South Africa’s New Protection of Personal Information Act

Jan. 14, 2014, 6:36 PM UTC

Introduction

While South African law recognises a general right to privacy in relation to a person’s information, there is currently nothing in South African law which expressly regulates the processing of personal information. The Constitution of the Republic of South Africa, 1996 recognises a general right to privacy. Data protection and privacy issues are also currently regulated under the common law and various sector-specific statutes and laws, governing particular aspects of data protection.

The South African legislative framework relating to the processing and transfer of personal information is set to undergo drastic change with the imminent introduction of the Protection of Personal Information Act (“Act”), which was signed into law by the President on Nov. 19, 2013, and gazetted on Nov. 26, 2013 (see WDPR, December 2013, page 27).

The Act introduces terminology and concepts which are, to a certain extent, novel to South African law, the broad formulation of which is likely to have significant implications.

The Act will come into operation on a date to be proclaimed by the President in the Government Gazette.

This article sets out the basic principles of the Act and certain salient concepts introduced by the legislation.

General Principles

Under the common law, privacy embraces all those personal facts which the person concerned has determined to exclude from the knowledge of outsiders and intends to keep private. The Constitution confirms that everyone has the right to privacy, which includes, on a broad interpretation, the right:

  • to protection against the unlawful collection, retention, dissemination and use of personal information; and/or
  • not to have the privacy of his or her communications infringed.

The stated purpose of the Act is to give effect to the constitutional right to privacy. The Constitution, together with the Act, will regulate the parameters for the lawful processing and protection of personal information by automated and manual means.

In line with international trends set in the European Union and the United States, the Act seeks to bring South Africa in line with international data protection laws by:

  • regulating the processing of the information of natural and juristic persons; and
  • placing more onerous obligations on “responsible parties” that process such information.

The Act sets out the essential parameters for the lawful processing of personal information, including:

  • eight “core-information-protection principles”;
  • exemptions from the information-protection principles;
  • the founding of an independent information-protection regulator;
  • the rights of data subjects regarding unsolicited electronic communications and automated decision making;
  • transborder information flows; and
  • enforcement.

Relevant Definitions

The Act introduces terminology and concepts which are, to a certain extent, novel to South African law, the broad formulation of which is likely to have significant implications in respect of both the citizens of South Africa whose information is processed by companies and public bodies, and the companies and public bodies doing the actual processing (whether this be in South Africa or not).

“Personal information” is defined as information relating to identifiable, living natural and juristic persons, including:

  • information relating to demographics, such as the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, or contact details, such as the e-mail address, physical address, telephone number or other particular assignment to the person;
  • the blood type or any other biometric information of the person;
  • the personal opinions, views or preferences of the person or the views or opinions of another individual about the person;
  • correspondence sent by the person that is of a private or confidential nature; and
  • the name of the person, if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

“Consent” is any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

A “data subject” is a person to whom personal information relates, while a “responsible party” is defined as any public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

“Processing” is broadly defined as activity, whether automated or not, concerning personal information, which includes:

  • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • dissemination by means of transmission, distribution or making available in any other form; or
  • merging, linking, blocking, degradation, erasure or destruction of information.

Application

The provisions of the Act apply to the processing of personal information entered in a record by or for a responsible party that is domiciled in South Africa. The Act will also apply where the receiving party is not domiciled in South Africa but is using either automated or non-automated means to process personal information in South Africa.

The Act will apply to the exclusion of any provision of any other legislation that regulates the processing of personal information which is materially inconsistent with an object, or a specific provision, of the Act. If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in the Act, the more extensive conditions prevail.

The Act will not apply to the processing of information:

  • in the course of a purely personal or household activity;
  • that has been “de-identified” (i.e., deleted to the extent that it cannot be retrieved);
  • by or on behalf of the State, relating to national security, investigation of offences, and the like;
  • for exclusively journalistic purposes by responsible parties who are subject to a code of conduct by virtue of office;
  • by cabinet, provincial executive councils and municipal councils; and
  • relating to the judicial conduct of a court.

From the commencement date of the Act, responsible parties will have one year to ensure compliance with the requirements contained therein.

Processing Outside South Africa

The Act places a further restriction on the flow of information out of South Africa, and provides that a responsible party may not transfer personal information about a data subject to a third party in a foreign country unless:

  • the recipient of the information is subject to a law or contract which effectively upholds the principles for reasonable processing of information which are substantively similar to the principles applicable in South Africa;
  • the data subject consents to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the responsible party; or
  • the transfer is for the benefit of the data subject.

Compliance Requirements

The requirements imposed by Chapter 3 of the Act regarding the processing of personal information in South Africa, the so-called “core-information-protection principles”, apply to all responsible parties.

These principles are, in summary, as follows:

Principle One: Accountability

  • A responsible party must ensure that the principles set out in the Act are complied with.

Principle Two: Processing Limitations

  • The processing must be lawful, adequate, relevant, and reasonable and must not infringe the privacy of the data subject; and
  • The data subject must consent to the processing, or the processing must be justified on the grounds of legal obligation, protection of a legitimate interest, necessity of performance of a public law duty by a private body, the performance of a contract, or pursuance of the legitimate interests of the responsible party.

Principle Three: Purpose Specification

  • Responsible parties may collect personal information only for a specific, explicitly defined and lawful purpose, and steps must be taken to ensure that the data subject is aware of the purpose for the collection; and
  • Records of personal information cannot be retained any longer than necessary for achieving the purpose for which the information was collected.

Principle Four: Further Processing

  • Any further processing of personal information must be compatible with the purpose for which it was collected (i.e., for national security or research purposes).

Principle Five: Information Quality

  • Reasonable and practicable steps must be taken by the responsible party to ensure that the personal information is complete, accurate, not misleading and up to date.

Principle Six: Openness

  • Personal information may be processed only by a responsible party that has notified the regulator in terms of Chapter 6 of the Act; and
  • Reasonably practicable steps must be taken by the responsible party to ensure that the data subject is aware that the information is being collected, as well as all relevant details pertaining to the reasons for the collection, unless compliance would, inter alia, prejudice a lawful purpose.

Principle Seven: Security Safeguards

  • Responsible parties must secure the integrity of personal information, and prevent loss of, damage to or unauthorised destruction of it by taking appropriate measures; and
  • If there are grounds to believe that the personal information has been accessed by an unauthorised third party, the responsible party must notify the regulator and the data subject.

Principle Eight: Data Subject Participation

  • Data subjects have the right to request responsible parties to confirm (free of charge) whether they hold personal information about him or her and to provide a description of the personal information held, and may, in certain circumstances, request its destruction.

Information Regulator

The Act provides for the creation of an “Information Regulator”, being a supervisory body consisting of a chairperson and four other members. The Information Regulator will be an independent body subject only to the Constitution, and will be responsible for, inter alia, promoting, monitoring and enforcing the provisions of the Act on an international level and investigating complaints.

In addition, the Information Regulator will have the power to draft or approve category-specific or industry-specific codes of conduct which, once established, will regulate the processing of information within those categories or industries.

Offences and Penalties

The Information Regulator bears the responsibility of monitoring and enforcing compliance with the Act.

Potential civil and criminal penalties, as well as private rights of action, may apply. A person convicted of an offence may be liable to a fine or imprisonment, the term of which will be subject to the type of contravention. In certain cases, fines of up to ZAR10 million (U.S.$933,300) may be applicable.

The Act creates a number of offences, including but not limited to:

  • non-compliance with any information/enforcement notice issued by the Information Regulator;
  • the obstruction of the Information Regulator, or the obstruction of the execution of a warrant;
  • unlawful acts by responsible parties in connection with the processing of account numbers of a data subject; and
  • unlawful collection/disclosure of an account number of a data subject, by a third party without the consent of a responsible party.

In addition to the above, all persons acting on behalf of or under the direction of the Information Regulator have a duty to maintain the confidentiality of any personal information which comes to their knowledge during the course of the performance of official duties. The breach of this duty is an offence under the Act.

Conclusion

The Act will come into operation on a date to be proclaimed by the President in the Government Gazette. Given the limited transitional period provided for compliance (12 months), once the effective date is announced, it is advisable to commence compliance initiatives as soon as possible.

Darryl Bernstein is a Partner and Widaad Ebrahim is a Senior Associate in the Johannesburg office of Baker & McKenzie. They may be contacted at darryl.bernstein@bakermckenzie.com and widaad.ebrahim@bakermckenzie.com.
