise Guidance Note, sets out the specific form for security compromise notifications to the Information Regulator and outlines the process to be followed by responsible parties or IOs in submitting these notifications to the Information Regulator. The Security Compromise Guidance Note further provides guidance on how the Security Compromise Form should be completed. The Security Compromise Form consists of five sections:
- Part A: requires the details of the responsible party;
- Part B: requires the details of the IO;
- Part C: requires the details of the security compromise in terms of Section 22 of POPIA including, inter alia, the date of the security compromise, the type of personal information that was unlawfully accessed, and a description of the possible consequences of the security compromise;
- Part D: requires a description of the measures that the responsible party will take or has taken to address the security compromise and to protect the data subjects' personal information from further unauthorized access or use; and
- Part E: contains the declaration that the information contained in the security compromise form is accurate, true, and correct.
1.3. Case law
"… it is the Information Regulator's view that the processing of cell phone numbers as accessed on the user's contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorization from the Information Regulator."
The matter has not progressed further to date.
In a separate matter, the National Department of Basic Education ('DBE') issued a notice, on January 10, 2022, that it would depart from the traditional process of publishing the national results of the 2021 Grade 12 final examinations in various national newspapers and news sites. The rationale for this decision stemmed from a consultation with the Information Regulator as to the legality of this process in light of POPIA.
However, this decision was met with a significant amount of public outcry and resulted in an urgent application before the North Gauteng High Court which sought to reverse this decision by the DBE. On January 18, 2022, the Honourable Miller J issued a draft order in the North Gauteng High Court, ordering the DBE to ultimately reverse its decision. The order specifically stated that the published results must not reflect the first names and/or surnames of any of the learners. Consequently, the national results were published with the names and surnames of the learners removed.
Most recently, in a court judgment involving a property transaction with a law firm, the property buyer fell victim to a 'business email compromise' (a 'BEC'), a form of cyberattack in which attackers intercept an email and manipulate the details therein to their advantage. In this instance, the email containing the law firm's trust account details was intercepted and the banking details were altered, resulting in the victim paying ZAR 5.5 million (approx. $291,202) into the attacker's bank account instead of the law firm's. The matter was litigated and, in an order passed on January 16, 2023, the court ordered the law firm to pay the ZAR 5.5 million (approx. $291,202) lost to the attackers on the basis of the law firm's duty of care to take the necessary steps to safeguard its clients and others dealing with the law firm against incidents of BEC. The court found that there were various mitigating security measures available to the law firm that it had not implemented and that, by not making use of these measures, the law firm failed to adhere to its duty of care. Although POPIA is not specifically referenced in the judgment, the order and the reasoning are indicative of the court's approach to the implementation of appropriate and adequate security measures to safeguard sensitive or confidential information.
2. Scope of Application
POPIA applies to the processing of personal information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
POPIA will apply not only to responsible parties domiciled in South Africa but also to responsible parties outside of South Africa that use means to process in South Africa (unless such means are only used to forward the information through South Africa).
POPIA applies to the processing (widely defined under POPIA to include collection, recording, organizing, collating, distributing, modifying, storing, using, and destruction) of personal information by a responsible party (being a public or private body or any other person which alone or together with others determines the purpose and means for processing).
All processing of personal information is covered by POPIA. However, POPIA does not apply to personal information processing:
- which is purely personal or household activity;
- by or on behalf of a public body where it involves national security or where its purpose is to prevent or detect unlawful activities (provided that alternative legislation relevant to such activities provides for safeguards to protect personal information);
- by the Cabinet and its committees or the Executive Council of a province;
- related to a court's judicial functions; and
- which is solely for the purpose of journalistic, literary, or artistic expression.
3.1. Main regulator for data protection
POPIA introduces and provides for the establishment of an independent supervisory authority, namely the Information Regulator, specifically established for the purpose of data protection.
3.2. Main powers, duties and responsibilities
The Information Regulator is responsible for the oversight and enforcement of POPIA and has wide-ranging powers and responsibilities, including in relation to:
- facilitating education, training, and awareness of data protection;
- monitoring and enforcing compliance with POPIA;
- consulting with any interested parties on data protection;
- handling complaints from data subjects and/or other parties in relation to data protection;
- research regarding privacy and data protection;
- issuing codes of conduct; and
- facilitating cross-border cooperation in the enforcement of privacy laws.
Any person may, either orally or in writing (although oral submissions are to be converted to writing as soon as reasonably practicable), submit a complaint to the Information Regulator in the event of alleged interference. POPIA provides that, after receipt of a complaint, the Information Regulator is obliged to investigate the complaint, act as a conciliator where appropriate, and take further action as contemplated by POPIA. In exercising its investigative powers, the Information Regulator may, inter alia:
- summon and enforce the appearance of persons;
- compel the provision of written or oral evidence under oath;
- receive evidence irrespective of whether such evidence is admissible in a court of law; and
- enter and search any premises occupied by a responsible party. Where necessary, the Information Regulator may apply to a judge of the High Court or a magistrate to issue a warrant to enable the Information Regulator to enter and search premises.
4. Key Definitions
Personal data: 'Personal information' is defined broadly in POPIA to include information relating to both an identifiable, living, natural person, and where applicable, an identifiable juristic person or legal entity, and includes:
- information about a person's race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language, and birth;
- information relating to the education, medical, financial, criminal, or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views, or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Sensitive data: POPIA provides for a separate category of information called 'special personal information' which includes all information relating to a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behavior. POPIA also specifically regulates the personal information of children.
Data controller: A 'responsible party' is a public or private body that determines the purpose and means for processing the personal information of a data subject.
Data processor: An 'operator' is a party that processes personal information on behalf of a responsible party, without coming under the direct authority of the responsible party.
Data subject: Any party to whom personal information relates.
Biometric data: 'Biometrics' means a technique of personal identification that is based on physical, physiological, or behavioral characterization including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.
Health data: Not applicable.
Pseudonymization: POPIA does not provide a definition for pseudonymization. However, 'de-identify', in relation to the personal information of a data subject, means to delete any information that:
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject; and
- can be linked by a reasonably foreseeable method to other information that identifies the data subject.
5. Legal Bases
In terms of Section 11 of POPIA, personal information may only be processed if:
- the data subject or a competent person where the data subject is a child consents to the processing;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
- processing complies with an obligation imposed by law on the responsible party;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
See the section on legal bases above.
The processing of a data subject's personal information for the purposes of direct marketing is prohibited unless the data subject has given their consent or the email recipient is a customer of the responsible party. The responsible party must have obtained the details of the data subject through sales of a product or service and the marketing should relate to similar products or services of the responsible party. The data subject must be given an opportunity to object to the use of their personal information for marketing on each occasion that the responsible party communicates with the data subject for marketing purposes.
POPIA prescribes eight conditions for the lawful processing of personal information by or for a responsible party, which are as follows:
Accountability
The responsible party must ensure compliance with all the conditions under POPIA and is responsible for implementing such conditions. This includes having to ensure that any third parties or service providers (defined as 'operators' under POPIA) also comply with the provisions of POPIA.
Processing limitation
Processing of personal information must be undertaken lawfully and in a reasonable manner.
Purpose specification
Personal information must be collected for a specific, explicitly defined, and lawful purpose relating to the responsible party's business.
Further processing limitation
The further processing of personal information must be undertaken in accordance with, or be compatible with, the purpose for which the personal information was originally collected. It is important to note that further processing will be compatible with the original purpose if:
- the data subject consents;
- the information is in a public record or has been deliberately made public by the data subject;
- further processing is necessary to avoid prejudice to the maintenance of the law by any public body, to comply with obligations imposed by the law or in the interests of national security; or
- further processing is necessary to prevent or mitigate a threat to public health or safety or the life or health of the data subject or anyone else.
Information quality
The responsible party must ensure that the personal information it processes about data subjects is complete, accurate, not misleading, and updated where necessary.
Openness
This condition seeks to ensure transparency between the responsible party and the data subject.
Security safeguards
The responsible party must secure the integrity and confidentiality of personal information in its possession or under its control with appropriate and reasonable technical and organizational measures to prevent the loss of, damage to, or unauthorized destruction of the personal information, and any unlawful access to or processing of personal information.
Data subject participation
A data subject, having provided adequate proof of identity, has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information about that particular data subject. The data subject may request a description of the personal information, including information about third parties who have had access to the information, within a reasonable time and at a prescribed fee (if any). In addition, the information must be provided to the data subject in a reasonable manner and in a form that is generally understandable. In this regard, it is important to note that PAIA differentiates between records held by public bodies and private bodies and the instances in which access to records may be refused by these respective bodies.
7. Controller and Processor Obligations
The rights and responsibilities of a responsible party are not separately specified and are incorporated in relation to the information protection conditions, in terms of which responsible parties may process (which includes collecting) personal information where inter alia:
- the information protection conditions are met;
- the processing is performed in a reasonable manner that does not infringe on the data subject's privacy and is for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party;
- the data subject has been made aware of, inter alia, the nature of the information being collected, the identity of the responsible party, and the purpose of the collection of the information;
- in relation to processing, such processing is adequate, relevant, and not excessive;
- the data subject has consented thereto, or the processing is necessary for the conclusion of a contract, complies with an obligation imposed by law, protects a legitimate interest of the data subject, or is necessary for pursuing the legitimate interests of the responsible party or a third party to whom the information is supplied;
- the personal information is collected directly from the data subject (unless the information has been made public by the data subject, the data subject has consented to collection from another source, the collection would not prejudice the data subject's interests, the collection is necessary per the grounds contemplated in POPIA, and the lawful purpose of the collection would be prejudiced or compliance is not reasonably practicable);
- the data subject will continue to have access to the personal information (subject to certain exemptions); and
- the responsible party has taken appropriate technical and organizational measures to safeguard the security of the information.
POPIA contemplates that a responsible party retains ultimate accountability for an operator and must ensure that an operator or anyone processing personal information on behalf of a responsible party must:
- only do so with the knowledge or authorization of the responsible party;
- meet the minimum security measures to safeguard the personal information under their control; and
- treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
Ultimately, a responsible party must ensure a written agreement is concluded with each operator it utilizes to process personal information on its behalf.
Registration of processing activities is not required or prescribed by POPIA. Section 18 of POPIA prescribes the following notification requirements when collecting personal information from a data subject:
- the information being collected and where the information is not collected from the data subject, the source from which it is collected;
- the name and address of the responsible party;
- the purpose for which the information is being collected;
- whether or not the supply of the information by that data subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorizing or requiring the collection of the information;
- the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organization and the level of protection afforded to the information by that third country or international organization;
- any further information, such as the:
  - recipient or category of recipients of the information;
  - nature or category of the information;
  - existence of the right of access to and the right to rectify the information collected;
  - existence of the right to object to the processing of personal information as referred to in Section 11(3); and
  - right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,
  which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
As mentioned above, if any of the processing activities outlined in Section 57 of POPIA are undertaken by a responsible party, then an application for prior authorization must be made to the Information Regulator.
In this regard, the responsible party must obtain prior authorization from the Information Regulator, in terms of Section 58 of POPIA, if it plans to (Section 57(1) of POPIA):
- process any unique identifiers of the data subject for a purpose other than the one for which the identifier was specifically intended at collection, with the aim of linking the information together with information processed by other responsible parties;
- process information on criminal behavior or unlawful/objectionable conduct on behalf of third parties;
- process information for the purpose of credit reporting; or
- transfer special personal information, or information regarding children, to a third party in a foreign country that does not provide an adequate level of protection and/or comply with the provisions of Section 72 of POPIA.
Moreover, the responsible party must not carry out processing that has been notified to the Information Regulator in terms of Section 58(1) of POPIA until the Information Regulator has completed its investigation or until it has received notice that a more detailed investigation will not be conducted (Section 58(2) of POPIA).
Special personal information
As described above in the section on guidelines, upon application by a responsible party and notice in the Official Gazette, the Information Regulator can also authorize the processing of special personal information and impose certain conditions, if it is in the public interest and appropriate safeguards are in place (Section 27(2) of POPIA). The Information Regulator can also impose conditions for the processing within its authorization (Section 27(3) of POPIA).
Personal information of children
As a general rule, the processing of personal information concerning children is prohibited, subject to certain exceptions (Section 35(1) of POPIA) being complied with. Further, the Information Regulator can grant authorization to process personal information concerning children, following an application made by the responsible party and notice in the Official Gazette, if it is in the public interest and appropriate safeguards are in place (Section 35(2) of POPIA). The Information Regulator can also impose conditions for the processing within its authorization (Section 35(3) of POPIA).
Responsible parties are exempt from notification requirements to the Information Regulator where a code of conduct has been issued by the Information Regulator, and it has come into force in a specific sector (Section 57(3) of POPIA).
If the responsible party fails to notify the Information Regulator of data processing which is subject to prior authorization, it is guilty of an offense and liable to a fine, imprisonment for up to 12 months, or both (Sections 59 and 107 of POPIA).
The Information Regulator has published the Guidance Note on Application for Prior Authorisation ('the Prior Authorisation Guidance Note'), which includes the application form that should be completed by responsible parties. The Prior Authorisation Guidance Note outlines that a prior authorization application and/or notification for processing or intention to process personal information, as referred to in Sections 57(1) and 58(1) of POPIA, must be submitted to the Information Regulator through the following channels:
- email: [email protected]; or
- postal: P.O. Box 31533, Braamfontein, Johannesburg, 2017.
Furthermore, the Information Regulator has issued the Guidance Note on Processing of Special Personal Information, which provides that applications for authorization to process special personal information must be submitted to the Information Regulator through the following channels:
- email: [email protected];
- postal: P.O. Box 31533, Braamfontein, Johannesburg, 2017; or
- hand delivery: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.
The Information Regulator's Guidance Note on Processing of Personal Information of Children outlines that applications for authorization to process the personal information of children must be submitted to the Information Regulator through the following channels:
- email: [email protected];
- postal: P.O. Box 31533, Braamfontein, Johannesburg, 2017; or
- hand delivery: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.
POPIA provides that a responsible party may not transfer personal information about a data subject to a third party in a foreign jurisdiction unless:
- the recipient is subject to a law or contract which:
  - upholds principles of reasonable processing of the information that are substantially similar to the principles contained in POPIA; and
  - includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party or for the implementation of pre-contractual measures taken in response to the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
- the transfer is for the benefit of the data subject and:
  - it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
  - if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
Section 17 of POPIA provides that a responsible party must maintain the documentation of all processing operations under its responsibility as referred to in Sections 14 or 51 of PAIA.
POPIA Regulation 4(1)(b) requires that a responsible party undertake a Personal Information Impact Assessment ('PIIA') to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information. A PIIA must:
- describe the nature, scope, context, and purposes of the processing;
- assess necessity, proportionality, and compliance measures;
- identify and assess risks to data subjects; and
- identify any additional measures to mitigate those risks and ensure compliance with the eight conditions for lawful processing.
Notably, when determining an appropriate fine, the Information Regulator is required to consider, among other things, any failure to carry out a risk assessment or a failure to operate good policies, procedures, and practices to protect personal information (Section 109 of POPIA).
An IO must ensure that a PIIA is conducted to ascertain that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information (Regulation 4(1)(b) of the Regulations).
The IO of a public body is the IO or Deputy IO as contemplated in Section 1 of PAIA, while in a private body, the role is automatically assigned to the 'head' of the private body. In terms of PAIA, the 'head' means:
- in the case of a natural person, that natural person or any person duly authorized by that natural person;
- in the case of a partnership, any partner of the partnership or any person duly authorized by the partnership; and
- in the case of a juristic person, the chief executive officer or equivalent officer of the juristic person, or any person duly authorized by that officer or the person who is acting as such or any person duly authorized by such acting person.
Accordingly, with respect to private bodies, the CEO or equivalent officer is by default the IO. The CEO or managing director of a juristic person may authorize any natural person within the body to act as the IO. Such an authorization must be in writing and substantially similar to Annexure 'C' annexed to the Guidance Note. It is important to note that, despite the authorization of another person, the 'default' IO retains the accountability and responsibility for any power or function authorized to that person in terms of PAIA and POPIA. Any person who has been authorized to fulfill the role of an IO should be at an executive level or equivalent position and be an employee of the body itself.
Many organizations have asked if the role of an IO could be outsourced to a non-employee. The Guidance Note now unequivocally states in paragraph 5.9 that only an employee of a private body at a management level and above should be considered for authorization as an IO of that body. To this end, each subsidiary of a group of companies should appoint and register its own IO, while a further obligation is placed on a multinational entity based outside of South Africa, which must now authorize a person within South Africa as an IO.
The application form for registration of an IO is available on the Information Regulator's website, as is the registration portal. The Information Regulator has noted that it has experienced various technical issues with the registration portal.
The registration form requires the following information:
- name of the IO and designation;
- name of the deputy IO(s), if appointed; and
- official post and street address, phone, fax number, and email address of the IO and any deputy.
Duties of the IO
Regulation 4 of the Regulations relating to POPIA states that an IO must ensure that:
- a compliance framework is developed, implemented, monitored, and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with processing conditions stipulated under POPIA;
- a PAIA manual is developed, and copies of such manual are made available to a person upon request and payment of a prescribed fee;
- data subject access measures are developed together with adequate systems to process requests for information or access; and
- internal staff awareness training is conducted on the provisions of POPIA, the POPIA Regulations, Codes of Conduct, if applicable, and information obtained from the Information Regulator.
IOs of a public body are required to submit a report annually to the Information Regulator setting out information such as, for example, the number of requests for access received, the number of requests for access granted or refused, and the number of internal appeals lodged as a result of a request for access being refused. In addition to the responsibilities referred to above, Section 55(1) of POPIA sets out the specific duties and responsibilities of IOs as follows:
- the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information as espoused in Chapter 3 of POPIA;
- dealing with requests made to the body pursuant to POPIA and PAIA;
- working with the Information Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to the body;
- otherwise ensuring compliance by the body with the provisions of POPIA; and
- as may be prescribed.
Further, the Information Regulator may request, by notice, that IOs of private bodies submit reports detailing the requests for access to records received by that private body. With the above in mind, it is important that any organization policies that relate to POPIA/PAIA are continuously updated and amended to cater to the information related to the IOs and the Deputies appointed by them.
At any time when an employee suspects or becomes aware of any actual or potential data breach, they must report such to the IO of that organization. The IO will then report the same to the affected data subjects and the Information Regulator.
Designation and Delegation of Deputy IO
Section 17 of PAIA provides for the designation of Deputy IOs in a public body, while Section 56 of POPIA extends the designation of Deputy IOs to private bodies. The Information Regulator has stressed the utilization of Deputy IOs in organizations with large and complex structures to better ensure that the extensive obligations placed on an IO are managed and complied with. The Guidance Note provides that the IO must designate one or more Deputy IOs as may be necessary to allow the organization to be as accessible as reasonably possible. Such a designation must be in writing, in the form set out in Annexure 'B' annexed to the Guidance Note.
Among other things, Paragraph 7 of the Guidance Note provides that the designation of a Deputy IO should be cognizant of the fact that a Deputy IO should report to the highest management office within the organization. This means that only an employee at a level of management and above should ideally be considered for designation as a Deputy IO (Paragraph 7.9). The Deputy IO should further (Paragraphs 7.11 and 7.12 of the Guidance Note):
- be accessible, especially to data subjects;
- have a reasonable understanding of the organization's business operations and processes, with employees who have institutional knowledge being preferred as Deputy IOs; and
- have a good understanding of POPIA and PAIA in order to perform their duties.
Paragraph 8 of the Guidance Note further allows the IO to delegate to a Deputy IO any of the powers or duties conferred or imposed on the IO. Such a delegation must be in writing and substantially similar to Annexure 'B' annexed to the Guidance Note. However, it is important to note that, despite the designation of or delegation to a Deputy IO, the IO retains the accountability and responsibility for the duties and responsibilities in terms of PAIA and POPIA, and the IO is entitled to withdraw or amend the delegation at any time.
Notably, the designated Deputy IO(s) of a multinational entity must be based within South Africa (Paragraph 7.13 of the Guidance Note).
There is a general data breach notification obligation under POPIA.
Under POPIA, where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorized person, the responsible party, or any third party processing personal information under the authority of the responsible party, must notify the Information Regulator and the data subject thereof unless the identity of the data subject cannot be established. Notification to the data subject must be:
- made as soon as reasonably possible after the discovery of the breach;
- sufficiently detailed; and
- in writing and communicated to the data subject by mail (to the data subject's last known physical or postal address), email to the data subject's last known email address, placement in a prominent position on the website of the responsible party, publication in the news media, or as may be directed by the Information Regulator.
The notification must include sufficient detail to allow the data subject to take protective measures and must be made on the security compromise form. A responsible party may be directed by the Information Regulator to publicize the breach where the Information Regulator has reasonable grounds to believe that such publicity would protect the data subject. POPIA further prescribes that an operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person.
The Information Regulator has noted and published the data breach notifications that have been reported to it on its website.
As part of the 'purpose specification' condition applicable to the processing of personal information, Section 14 of POPIA provides that records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
- retention of the record is required or authorized by law;
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
- retention of the record is required by a contract between the parties thereto; or
- the data subject or a competent person where the data subject is a child has consented to the retention of the record.
Records of personal information may be retained for periods in excess of those contemplated above for historical, statistical, or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
The personal information of a child is afforded special protection under POPIA. Section 34 of POPIA places a general prohibition on the processing of personal information concerning a child. Section 35 provides that the general prohibition does not apply where the processing is:
- carried out with the prior consent of a competent person (i.e. the parent or guardian);
- necessary for the establishment, exercise, or defense of a right or obligation in law;
- necessary to comply with an obligation of international public law;
- for historical, statistical, or research purposes to the extent that:
  - the purpose serves a public interest and the processing is necessary for the purpose concerned; or
  - it appears to be impossible or would involve a disproportionate effort to ask for consent; and
  - sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
- of personal information that has deliberately been made public by the child with the consent of a competent person.
Part B of Chapter 3 of POPIA prohibits the processing of the category of personal information called 'Special Personal Information', which comprises:
- religious or philosophical beliefs;
- race or ethnic origin;
- trade union membership;
- political persuasion;
- health or sex life;
- biometric information of a data subject; or
- information concerning the criminal behavior of a data subject, to the extent that such information relates to:
  - the alleged commission by a data subject of any offense; or
  - any proceedings in respect of any offense allegedly committed by a data subject or the disposal of such proceedings.
This general prohibition does not apply where:
- processing is necessary for the establishment, exercise, or defense of a right or obligation in law;
- processing is carried out with the consent of the data subject;
- processing is necessary to comply with an obligation of international public law;
- processing is for historical, statistical, or research purposes if it:
  - serves a public interest and processing is necessary for the purpose; or
  - obtaining consent is impossible or would involve a disproportionate effort; and
  - there is a sufficient guarantee that processing would not adversely affect the privacy of the data subject to a disproportionate extent; or
- the information has deliberately been made public by the data subject.
A responsible party must, in terms of a written contract with the operator, ensure that an operator which processes personal information on its behalf:
- does so only with the knowledge or authorization of the responsible party;
- treats the personal information that comes to its knowledge as confidential; and
- establishes and maintains the security measures prescribed under POPIA.
8. Data Subject Rights
POPIA contemplates the collection of personal information directly from the data subject, except in some instances, for example, where the information is already contained in, or derived from, a public record, or has deliberately been made public by the data subject, or where the collection of the information from another source would not prejudice a legitimate interest of the data subject.
See Condition 6 on Openness, specifically Section 18 of POPIA, regarding notification to the data subject when collecting personal information.
A data subject, having provided adequate proof of identity, has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information about that particular data subject. The data subject may then request a description of the personal information, including information about third parties who have had access to the information, within a reasonable time and at a prescribed fee (if any). In addition, the information must be provided to the data subject in a reasonable manner and in a form that is generally understandable.
Such a request by a data subject may be refused by the responsible party on the grounds for refusal of access to records as set out in PAIA. In this regard, it is important to note that PAIA differentiates between records held by public bodies and private bodies and the instances in which access to records may be refused by these respective bodies. Public bodies and private bodies may refuse access to records where, inter alia:
- the disclosure would involve the unreasonable disclosure of personal information about a third party;
- the record contains trade secrets of a third party;
- the record contains confidential information of a third party; or
- the record contains legally privileged documents.
The data subject may also request the responsible party to correct, delete, or destroy personal information about the data subject in its possession or under its control.
See the section on the right to access above.
POPIA gives a data subject the right to request that a responsible party correct or delete personal information that is inaccurate, irrelevant, or excessive, or that the responsible party is no longer authorized to retain.
As it relates to direct marketing, POPIA specifically governs direct marketing activities via electronic communication. Where the consumer is not the customer of the direct marketer, POPIA follows an opt-in approach, in terms of which the direct marketer has to obtain the consent of the consumer before sending a direct marketing communication to such person. In this situation, the direct marketer may only approach the consumer on one occasion in order to obtain the necessary consent (so as to prevent the consumer from being harassed for consent) (Section 69(2) of POPIA).
Where the consumer is a customer of the direct marketer, POPIA follows an opt-out approach, in terms of which the direct marketer must give the relevant customer the opportunity to object to the processing of their personal information (Section 69(3) of POPIA). In this situation, the direct marketer may only send a direct marketing communication to the customer if:
- the direct marketer obtained the customer's contact details in the context of the sale of a product or service;
- such contact details are used for the purpose of direct marketing in relation to the direct marketer's own products or services that are of a similar nature; and
- the customer is provided with a reasonable opportunity to object to the processing of their personal information. In this regard, the opportunity to object should be provided to the customer at the time when the personal information is collected and, if the customer has not objected to this at the time of collection, the direct marketer must provide such an opportunity on every occasion when a direct marketing communication is sent to the customer.
Under the CPA, consumers have the right to pre-emptively block any direct marketing. Any consumer who has been sent any marketing communication may demand that the persons responsible for initiating the communication desist from sending any further communication to them.
In regard to consent, a data subject may withdraw their consent at any time.
While one can make an argument for a right to data portability, such a right is not specifically dealt with in POPIA or in any other law.
POPIA also prohibits automated processing of personal information where the data subject will be subjected to a decision that has legal consequences for the data subject or which affects the data subject to a substantial degree. There are certain exceptions to this prohibition.
The Information Regulator is responsible for the investigation and enforcement of POPIA. Please see the section on 'main powers, duties and responsibilities' above.
The following conduct constitutes an offense under POPIA:
- hindering, obstructing, or unlawfully influencing the Information Regulator;
- failing to comply with an information or enforcement notice;
- giving false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation;
- contravening the conditions insofar as they relate to the processing of an account number (i.e. unique identifier) of a data subject; and
- knowingly or recklessly, without the consent of the responsible party, obtaining, disclosing, or procuring the disclosure of an account number of a data subject, or selling or offering to sell it to another person.
A person convicted of one of these offenses is liable to a fine or imprisonment (or both) for a period not exceeding 10 years; the other offenses created by POPIA carry a fine or imprisonment (or both) for a period not exceeding 12 months. Currently, the maximum fine that may be imposed is ZAR 10 million (approx. $527,340), although this may change once further regulations are promulgated. Responsible parties have a right to appeal against a decision of the Information Regulator, and a data subject has the right to institute a civil action for damages in a court against a responsible party for breach of any provision of POPIA.
As of June 2023, the only Enforcement Notice that has been publicized as being issued by the Information Regulator is the Enforcement Notice issued to the Department of Justice and Constitutional Development ('the Department') on May 9, 2023. In terms of an assessment conducted by the Information Regulator following a security compromise incident in September 2021, the Department had contravened Sections 19 and 22 of POPIA by failing to take reasonable measures to identify reasonably foreseeable internal and external risks to the personal information in its possession or under its control, and to establish and maintain appropriate safeguards against the identified risks.
In terms of the Enforcement Notice, the Department must take certain steps to remedy its non-compliance with Sections 19 and 22 of POPIA, including the institution of disciplinary proceedings against the officials who failed to renew the licenses necessary to safeguard the Department against security compromises. The Department failed to adhere to the steps stipulated in the Enforcement Notice within the timeframe indicated in the Enforcement Notice and, accordingly, the Information Regulator has imposed an administrative fine of ZAR 5 million (approx. $263,740) on the Department.