Protection of Personal Information (POPIA) & the Right to Access to Information (PAIA)

 
POPIA protects personal information in South Africa
 

POPIA’s overall objective is to give people control over which information is processed about them, and what is done with that information.

POPIA gives effect to the Constitution’s Section 14 Right to Privacy, and regulates the ways in which people and companies process personal information about other people and companies.

 

It’s a balancing act …

POPIA does not prohibit the processing of personal information as such, but establishes the legal framework within which this processing must be conducted, monitored and enforced. In its enforcement of POPIA, the Information Regulator must balance the protection of the right to privacy with the protection of “all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way.” (s44 POPIA)
 

Application, conditions for processing, and role players.

POPIA introduces four conditions for POPIA to apply, eight conditions for the lawful processing of personal information, and five role players that must see to it that these conditions are at all times complied with. To make your company POPIA compliant, people need to be appointed, procedures established, and documents compiled and (some) made publicly available.
 

Jump to 4Definitions 5Role players 8Conditions XData Privacy Resources

 

4 Definitions

POPIA does not protect all personal information: its application is restricted to 4 definitions of who, what, how, and where.

POPIA applies to (1) “personal information” that is (2) “processed” in a (3) “record or filing system” in (4) “South Africa”.

1. Personal information

POPIA gives a broad interpretation to “personal information”, and defines it in its Section 1 as information relating to an identifiable, living, natural person, or relating to an identifiable, existing juristic person. It follows that POPIA does not apply to the personal information of deceased persons, or to personal information that has been ‘de-identified’ (in other words, when one is no longer able to identify a person by means of the information, eg. by converting a name to a random number).

So, if you process “personal information”, you must at all times do this compliant with POPIA’s conditions. BUT, two additions!

  1. Section 26-35 POPIA: unless you fall into a particular category and you comply with the special conditions listed in sections 26-35 POPIA, you MAY NOT process “special (sensitive) personal information” concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour of a data subject, or personal information of children (<18).
  2. Section 57-59 POPIA: if you intend to process information listed in section 57 POPIA, including further processing and linking of unique identifiers, criminal behaviour, credit reporting, or transferring “special personal information” to a third party in a foreign country, you need to apply for “prior authorisation” from the Information Regulator.
View full definition
Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

  • (a) information relating to the race, gender, sex, pregnancy, marital status,
    national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • (b) information relating to the education or the medical, financial, criminal or employment history of the person;
  • (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment
    to the person;
  • (d) the biometric information of the person;
  • (e) the personal opinions, views or preferences of the person;
  • (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • (g) the views or opinions of another individual about the person; and
  • (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information
    about the person;

 
 

2. Processing

Processing gets an equally broad interpretation in Section 1 of POPIA. As soon as you get near information about a person, it is safe to assume that you are “processing” it. Or for those who prefer more formal definitions: processing is any operation or activity or any set of operations, concerning personal information, whether digital or physical, automatic or manual.

POPIA, in other words, applies to the ‘full life-cycle’ of personal information: from its creation, collection, storage, usage, transfer and amendment to its destruction.
POPIA supports the concept of ‘privacy by design’ – data processors need to respect privacy from the very first step in the life-cycle of personal information, to the very last.

View full definition
Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

  • (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • (b) dissemination by means of transmission, distribution or making available in
    any other form; or
  • (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

 
 

3. Record or filing system

POPIA only applies to personal information that has been “entered in a record” – which can be just about any known format, including writing (on any material), taping, recording, labelling, drawing, and photographing. Don’t worry, this does not include personal information you have stored in your brain – you are still free to process your own memories, even those that contain very personal information about other people 😉 “Entering in a record” is not necessarily the same thing as “creating” – transferring existing personal information to a database, for example, is covered by the definition of “entering into a record”.

POPIA makes a further distinction between “automated” and “non-automated” means of entering a record. Only in the case of non-automated entering does POPIA require that the information forms part (or is intended to form part) of a structured “filing system” (some kind of list, record or database).

POPIA does not apply to personal information collected for personal or household purposes, or for journalistic, literary or artistic purposes.

View full definition
3. (1) This Act applies to the processing of personal information— (a) entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof.
 
Record means any recorded information-
(a) regardless of form or medium, including any of the following:

  • (i) Writing on any material;
  • (ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
  • (iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
  • (iv) book, map, plan, graph or drawing;
  • (v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

 
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
 
Filing system means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
 
Automated means, for the purposes of [section 3], means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

 
 

4. South Africa

For POPIA to apply, the Responsible Party (the person or company that determines the purpose and means for processing, see below) must be domiciled in South Africa, or make use of “means” (equipment, like servers, etc) located in South Africa, unless those means are only used to “forward” personal information. Remember: processing information in “the cloud”, on servers stored outside of South Africa, does not discharge you of the need to comply with POPIA.

View full definition
3. (1) This Act applies to the processing of personal information— (b) where the responsible party is—

  • (i) domiciled in the Republic; or
  • (ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.

 

5 Role players

POPIA introduces five role players that must see to it that its lawful conditions for processing personal information are at all times complied with.

1. Information Regulator

The Information Regulator is the national, independent body that is empowered by POPIA to encourage, monitor and enforce compliance by Responsible Parties with the provisions of POPIA and PAIA. When a complaint is submitted to, or initiated by, the Regulator, it can decide to investigate, conciliate, take no further action (s77), or refer to the Enforcement Committee – an independent judicial tribunal established to adjudicate POPIA matters (a bit like the CCMA for labour disputes).
 

2. Responsible Party

The Responsible Party (GDPR “controller”) is the person or company that determines the purpose and means for processing personal information, and is responsible and liable for compliance with POPIA and PAIA. Liability may include administrative fines, criminal convictions and civil damages.
 

3. Information Officer

Because there is some overlap between POPIA and PAIA (the “Promotion of Access to Information Act”), I will be mentioning both regulations here. The Information Officer is defined in POPIA and PAIA as the head of a private body and is responsible for ongoing compliance by the Responsible Party with POPIA and PAIA. One or more Deputy Information Officers may be appointed. The Information Officer’s duties and responsibilities are stated in POPIA and PAIA and related regulations and notices, and may include personal liabilities for destroying, damaging, altering, concealing, falsifying or making a false record with intent to deny a right of access in terms of PAIA, for wilfully or in a grossly negligent manner failing to make available a PAIA manual as per section 51 of PAIA or for non-compliance with an Enforcement Notice. While POPIA or PAIA say nothing about it, the Information Regulator’s Guidance Notice of 1 April 2021 states that Information Officers and Deputies must be “an employee of a private body at a level of management and above”.
 

4. Operator

An Operator (GDPR “processor”) is an independent contractor that processes personal information on behalf of the Responsible Party. Section 20 and 21 of POPIA state that an operator may only act with the (written) knowledge or authorisation of the Responsible Party, and must treat personal information confidentially.
 

5. Data Subject

A Data Subject is the person the “personal information” relates to. Put differently, the person that may be ‘identified’ by the personal information.

 

8 Conditions

POPIA is “principles-based” legislation. It tells you what to do, but it doesn’t tell you how to do it. This allows POPIA to be applied to a wide and diverse range of circumstances under the general banner of “reasonability”. Central to POPIA are its eight principles for processing personal information. These principles are:-

1. Accountability

By default, the head of the company, usually the CEO, is responsible for compliance with POPIA. POPIA refers to this company as the “Responsible Party” and to the head as the “Information Officer”. The administration (but not accountability) of the responsibilities and duties of the Information Officer may be delegated to one or more Deputy Information Officers. Processing operations (but not accountability) may be outsourced to third parties (“Operators”) – independent persons or companies that process personal information on behalf, with full knowledge and authorisation in writing by the Responsible Party.
 

2. Processing Limitation

This is the “Minimality Principle”. Firstly, processing of personal information must be adequate, relevant and not excessive in relation to the (specific) purpose for which is it processed. Secondly, personal information may only be processed if the data subject has consented (and for as long as this consent is not withdrawn), when it is necessary to meet contractual obligations with the data subject, when it is imposed by law, or when it is necessary to protect a legitimate interest of the data subject, responsible party or a third party.
 

3. Purpose Specification

Personal information may only be collected for a specific, explicitly defined and lawful purpose, and not be retained for longer than is necessary for achieving that purpose.
 

4. Further Processing Limitation

Once collected, personal information must be processed (stored, used, shared, etc) in accordance and compatible with the purpose for which it was initially collected.
 

5. Information Quality

The processor of personal information must ensure that the information is complete, accurate, not misleading and updated.
 

6. Openness

Data Processors must be transparent about how they process personal information at the moment of collection, and keep record of processing operations for the duration of the processing. Collection – At the time of collection (or as soon as possible after) the person whose information is collected must be made aware of which information is being collected, the contact details of the processor, the purpose for which it is collected, whether the supply of the information is voluntary or mandatory, the consequences of failure to supply the information, the processor’s intention to transfer the information outside of South Africa’s borders and the level of privacy protection offered in that country, the recipients of the information, the right of access and the right to rectify the information, the right to object, and the right to lodge a complaint with the Information Regulator. Processing – All processing activities in terms of Section 51 of PAIA must be recorded
 

7. Security Safeguards

The integrity and confidentiality of personal information must be secured by means of appropriate, reasonable technical and organisational measures, to prevent loss, damage, and unauthorised access to, or destruction of information. Foreseeable risks must be identified, and safeguards implemented and updated as need be. Should there be reason to believe that personal information has been accessed by an unauthorised person, the Information Regulator and the person to whom the information relates must be notified (as per s22 POPIA) as soon as possible.
 

8. Data Subject Participation

A person or a company, subject to providing adequate proof of identity, may request confirmation of the fact that personal information is being processed (free of charge), request the record or a description of the information (at a fee), and request the correction of the information, in the manner prescribed by Section 53 PAIA (Form C).