South Africa - Data Protection Overview
The Republic of South Africa has taken significant steps to implement laws and regulations relating to the protection of data and personal information. The COVID-19 pandemic has emphasised the need for laws that regulate the proliferation of data and personal information resulting from the use of digital services. The Republic of South Africa is seeing its first dedicated data protection law come fully into effect: 1 July 2021 marks the date on which the country joins the rest of the world in protecting the right to privacy in the digital age of the Fourth Industrial Revolution.
1. GOVERNING TEXTS
The Constitution of the Republic of South Africa guarantees the right to privacy. Additionally, certain provisions within the Electronic Communications and Transactions Act, 2002 ('ECTA') regulate the electronic collection of personal information, although compliance with these provisions is voluntary. These provisions of the ECTA pertaining to the protection of personal information will, however, be repealed on 30 June 2021 (see below).
The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on 26 November 2013, following the President's signature. POPIA is wide in application and impact, applying, subject to certain exclusions detailed therein, to all persons processing personal information. POPIA will only be fully enforceable from 1 July 2021; however, the majority of its provisions have already commenced in anticipation of that date. Certain sections of POPIA came into effect on 11 April 2014, on proclamation by the President of the Republic of South Africa. The provisions of POPIA which entered into effect on 11 April 2014 are the definitions section, the provisions dealing with the establishment of the office of the Information Regulator and its powers, duties and functions, and the sections pertaining to the procedure for making regulations. On 26 October 2016, the office bearers of the Information Regulator were officially appointed for a period of five years with effect from 1 December 2016, and the Information Regulator held its inaugural meeting on 1 December 2016. Advocate Pansy Tlakula has been appointed as the Chairperson of the Information Regulator.
On 1 July 2020, by virtue of Proclamation No. R21 of 2020 on the Commencement of Certain Sections of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ('the POPIA Commencement Proclamation of 22 June 2020'), the majority of the operative provisions of POPIA came into effect. Accordingly, as of 1 July 2020, the following provisions of POPIA are now in force:
- Chapter 1 (Sections 1 and 2): the definitions and purpose sections of POPIA respectively, came into effect on 11 April 2014;
- Chapter 2: generally described as the application provisions but more specifically including:
- the specific application and interpretation provisions (Section 3);
- descriptions of the conditions for the lawful processing of personal information, and the application thereof (Section 4);
- descriptions of the rights of data subjects (Section 5); and
- exclusions from the scope of POPIA, describing those circumstances under which the POPIA does not apply to the processing of personal information (Sections 6 and 7);
- Chapter 3 (Sections 8 - 35): conditions for the lawful processing of personal information, which conditions must be complied with by responsible parties when processing personal information;
- Chapter 4 (Sections 36 - 38): exemptions from the conditions for the lawful processing of personal information which, if applicable, will exempt a responsible party for processing that is in breach of the conditions for the lawful processing of personal information;
- Chapter 5 – Part A (Sections 39 - 54): pertaining to the establishment of the Information Regulator (Sections 39 – 54 came into effect on 11 April 2014);
- Chapter 5 – Part B (Sections 55 - 56): pertaining to the requirements for information officers;
- Chapter 6 (Sections 57 - 59): pertaining to the requirements for responsible parties to obtain prior authorisation from the Information Regulator for specific types of planned processing activities;
- Chapter 7 (Sections 60 – 68): pertaining to the issuing of codes of conduct by the Information Regulator;
- Chapter 8 (Sections 69 - 71): pertaining to the requirements in respect of direct marketing, directories, and automated decision making;
- Chapter 9 (Section 72): pertaining to transborder information flows;
- Chapter 10 (Sections 73 - 99): pertaining to the enforcement of POPIA;
- Chapter 11 (Sections 100 - 109): pertaining to offences, penalties and administrative fines;
- Section 111: pertaining to prescribed fees to be paid by data subjects to responsible parties under certain circumstances;
- Sections 112 and 113: pertaining to the procedure for making regulations (Sections 112 and 113 came into effect on 11 April 2014);
- Sections 114(1), (2) and (3): pertaining to transitional arrangements and, importantly, the commencement of the one-year transition period following the commencement of POPIA to allow persons to become compliant; and
- Section 115: being the short title and commencement section of POPIA – a Section which is of an administrative nature and functions as the basis on which different dates of commencement in respect of different provisions of POPIA were determined by proclamation in the Government Gazette.
Furthermore, in terms of the POPIA Commencement Proclamation of 22 June 2020, the following sections of POPIA will only be in effect as of 30 June 2021:
- Section 110 – which results in the amendment of the pieces of legislation listed in the Schedule to POPIA. The effect of suspending the commencement of Section 110 is that, until Section 110 commences on 30 June 2021, the legislation listed in the Schedule to POPIA will not be amended and remains in its current form. Therefore, the obligations of responsible parties change only under POPIA (as a result of its commencement) and not under any other applicable legislation set out in the Schedule to POPIA. Notably, as alluded to above, the commencement of Section 110 will result in the repeal of the provisions of the ECTA pertaining to the protection of personal information.
- Section 114(4) – imposes an obligation on the South African Human Rights Commission to finalise or conclude its functions under Sections 83 and 84 of the Promotion of Access to Information Act No. 2 of 2000 ('PAIA'). We note that this will not have an effect on a responsible party's general obligations under POPIA.
As mentioned above, Section 114(1) of POPIA provides for a one-year transition period following the commencement of POPIA to allow persons to become compliant. Since Section 114(1) came into effect on 1 July 2020, responsible parties will need to comply with all of the provisions of POPIA from 1 July 2021. In terms of Section 114(2) of POPIA, however, the Minister, in consultation with the Information Regulator, may extend this period by up to three additional years in respect of a responsible party that requests such an extension.
Data privacy must also be considered from the perspective of consumer protection law. The Consumer Protection Act, 2008 ('CPA'), which came into effect in 2011, applies to the direct marketing of goods and services to consumers. The provisions of the CPA on direct marketing and unsolicited communications may overlap with the provisions of POPIA in certain circumstances. Whether they do will, however, depend on whether the CPA is applicable to a particular case in which the relevant provisions of POPIA also apply.
On 26 May 2021, President Ramaphosa signed the Cybercrimes Bill into law as the Cybercrimes Act No. 19 of 2020 ('Cybercrimes Act'). The Cybercrimes Act aims to create new offences that, for example, criminalise the theft of and interference with data, while also modernising existing criminal offences to cater for the particular manner in which many cybercrimes are committed. The objectives of the Cybercrimes Act are therefore to:
- create offences and impose sanctions that relate to cybercrime;
- criminalise the dissemination of harmful data messages; and
- further regulate law enforcement's jurisdiction over cybercrime by granting extensive powers to investigate, search, access and seize articles used in committing an offence, such as computers, databases or networks, etc.
Specific offences created under the Cybercrimes Act include unlawful access – the unlawful and intentional access to a computer system or a computer data storage medium (commonly referred to as 'hacking') – and the unlawful interception, interference with or acquisition of data, a computer program, a computer data storage medium or a computer system. The 'modernised' criminal offences include:
- cyber fraud – fraud committed by means of data or a computer program, or through any interference with data or a computer program;
- cyber forgery – the creation of false data or a false computer program with the intention to defraud;
- cyber uttering – the passing-off of false data or a false computer program with the intention to defraud;
- cyber extortion – inter alia, the unlawful and intentional interception of data for the purpose of obtaining any advantage from another person or compelling another person to perform or to abstain from performing any act; and
- the theft of incorporeal property.
Of particular note is the criminalisation of malicious or harmful communications. These are communications, or rather 'data messages', which:
- incite or threaten damage to property or violence;
- threaten persons with damage to property or violence; and
- disclose an intimate image.
PAIA regulates the access to information and it enables people to gain access to information held by both public and private bodies. In terms of PAIA, an Information Officer ('IO') must be appointed within an organisation to manage the requirements to access information held by that organisation. IOs are appointed automatically by virtue of their position within a private or public entity. However, the advent of POPIA has now expanded the role of an IO, meaning the role of an IO within an organisation is now not only governed by the provisions of PAIA, but also by POPIA.
In accordance with its powers under POPIA, the Information Regulator published, in December 2018, the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations Relating to the Protection of Personal Information ('the Regulations'). The Regulations are mainly administrative in nature and prescribe a number of forms to be used in order to take certain types of action under POPIA, including:
- the manner in which an objection to the processing of personal information can be made (Section 2 of the Regulations);
- requests for the correction or deletion of personal information or the destruction or deletion of a record of personal information (Section 3 of the Regulations);
- duties and responsibilities of information officers (to be appointed by each responsible party), which includes obligations relating to impact assessments to be undertaken (Section 4 of the Regulations);
- applications for the Information Regulator to issue industry codes of conduct (Section 5 of the Regulations);
- the manner in which consent is requested for processing of personal information for direct marketing by means of unsolicited electronic communications (Section 6 of the Regulations);
- submission of complaints or grievances (Section 7 of the Regulations);
- the Information Regulator acting as a conciliator during an investigation (Section 8 of the Regulations);
- the notification requirements of the Information Regulator to provide notification and information to all affected parties to a complaint/investigation (Section 12 of the Regulations); and
- the notification requirements of the Information Regulator to provide notification to affected parties of its intention to carry out assessments or relating to a request by a third party to do so (Section 11 of the Regulations).
The Regulations also provide for various prescribed forms which are required to be utilised when requests or complaints are submitted.
The Regulator gazetted a Guideline to Develop Codes of Conduct on 26 February 2021, indicating the dates for the commencement of the Regulations issued in terms of Section 112(2) of POPIA ('Regulations'). The Information Regulator provides that:
- Regulation 5 (Application for Issuing Code of Conduct) of the Regulations will be effective as from 1 March 2021; and
- Regulation 4 (Responsibilities of Information Officers) of the Regulations will be effective as from 1 May 2021.
On 1 April 2021, the Regulator published a Guidance Note on Information Officers and Deputy Information Officers ('Guidance Note'), which confirmed that the registration of Information Officers and Deputy Information Officers is expected to commence on 1 May 2021. In a separate media statement released alongside the Guidance Note on 1 April 2021, the Regulator confirmed that such registration will be able to take place via an online portal on the Regulator's website. The deadline for such registration is 30 June 2021.
The Regulator has also published a Guidance Note on Applications for Prior Authorisation, which elaborates on the process to be followed by businesses who are currently processing or intend to process personal information which is subject to prior authorisation.
A business has to apply for prior authorisation from the Regulator if they process or intend to process any personal information specifically falling within the specified categories, as per Sections 57 and 58 of POPIA. These categories are:
- processing of unique identifiers (examples of unique identifiers are included in the Guidance Note, which, amongst others, include: bank account numbers or any account number; policy number; identity number; employee number; student number; telephone or cell phone number; or reference number) where these are used for a purpose other than the one for which the unique identifier was specifically intended (at collection) and is linked with information processed by another or other responsible parties;
- processing information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties (e.g. any person contracted to conduct a criminal record enquiry or reference check pertaining to past conduct or disciplinary action);
- information processed for the purposes of credit reporting (e.g. including the processing activities of credit bureaus); and
- any transfer of special personal information or the personal information of children from South Africa to a third party in a foreign country, where that country does not provide an adequate level of protection for the processing of personal information (i.e. an adequate level of protection requires the recipient of the information to be subject to a law, binding corporate rules or binding agreement which provides a level of protection that effectively upholds principles for reasonable processing of personal information that is substantially similar to the conditions for the lawful processing as mentioned under POPIA).
A responsible party that continues processing activities which are subject to prior authorisation without the Regulator's express approval commits an offence and may be liable to a penalty as set out in Section 107 of POPIA. This would include a fine (of up to R10 million) or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment.
1.3. Case law
Given that POPIA is not yet fully operational and that the majority of its operative provisions only came into effect on 1 July 2020, there is not yet any reported case law in which a litigant has based a claim on POPIA. Nonetheless, the operative provisions of POPIA now impose onerous obligations on responsible parties, and it is therefore anticipated that case law will develop rapidly now that those provisions are in force.
The Regulator's statement highlighted a number of concerns with regard to the revised WhatsApp policy and its application to South Africa, stating the following:
"… it is the Information Regulator's view that the processing of cell phone numbers as accessed on the user's contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the IR."
The matter is still ongoing and updates are expected soon.
2. SCOPE OF APPLICATION
POPIA applies to the processing of personal information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
POPIA applies not only to responsible parties domiciled in South Africa but also to responsible parties domiciled outside South Africa that make use of means located in South Africa to process personal information (unless those means are used only to forward personal information through South Africa).
POPIA applies to the processing (widely defined under POPIA to include collection, recording, organising, collating, distributing, modifying, storing, using and destruction) of personal information by a responsible party (being a public or private body or any other person which alone or together with others determines the purpose and means for processing).
All processing of personal information is covered by POPIA. However, POPIA does not apply to personal information processing:
- which is purely personal or household activity;
- by or on behalf of a public body where it involves national security or where its purpose is to prevent or detect unlawful activities (provided that alternative legislation relevant to such activities provides for safeguards to protect personal information);
- by the Cabinet and its committees or the Executive Council of a province;
- related to a court's judicial functions; and
- which is solely for the purpose of journalistic, literary or artistic expression.
3.1. Main regulator for data protection
POPIA introduces and provides for the establishment of an independent supervisory authority, namely the Information Regulator, specifically established for the purpose of data protection.
3.2. Main powers, duties and responsibilities
The Information Regulator is responsible for the oversight and enforcement of POPIA, and has wide-ranging powers and responsibilities, including in relation to:
- facilitating education, training and awareness on data protection;
- monitoring and enforcing compliance with POPIA;
- consulting with any interested parties on data protection;
- handling complaints from data subjects and/or other parties in relation to data protection;
- research regarding privacy and data protection;
- issuing codes of conduct; and
- facilitating cross border cooperation in the enforcement of privacy laws.
Any person may, either orally or in writing (although oral submissions are to be converted to writing as soon as reasonably practicable), submit a complaint to the Information Regulator in the event of alleged interference. POPIA provides that, after receipt of a complaint, the Information Regulator is obliged to investigate the complaint, act as a conciliator where appropriate and take further action as contemplated by POPIA. In exercising its investigative powers, the Information Regulator may, inter alia:
- summon and enforce the appearance of persons;
- compel the provision of written or oral evidence under oath;
- receive evidence irrespective of whether such evidence is admissible in a court of law; and
- enter and search any premises occupied by a responsible party. Where necessary, the Information Regulator may apply to a judge of the High Court or a magistrate to issue a warrant to enable the Information Regulator to enter and search premises.
4. KEY DEFINITIONS
Personal data: 'Personal information' is defined broadly in POPIA to include information relating to both an identifiable, living, natural person, and where applicable, an identifiable juristic person or legal entity, and includes:
- information about a person's race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language, and birth;
- information relating to the education, medical, financial, criminal, or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views, or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Sensitive data: POPIA provides for a separate category of information called 'special personal information', which includes all information relating to a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour. POPIA also specifically regulates the personal information of children.
Data controller: A 'responsible party' is a public or private body that determines the purpose and means for processing personal information of a data subject.
Data processor: An 'operator' is a party that processes personal information on behalf of a responsible party, without coming under the direct authority of the responsible party.
Data subject: Any party to whom personal information relates.
Biometric data: 'Biometrics' means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
Health data: Not applicable.
Pseudonymisation: POPIA does not provide a definition for pseudonymisation. However, 'de-identify', in relation to personal information of a data subject, means to delete any information that:
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
- can be linked by a reasonably foreseeable method to other information that identifies the data subject.
'De-identified' has a corresponding meaning.
5. LEGAL BASES
In terms of Section 11 of POPIA, personal information may only be processed if:
- the data subject or a competent person where the data subject is a child consents to the processing;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- processing complies with an obligation imposed by law on the responsible party;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
See section 5 above.
The processing of a data subject's personal information for the purposes of direct marketing by means of unsolicited electronic communications is prohibited unless the data subject has given his/her consent or the recipient is a customer of the responsible party. In the latter case, the responsible party must have obtained the data subject's contact details in the context of a sale of a product or service, and the marketing must relate to the responsible party's own similar products or services. The data subject must be given a reasonable opportunity to object to the use of his/her personal information for marketing each time the responsible party communicates with the data subject for marketing purposes.
POPIA prescribes eight conditions for the lawful processing of personal information by or for a responsible party, which are as follows:
1. Accountability
The responsible party must ensure compliance with all the conditions under POPIA and is responsible for implementing such conditions. This includes having to ensure that any third parties or service providers (defined as 'operators' under POPIA) also comply with the provisions of POPIA.
2. Processing Limitation
Processing of personal information must be undertaken lawfully and done in a reasonable manner.
3. Purpose Specification
Personal information must be collected for a specific, explicitly defined and lawful purpose relating to the responsible party's business.
4. Further Processing
The further processing of personal information must be undertaken in accordance with, or be compatible with, the purpose for which the personal information was originally collected. It is important to note that further processing will be compatible with the original purpose if:
- the data subject consents;
- the information is in a public record or has been deliberately made public by the data subject;
- the further processing is necessary to avoid prejudice to the maintenance of the law by any public body, to comply with obligations imposed by the law or in the interests of national security; or
- the further processing is necessary to prevent or mitigate a threat to public health or safety or the life or health of the data subject or anyone else.
5. Information Quality
The responsible party will need to ensure that the personal information it processes about the data subjects is complete, accurate, not misleading and updated where necessary.
6. Openness
This condition seeks to ensure transparency between the responsible party and the data subject.
7. Security Safeguards
The responsible party must secure the integrity of personal information in its possession or under its control with appropriate and reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of the personal information; and any unlawful access to or processing of personal information.
8. Data Subject Participation
A data subject, having provided adequate proof of identity, has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information about that particular data subject. The data subject may then request a description of the personal information, including information about third parties who have had access to the information, within a reasonable time and at a prescribed fee (if any). In addition, the information must be provided to the data subject in a reasonable manner and in a form that is generally understandable. In this regard, it is important to note that PAIA differentiates between records held by public bodies and private bodies and the instances in which access to records may be refused by these respective bodies.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
The rights and responsibilities of a responsible party are not separately specified, and are incorporated in relation to the information protection conditions, in terms of which responsible parties may process (which includes collecting) personal information where, inter alia:
- the information protection conditions are met;
- the processing is performed in a reasonable manner that does not infringe the data subject's privacy and is for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party;
- the data subject has been made aware of, inter alia, the nature of the information being collected, the identity of the responsible party and the purpose of the collection of the information;
- in relation to processing, such processing is adequate, relevant, and not excessive;
- the data subject has consented thereto, or the processing is necessary for the conclusion of a contract, complies with an obligation imposed by law, protects a legitimate interest of the data subject, or is necessary for pursuing the legitimate interests of the responsible party or a third party to whom the information is supplied;
- the personal information is collected directly from the data subject (unless the information is contained in a public record or has deliberately been made public by the data subject, the data subject has consented to collection from another source, collection from another source would not prejudice a legitimate interest of the data subject, collection from another source is necessary on one of the grounds contemplated in POPIA, or compliance would prejudice the lawful purpose of the collection or is not reasonably practicable in the circumstances);
- the data subject will continue to have access to the personal information (subject to certain exemptions); and
- the responsible party has taken appropriate technical and organisational measures to safeguard the security of the information.
POPIA contemplates that a responsible party retains ultimate accountability for an operator and must ensure that an operator or anyone processing personal information on behalf of a responsible party must:
- only do so with the knowledge or authorisation of the responsible party; and
- treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
POPIA does not require or prescribe registration of processing activities. Section 18 of POPIA prescribes the following information that must be made known to a data subject when personal information is collected:
- the information being collected and where the information is not collected from the data subject, the source from which it is collected;
- the name and address of the responsible party;
- the purpose for which the information is being collected;
- whether or not the supply of the information by that data subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorising or requiring the collection of the information;
- the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
- any further information which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable, such as the:
- recipient or category of recipients of the information;
- nature or category of the information;
- existence of the right of access to and the right to rectify the information collected;
- existence of the right to object to the processing of personal information as referred to in Section 11(3); and
- right to lodge a complaint with the Information Regulator, together with the contact details of the Information Regulator.
As mentioned above, if any of the processing activities outlined in Section 57 of POPIA are undertaken by a responsible party, then an application for prior authorisation must be made to the Regulator.
POPIA provides that a responsible party may not transfer personal information about a data subject to a third party in a foreign jurisdiction unless:
- the recipient is subject to a law or contract which:
- upholds principles of reasonable processing of the information that are substantially similar to the principles contained in POPIA; and
- includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
- the transfer is for the benefit of the data subject and:
- it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
- if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
Section 17 of POPIA provides that a responsible party must maintain the documentation of all processing operations under its responsibility as referred to in Section 14 or 51 of PAIA.
Regulation 4(1)(b) of the POPIA Regulations requires the Information Officer to ensure that a Personal Information Impact Assessment ('PIIA') is done, so that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information. A PIIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to data subjects; and
- identify any additional measures to mitigate those risks and ensure compliance with the eight conditions for lawful processing.
The Information Officer of a public body is the Information Officer or Deputy Information Officer as contemplated in Section 1 of PAIA, while in a private body, the role is automatically assigned to the "head" of the private body. In terms of PAIA, the 'head' means:
- in the case of a natural person, that natural person or any person duly authorised by that natural person;
- in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership; and
- in the case of a juristic person, the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer or the person who is acting as such or any person duly authorised by such acting person.
Accordingly, in respect of private bodies, the CEO or equivalent officer is by default the Information Officer. The CEO or managing director of a juristic person may authorise any natural person within the body to act as the Information Officer. Such an authorisation must be in writing and substantially similar to Annexure 'C' to the Guidance Note. It is important to note that, despite authorising another person, the 'default' Information Officer retains accountability and responsibility for any power or function authorised to that person in terms of PAIA and POPIA. Any person authorised to fulfil the role of Information Officer should be at an executive level or equivalent position and be an employee of the body itself.
Many organisations have asked whether the role of Information Officer could be outsourced to a non-employee. The Guidance Note now unequivocally states in paragraph 5.9 that only an employee of a private body at a level of management and above should be considered for authorisation as an Information Officer of that body. To this end, each subsidiary in a group of companies should appoint and register its own Information Officer, and a multinational entity based outside South Africa must now authorise a person within South Africa as its Information Officer.
Duties of the Information Officer
The Information Regulator announced in February 2021 that Regulation 4 of the Regulations relating to POPIA, which sets out the responsibilities of Information Officers, would take effect on 1 May 2021. Regulation 4 states that an Information Officer must ensure that:
- a compliance framework is developed, implemented, monitored, and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with processing conditions stipulated under POPIA;
- a PAIA manual is developed, and copies of such manual are made available to a person upon request and payment of a prescribed fee;
- data subject access measures are developed together with adequate systems to process requests for information or access; and
- internal staff awareness training is conducted on the provisions of POPIA, the POPIA Regulations, Codes of Conduct, if applicable, and information obtained from the Information Regulator.
Information Officers of a public body are required to submit a report annually to the Information Regulator setting out information such as, for example, the number of requests for access received, the number of requests for access granted or refused, and the number of internal appeals lodged as a result of a request for access being refused. In addition to the responsibilities referred to above, Section 55(1) of POPIA sets out the specific duties and responsibilities of Information Officers as follows:
- the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information as espoused in Chapter 3 of POPIA;
- dealing with requests made to the body pursuant to POPIA and PAIA;
- working with the Information Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to the body;
- otherwise ensuring compliance by the body with the provisions of POPIA; and
- as may be prescribed.
With the above in mind, it is important that any organisational policies relating to POPIA and PAIA are continuously updated and amended to reflect the details of the Information Officer and the Deputy Information Officers appointed by him, her or them.
Whenever an employee suspects or becomes aware of any actual or potential data breach, he, she or they must report it to the Information Officer of that organisation. The Information Officer will then report the breach to the affected data subjects and the Information Regulator.
Designation and Delegation of Deputy Information Officers
Section 17 of PAIA provides for the designation of Deputy Information Officers in a public body, while Section 56 of POPIA extends the designation of Deputy Information Officers to private bodies. The Information Regulator has stressed the use of Deputy Information Officers in organisations with large and complex structures, so as to better ensure that the extensive obligations placed on an Information Officer are managed and complied with. The Guidance Note provides that the Information Officer must designate one or more Deputy Information Officers as may be necessary to allow the organisation to be as accessible as reasonably possible. Such a designation must be in writing, substantially in the form of Annexure 'B' to the Guidance Note.
Amongst other things, Paragraph 7 of the Guidance Note provides that, in designating a Deputy Information Officer, regard should be had to the fact that a Deputy Information Officer should report to the highest management office within the organisation. This means that only an employee at a level of management and above should ideally be considered for designation as a Deputy Information Officer (Paragraph 7.9). The Deputy Information Officer should further:
- be accessible (especially to data subjects);
- have a reasonable understanding of the organisation's operations and processes; and
- have a good understanding of POPIA and PAIA in order to perform his or her duties (Paragraph 7.11).
Paragraph 8 of the Guidance Note further allows the Information Officer to delegate any of the powers or duties conferred or imposed on him or her to a Deputy Information Officer. Such a delegation must be in writing and substantially similar to Annexure 'B' to the Guidance Note. However, despite the designation of or delegation to a Deputy Information Officer, the Information Officer retains accountability and responsibility for the duties and responsibilities in terms of PAIA and POPIA, and may withdraw or amend the delegation at any time.
There is a general data breach notification obligation under POPIA.
Under POPIA, where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, the responsible party, or any third party processing personal information under the authority of the responsible party, must notify the Information Regulator and the data subject thereof, unless the identity of the data subject cannot be established. Notification to the data subject must be:
- made as soon as reasonably possible after the discovery of the breach;
- sufficiently detailed; and
- in writing and communicated to the data subject by mail (to the data subject's last known physical or postal address), email to the data subject's last known email address, placement in a prominent position on the website of the responsible party, publication in the news media, or as may be directed by the Information Regulator.
The notification must include such detail as to allow the data subject to take protective measures.
A responsible party may be directed by the Information Regulator to publicise the breach where the Information Regulator has reasonable grounds to believe that such publicity would protect the data subject.
POPIA prescribes that an operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
No sectoral breach notifications are applicable at this stage under POPIA.
As part of the 'purpose specification' condition for the processing of personal information, Section 14 of POPIA provides that records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
- retention of the record is required or authorised by law;
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
- retention of the record is required by a contract between the parties thereto; or
- the data subject, or a competent person where the data subject is a child, has consented to the retention of the record.
Records of personal information may be retained for periods in excess of those contemplated above for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
The personal information of a child is afforded special protection under POPIA. Section 34 of POPIA places a general prohibition on the processing of personal information concerning a child. Section 35 provides that the general prohibition does not apply where the processing is:
- carried out with the prior consent of a competent person (i.e. the parent or guardian);
- necessary for the establishment, exercise or defence of a right or obligation in law;
- necessary to comply with an obligation of international public law;
- for historical, statistical or research purposes to the extent that:
- the purpose serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent; and
- sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
- of personal information which has deliberately been made public by the child with the consent of a competent person.
Part B of Chapter 3 of POPIA prohibits the processing of the category of personal information called 'special personal information', which comprises:
- religious or philosophical beliefs;
- race or ethnic origin;
- trade union membership;
- political persuasion;
- health or sex life;
- biometric information of a data subject; or
- information concerning the criminal behaviour of a data subject to the extent that such information relates to:
- the alleged commission by a data subject of any offence; or
- any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
The general prohibition on processing special personal information does not apply where:
- processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- processing is carried out with the consent of the data subject;
- processing is necessary to comply with an obligation of international public law;
- processing is for historical, statistical or research purposes to the extent that it:
- serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent; or
- the information has deliberately been made public by the data subject.
A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures as prescribed under POPIA.
8. DATA SUBJECT RIGHTS
POPIA contemplates the collection of personal information directly from the data subject, except in some instances, for example, where the information is already contained in, or derived from, a public record, or has deliberately been made public by the data subject, or where collection of the information from another source would not prejudice a legitimate interest of the data subject.
See Condition 6 on Openness, specifically Section 18 of POPIA, regarding notification to the data subject when collecting personal information.
A data subject, having provided adequate proof of identity, has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information about that particular data subject. The data subject may then request a description of the personal information, including information about third parties who have had access to the information, within a reasonable time and at a prescribed fee (if any). In addition, the information must be provided to the data subject in a reasonable manner and in a form that is generally understandable.
Such a request by a data subject may be refused by the responsible party on the grounds for refusal of access to records set out in PAIA. In this regard, it is important to note that PAIA differentiates between records held by public bodies and private bodies and the instances in which access to records may be refused by these respective bodies. Public bodies and private bodies may refuse access to records where, inter alia, (i) the disclosure would involve the unreasonable disclosure of personal information about a third party; (ii) the record contains trade secrets of a third party; (iii) the record contains confidential information of a third party; or (iv) the record contains legally privileged documents.
The data subject may also request the responsible party to correct, delete, or destroy personal information about the data subject in its possession or under its control.
See section 8.2 above.
POPIA gives a data subject the right to request that a responsible party correct or delete personal information that is inaccurate, irrelevant or excessive, or which the responsible party is no longer authorised to retain.
As it relates to direct marketing, POPIA specifically governs direct marketing activities conducted by means of electronic communication. Where the consumer is not a customer of the direct marketer, the Act follows an opt-in approach, in terms of which the direct marketer has to obtain the consent of the consumer before sending a direct marketing communication to that person. In this situation, the direct marketer may approach the consumer only once in order to obtain the necessary consent (so as to prevent the consumer being harassed for consent) (Section 69(2) of POPIA).
Where the consumer is a customer of the direct marketer, the Act follows an opt-out approach, in terms of which the direct marketer must give the relevant customer the opportunity to object to the processing of his personal information (Section 69(3) of POPIA). In this situation, the direct marketer may only send a direct marketing communication to the customer if:
- the direct marketer obtained the customer's contact details in the context of the sale of a product or service;
- such contact details were obtained for the purpose of direct marketing in relation to the direct marketer's own products or services that are of a similar nature; and
- the customer is provided with a reasonable opportunity to object to the processing of his personal information. In this regard, the opportunity to object should be provided to the customer at the time when the personal information is collected and, if the customer has not objected to this at the time of collection, the direct marketer must provide such opportunity on every occasion when a direct marketing communication is sent to the customer.
Under the CPA, consumers have the right to pre-emptively block any direct marketing. Any consumer who has been sent a marketing communication may demand that the persons responsible for initiating the communication desist from sending any further communication to them. The ECTA has similar provisions and specifically requires that each electronic message be accompanied by an option to cancel (i.e. opt out of) a subscription to a mailing list, and also requires the sender of the message to provide specific identifying information, including name and contact information. The provisions in the ECTA regulating unsolicited communications will, however, be repealed on 30 June 2021 upon the commencement of Section 110 of POPIA.
While one can make an argument for data portability, such a right is not specifically dealt with in POPIA or elsewhere in South African law.
POPIA also prohibits automated processing of personal information where the data subject will be subjected to a decision which has legal consequences for the data subject or which affects the data subject to a substantial degree. There are certain exceptions to this prohibition.
Under POPIA, personal information may only be processed if the data subject (or a competent person where the data subject is a child) expressly consents to the processing of the personal information, unless the exclusions with regard to consent apply. The consent of the data subject is not required where the processing of personal information:
- is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- complies with an obligation imposed by law on the responsible party;
- protects a legitimate interest of the data subject;
- is necessary for the proper performance of a public law duty by a public body; or
- is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
It is to be noted that a data subject may withdraw his/her consent at any time.
The Information Regulator is responsible for the investigation and enforcement of POPIA. Please see section 3.2 above.
POPIA creates a number of offences. Any person who hinders, obstructs or unlawfully influences the Information Regulator; fails to comply with an information or enforcement notice; gives false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation; contravenes the conditions insofar as they relate to the processing of an account number (i.e. a unique identifier) of a data subject; or knowingly or recklessly, without the consent of the responsible party, obtains, discloses or procures the disclosure of, sells or offers to sell an account number of a data subject to another person, is guilty of an offence. On conviction, these offences carry a fine or imprisonment for a period not exceeding ten years, or both; the other offences created by POPIA carry a fine or imprisonment for a period not exceeding 12 months, or both. Currently, the maximum administrative fine which may be imposed is ZAR 10 million (approx. €520,000), although this may change once further regulations are promulgated. Responsible parties have a right of appeal against a decision of the Information Regulator, and a data subject has the right to institute a civil action for damages in a court against a responsible party for breach of any provision of POPIA.