South Africa became a democracy in 1994. This change led to the development of the Bill of Rights, which expressly provides for the protection of the right to privacy of individuals.
In South Africa, the right to privacy is protected in terms of both our common law and section 14 of the Constitution. The common law protects the rights of personality under the broad umbrella of the actio injuriarum. In terms of the common law, the right to privacy is limited by the rights of others and the public interest. The recognition and protection of the right to privacy as a fundamental human right in the Constitution provide an indication of its importance. The constitutional right to privacy is, like its common law counterpart, not an absolute right but may be limited in terms of our law of general application and has to be balanced with other rights entrenched in the Constitution.
The South African Law Reform Commission was tasked with developing legislation that will give effect to the constitutional right to privacy, and this process resulted in the Protection of Personal Information Act, or POPI Act, which will become effective on a date still to be determined. Processing of personal information must meet the requirements of the Act within one year after the commencement of the Act.
The POPI Act follows the principles which are established in the European Union Data Privacy Directive and the OECD (Organisation for Economic Co-operation and Development) Guidelines. Many European countries have incorporated these principles in their legislation, and South Africa will now be able to offer similar and adequate legislation which deals with the protection of personal information.
The purpose of the POPI Act is the following:
“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, and may include the following:
(Biometric information includes a technique of personal identification that is based on physical, physiological or behavioral characterization including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.)
Both individuals and companies are included in the ambit of “personal information”.
It is not "personal information" if the information is already in the public domain or is not used, or intended to be used, in trade or commerce.
Processing is any operation or activity or any set of operations, whether or not by automatic means, concerning personal information.
Processing is, therefore, the automated or non-automated activity of collecting, recording, organizing, storing, updating, distributing and even the act of deleting personal information.
The “responsible party” is the company or entity that decides what to do with personal information and how to process the information.
Record means any information that is recorded in any format that is in the possession or under control of a responsible party, regardless of who made the record and when the record came into existence. Records may include:
The POPI Act applies to the processing of personal information where:
The POPI Act does not apply to the processing of personal information
Certain journalistic, literary and artistic purposes are also excluded from the ambit of the Act.
A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless certain conditions are met.
The POPI Act sets conditions that any person who processes personal information must comply with and aims to protect the personal information of people. The Act does not aim to stop the free flow of information but creates a balance.
The POPI Act includes eight information protection conditions. The conditions are subject to exclusions, and processing of information is prohibited in certain instances. The conditions are:
Responsible parties must comply with all the conditions.
Personal information of a data subject must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
In addition to being lawful, only information that is necessary for the purpose of the collection must be processed.
The information that is collected must be adequate and relevant for the purpose, and not excessive in relation to what is required for the purpose.
If a data subject has objected to the processing of personal information, the responsible party may no longer process the personal information. Consent may be withdrawn at any time.
Personal information must be collected directly from the data subject except in certain circumstances, for instance where the information is already available in a public record or where there is consent to collect the information from another source.
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party and the data subject must be made aware of the fact that personal information is being collected.
Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed.
There are exceptions for non-compliance with this condition.
Further processing of personal information must be compatible with the purpose for which it was collected in the first place.
The responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary. In doing so, the responsible party must keep in mind the purpose for which the information was collected or further processed.
There are a number of requirements which a responsible party must meet when personal information is collected from a data subject and there are also reasons for non-compliance with this condition. This includes that the responsible party must take reasonably practicable steps to ensure that the data subject is aware of the fact that the information is being collected and where the information is not collected from the data subject, the source from which it is collected.
The responsible party must secure the integrity and confidentiality of personal information in its possession or under its control. This is done by taking appropriate, reasonable technical and organizational measures to prevent loss of, damage to or unauthorized destruction of personal information, and unlawful access to or processing of personal information.
A data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject – proof of identity must be provided to the responsible party. A record or description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information must also be provided to the data subject.
Data subjects may also request that personal information is corrected.
There is provision for exceptions to the information protection conditions, especially in specific sectors in applicable circumstances. Examples of such exemptions are:
The Information Regulator may also grant exemptions from the conditions for processing personal information.
The POPI Act sets out specific rights of data subjects.
The rights that data subjects (you and me) have are the following:
These rights are all subject to certain conditions and in most instances, certain procedures must be followed in exercising these rights.
The POPI Act changed the manner in which consent was regarded for direct marketing purposes and regulates the sending of unsolicited commercial communications with an "opt-in" mechanism for consumers. This means that processing of the personal information of a data subject for the purposes of direct marketing by means of any form of electronic communication is prohibited unless the data subject has specifically consented to the processing; or is a customer of the responsible party doing the marketing.
A responsible party may approach a data subject (who has not previously withheld consent) only once to request consent for processing the data subject's personal information for direct marketing purposes. The data subject's consent must be obtained in the prescribed manner and form.
The POPI Act established a new regulatory body called the Information Regulator. The Information Regulator is, among other things, required to undertake educational programmes for the purpose of promoting the protection of personal information, monitor and enforce compliance by public and private bodies with the provisions of the Act, and receive and handle complaints about alleged violations of the protection of personal information of data subjects.
The POPI Act makes provision for Codes of Conduct to be issued by the Regulator. These Codes may be industry-specific and must meet specific requirements which include:
EG Cleaning Depot (Pty) Ltd does not guarantee that the Acts displayed on this website reflect the most recent version of those Acts after any possible amendments.
EG Cleaning Depot (Pty) Ltd is not liable for any loss sustained or prejudice caused by a disregard of this warning.