POPI Act Part 2: Conditions for the lawful processing of personal information

Estimated Reading Time: 15 minutes

Previous: POPI Act Part 1: An Introduction

In all instances, the Act refers to the POPI Act No. 4 of 2013.
You can download the Act here.
Wooden gavel on table
Credit: Unsplash

Chapters 3, 8 and 9 deals with the responsibilities of businesses in the processing of personal information. In this section we will look at the different conditions applicable for the lawful processing of personal information.

  • Part A: The processing of personal information in general
  • Part B: The processing of special information.
  • Part C: The processing of special information of children.

Various conditions apply for the processing of personal information. They are applied to three different sections:

Table of Contents

Part A: Processing of personal information in general

Condition 1: Accountability

The responsible party must ensure that all conditions and the measure that give effect to such conditions, must be complied with. Codes of conduct needs to be developed in order to clarify how, subject to any exemptions, the specific sector will be able to comply with these conditions.

A data subject has the right to have personal information processed in accordance with the conditions for the lawful processing of information. Including the right to be notified if personal information is collected or if personal information has been accessed or acquired by an unauthorized party.

A data subject are also entitled to establish whether a responsible party hold any personal information and to request access to that information. As well as when necessary, to request correction, destruction of deletion of such personal information.

A person can object, on reasonable grounds to the processing of personal information, at any time for purposes of direct marketing via unsolicited electronic communication. As well as not to be under any circumstances subjected to a decision based on a solely automated processing of personal information to provide a profile of such a person.

A complaint can be submitted to the Information Regulator for any alleged interference with the protection of personal information as well as in respect of a determination of an adjudicator as provided for. A person can also institute civil proceedings regarding alleged interference with the protection of personal information.

The Act does not apply to processing of personal information as a purely personal or household activity. Or any information that has been de-identified in such a way that it cannot be re-identified again. As well as personal information processed by a public body which involves national security, e.g. activities assisting in the identification of the financing of terrorist and related activities, defense or public safety.

Condition 2: Processing limitation

Personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject. And only if the purpose for which it is being processed is adequate, relevant and not excessive.

Processing can only take place if:

  1. The data subject or competent person (in case of a child) consented to the processing of personal information.
  2. The processing must be necessary to carry out actions regarding the performance of a contract relating to the data subject.
  3. Processing must comply with an obligation imposed by law on the responsible party.
  4. Processing protects a legitimate interest of the data subject.
  5. Processing is necessary for pursuing the legitimate interests of the responsible party or third party to whom the information is supplied.

The responsible party must be able to proof that the data subject or competent person has given consent to such processing of personal information. The data subject or competent person can withdraw their consent at any time, provided that the lawfulness of the processing of personal information will not be affected.

A data subject is allowed to object – on legitimate grounds – at any time to the processing of personal information. Unless the law allows for such processing of personal information. Or for purposes of direct marketing other than by means of unsolicited electronic communications.

Once the data subject has objected to the processing of personal information on legitimate grounds, the responsible body may no longer process their personal information.

Personal information must be provided directly by the data subject, unless:

  • the information is contained in or derived from a public record or has been deliberately made public by the data subject.
  • the data subject or competent person has consented to the collection of information from another source.
  • collection from another source will not prejudice the legitimate interest of the data subject.
  • collection from another source is necessary to:
    • avoid prejudice to the maintenance of the law by any public body for the prevention, detection, investigation, prosecution and punishment of offences.
    • comply with an obligation or to enforce legislation concerning the collection of revenue according to the South African Revenue Service Act, 1997 (Act no. 34 of 1997)
    • for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated.
    • in the interest of national security.
    • maintain legitimate interests of the responsible party or third party to whom the information is supplied.
  • Information does not need to be obtained directly from the data subject if it will prejudice a lawful purpose of the collection or if compliance is not reasonably practicable in the circumstances of the particular case.

Condition 3: Purpose Specification

Personal information may only be collected for a specific, explicitly defined and lawful purpose. Steps must be taken to ensure that the data subject is aware of the purpose of collection.

Personal information may only be collected for a specific, explicitly defined and lawful purpose. Steps must be taken to ensure that the data subject is aware of the purpose of collection. Click To Tweet

Retention:

Personal information can’t be retained for longer than necessary to achieve the purpose for which it was collected, unless:

  • retention are required or authorised by law.
  • the responsible party reasonably requires the record for lawful purposes related to its functions or activities.
  • retention of the records is required by a contract between the parties.
  • the data subject has consented to the retention of the record.

Records of personal information may be retained in excess as required by law, but only for historical, statistical or research purposes. And only if the responsible party has established the necessary safeguards against the records being used for other purposes.

If a responsible party has used the record to make a decision about the data subject he must retain the record for as long as prescribed by law or code of conduct. If there is no applicable law or code of conduct, the record must be retained long enough to afford the data subject a reasonable opportunity, -taking all possible consideration in account – to request access to the record.

Personal information must be destroyed, deleted or de-identified by the responsible party as soon as reasonably possible, when no longer authorised to retain those records.

Destruction or deletion of a record of personal information must be done in such a way that it prevents reconstruction in any intelligible form.

Restriction:

Green gate locked with chain and padlock
Credit: Unsplash
Processing of personal information must be restricted when:
  • accuracy is contested by the data subject for a period required to verify the accuracy of such information.
  • the responsible party no longer requires the information for the specific purpose for which it has been collected, but it must be maintained for purposes of proof.
  • the processing is unlawful and the data subject opposes the destruction or deletion and request restriction of use instead.
  • the data subject requests that the personal information must be transmitted to another automated processing system.

The personal information referred to above may only be processed for purposes of proof, or with the data subject or competent person’s consent. Or for the protection of rights of another natural or legal person if in the public interest.

If the processing of personal information is restricted, the responsible party must inform the data subject before lifting the restriction on processing.

Condition 4: Further processing limitation

Further processing of personal information must be compatible with the purpose for which it was collected.

Further processing:

To assess whether further processing is necessary the responsible party must take account of:

  • the relationship between the purpose of the intended further processing and the purpose for which the information has been collected.
  • the nature of the information.
  • the consequences for the data subject
  • the manner in which the information has been collected.
  • any contractual right and obligations between the parties.
The further processing of information is not incompatible with the purpose of collection if:
  • the data subject or competent person gives their consent.
  • the information is available or derived from a public record or has deliberately been made public by the data subject.
Further processing is necessary in the following instances:
  • To avoid prejudice to the maintenance of the law by any public body. This includes the prevention, detection, investigation, prosecution and punishment of offences.
  • To comply with an obligation by law or to enforce legislation concerning the collection of revenue.
  • For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated.
  • In the interest of national security.
  • The processing of information is necessary to prevent or mitigate a serious and imminent threat to public health or safety or the life or health of a data subject or another individual.
  • The information is used only for historical, statistical or research purposes and necessary safeguards are in place to ensure that it is only used as such and not published in any form.
  • The further processing of information is in accordance to an exemption granted.

Condition 5: Information quality

Reasonable steps must be taken by the responsible party to ensure that personal information is complete, accurate, not misleading and updated as necessary. By taking the steps necessary to implement the above, the responsible party must always keep the purpose of the further processing of personal information in mind.

Condition 6: Openness

A responsible party must maintain documentation of all processing operations according to its responsibility in relation to the Promotion of Access to Information Act.

Awareness:

When collecting personal information, the responsible party must ensure that the data subject is aware of:

  • the information being collected and if not collected from the data subject directly, the source of information.
  • name and address of the responsible party.
  • the purpose for which the information is collected.
  • whether the supplying of information is voluntary or mandatory.
  • the consequences of not providing the information.
  • any laws authorising or requiring the collection of the information.
  • if the responsible party intends to transfer the information to a third country or international organisation. As well as the level of protection afforded by the third country or international organisation.
  • any further information such as:
    • recipient or category of recipients of the information.
    • nature or category of the information.
    • the right of access to and the right to rectify the collected information.
    • the right to object to the processing of personal information.
    • the right to lodge a complaint with the Information Regulator and the contact details of the Information Regulator.

This must be necessary with regards to the specific circumstances in which the information will or will not be processed, to ensure processing is reasonable in respect of the data subject.

These steps must be taken before information is collected directly from the data subject, unless the data subject is already aware of this information. Or alternatively, as soon as reasonably possible after the information has been collected.

If a responsible party has already taken the necessary steps to comply – it is not necessary to repeat these steps for the subsequent collection from the data subject – of the same information or information of the same kind of purpose if the collection of the information remains the same.

Notification:

Notification to the data subject by the responsible party is not necessary if:

  • the data subject or competent person has consented to non-compliance.
  • non-compliance wouldn’t prejudice the legitimate interests of the data subject.

Non-compliance is necessary to avoid prejudice to the maintenance of the law by any public body. This includes prevention, detection, investigation, prosecution and punishment of offences. As well as an obligation imposed by law or to enforce legislation concerning the collection of revenue. Also for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated. Or if it is in the interest of national security.

Compliance is not necessary if it will prejudice a lawful purpose of collection or is not reasonably practical. As well as if the information will not be used in such a form that it will identify the data subject. And if the information will only be used for historical, statistical or research purposes.

Condition 7: Security safeguards

A responsible party must ensure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures to prevent:

  • loss of, damage to or unauthorised destruction of personal information.
  • unlawful access to or processing of personal information.

Measures:

This implies that the responsible party must take reasonable measures to:

  • identify all reasonable foreseeable internal and external risks to personal information he possess or control.
  • establish and maintain safeguards against the identified risks.
  • regularly check that safeguards are effectively implemented.
  • ensure that safeguards are continually updated in response to new risks or deficiencies.

The responsible party must comply to generally accepted information security practices and procedures which might apply to him in general; for his specific industry, or according to professional rules and regulations.

An operator processing information on behalf of a responsible party must process such information only with the knowledge and authorisation of the responsible party. And he must treat personal information as confidential and must not disclose it unless required by law, or in the course of the proper performance of his duties.

The responsible party must ensure via a written contract that an operator establishes and maintains all security measures to safeguard personal information. The operator must notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person.

In such a case, the responsible party must notify the Information Regulator and the data subject – unless his identity can’t be established. The notification must be made as soon as reasonably possible after discovery of the compromise, taking into account the legitimate needs of law enforcement or any other reasonable measures to determine the scope of the compromise. As well as measures to restore the integrity of the affected information system.

A notification may only be delayed if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines notification will impede a criminal investigation.

Notification:

Notification to the data subject must be in writing and communicated in the following ways:

  1. Mailed to last know physical or postal address.
  2. Send via e-mail to last known email address.
  3. Displayed prominently on the website of the responsible party.
  4. Published in the media.
  5. Or as may be directed by the Information Regulator.
The notification must provide sufficient information to enable the data subject to take protective measures against potential consequences of the compromise. This includes:
  • A description of the possible consequences of the compromise.
  • A description of possible measures that the responsible party intends to take or has taken to address the compromise.
  • A recommendation regarding possible measures the data subject can take to mitigate possible adverse effects of the compromise.
  • If known, the identify of the unauthorised person responsible for the compromise.

The Information Regulator may instruct the responsible party to make public, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if there is reasonable grounds to believe that it will protect the data subject affected by the compromise.

Condition 8: Data subject participation

Once a data subject has provided adequate proof of identity, he has the right to:

  • request the responsible party to confirm, free or charge, whether or not the responsible party holds personal information about the data subject.
  • request from the responsible party the record or a description of personal information about the data subject. Including information held by third parties or categories of third parties, who have or had access to the personal information. This must be provided within a reasonable time, at a prescribed fee (if any), in a reasonable manner and format and in a form that is generally understandable.

The data subject must be advised to his right to request the correction of information. If payment of a fee is required, the responsible party must provide a written estimation of the fee before providing the services. The applicant can be required to pay a deposit for all or part of the fee.

A responsible party may or must refuse to disclose any information if the grounds for refusal is set out in the Promotion of Access to Information Act, for example if it relates to health records.

If a request is made to a responsible party and part of the information must be refused, the rest of the information must be disclosed.

A data subject may request a responsible party to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. Or destroy or delete a record that the responsible party is no longer entitled to retain.

Upon receipt of such request, the responsible party must as soon as reasonably possible correct, destroy or delete the information and provide the data subject with credible evidence in support of the information.

Where an agreement can’t be reached, ensure to attach to the information in such manner that it will always be read with the information and indication that a correction has been requested but has not been made.

Part B: Processing of special personal information

A responsible party is not allowed to process personal information relating to:

  • religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or the biometric information of the subject,
  • criminal behaviour of a data subject as far as that information relates to:
    • the alleged commission by the data subject of any offence, or
    • any proceedings in respect of any offence allegedly committed by the data subject, or the disposal of such proceedings.

Exemptions:

The prohibition on the processing of special information doesn’t apply when the:

  • processing is carried out with the consent of the data subject
  • processing is necessary for the establishment, exercise or defense of a right or obligation in law.
  • processing is necessary to comply with an obligation of internal public law.
  • processing is for historical, statistical or research purposes, and
    • the purpose serves the public interest and is necessary for the purpose concerned.
    • it appears impossible or would involve excessive effort to ask for consent. Sufficient guarantees must then be provided to ensure that processing doesn’t negatively affect the individual privacy of the data subject.
    • the information has deliberately been made public by the data subject.

The Information Regulator may by notice in the Gazette authorise a responsible party to process special personal information. But only if it is in the public interest and appropriate safeguards have been put in place to protect such personal information.

Processing of special information relating to religious or philosophical beliefs can be carried out by:
  • spiritual or religious organisations or independent sections of such organisations if the data subject belongs to those organisations. Or if it is necessary to achieve their aims and principles.
  • institutions founded on religious and philosophical principles with respect to members or employees of such organisation if it is necessary to achieve their aims and principles.
  • Other institutions if necessary to protect the spiritual welfare of the data subjects, unless they object to such processing.

This prohibition does not apply if the association concerned maintains regular contact with family members in connection which it aims, and the family members have not objected to such processing.

This information may not be supplied to any third parties without the consent of the data subject.

Information relating to race or ethnic origin can be processed to identify the data subject, and only if essential for that purpose. As well as to comply with laws and measures designed to protect or advance persons or categories disadvantaged by unfair discrimination.

Trade unions may process special personal information if necessary to achieve their aims. But no personal information may be supplied to third parties without consent.

An institution, founded on political principles can process special information of its members or employees or other persons belonging to the institution; if necessary to achieve their aims or principles. But only if processing is necessary for purposes of:
  1. forming a political party.
  2. participating in the activities of or engaging in the recruitment of members. Or canvassing supporters or voters with the view to an election of the National Assembly, a provincial legislature or a municipal election.
  3. for a referendum as regulated in the Referendums Act, 1983.
Special information regarding a data subjects sex life can be processed by:
  • Medical professionals, healthcare institutions or facilities or social services. But only if necessary for proper treatment and care of the data subject. Or for the administration of the institution or professional practice concerned.
  • Insurance companies, medical schemes and medical scheme administrators if necessary to assess the risk to be ensured, and the data object have not objected to such processing. As well as for the performance of an insurance or medical scheme agreement or for the enforcement of any contractual rights or obligations.
  • Schools, if necessary to provide special support for pupils or making special arrangements in connection with their health or sex life.
  • Any public or private body managing the care of a child if the processing is necessary for the performance of their lawful duties.
  • Any public body if processing is necessary in connection with prison sentences or detention measures.
  • Administrative bodies, pension funds, employers or institutions working for them, if necessary for:
    • the implementation of the provision of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject.
    • the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.
  • The information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement with the data subject.
  • Any party processing information regarding health or sex life (excluding parties in the previous point), must treat this information as confidential unless required by law or in connection with their duties to communicate such information to other parties who are authorised to process such information.
  • The prohibition on the processing of any category of personal information does not apply if it is necessary to supplement the processing of personal information relating to the data subjects health, with a view to the proper care and treatment of the data subject.
  • Personal information relating to inherited characteristics may not be processed unless:
    • a serious medical interest prevails.
    • the processing is necessary for historical, statistical or research activity.

Information regarding criminal behaviour or biometric information can be processed by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law. Or if the processing of information concerns personnel in the service of the responsible party, it must comply with rules established in compliance with labour legislation. As well as when such processing is necessary to supplement the processing of information on criminal behaviour or biometric information permitted by this section.

Credit: Unsplash

Part C: Processing of special information about children

A responsible party are not allowed to process personal information of a child, unless:

  1. The processing is carried out with prior consent of a competent person.
  2. Such processing is necessary for the establishment, exercise or defense of a right or obligation in law.
  3. It is necessary to comply with an obligation of international public law.
  4. For historical, statistical or research purposes, to the extent that:
    1. it serves the purpose of public interest and processing is necessary for that purpose.
    2. it appears to be impossible or would involve extensive effort to ask for consent. Sufficient guarantees must be provided to protect the individual privacy of the child.
  5. Personal information can be processed if it has deliberately been made public by a child, without the consent of a competent person.

The Information Regulator may, by notice in the Gazette, authorise a responsible party to process personal information of children, as long as the necessary safeguards have been put in place to protect such information.

The Regulator may impose certain conditions regarding this authorisation, including conditions regarding how a responsible party must, upon request of a competent person provide a reasonable means for that person to:
  • review the personal information to be processed, and to refuse to permit further processing.
  • provide notice regarding the nature of the personal information being processed, how such information is being processed and regarding any further processing practices.
  • refrain from any action that is intended to encourage or persuade a child to disclose personal information than what is reasonably necessary for the purpose for which it is intended.
  • establish and maintain reasonable procedures to protect the integrity and confidentiality of personal information collected from children.

In the next section we will look at how the Act will influence direct marketing and the trans-border flow of information.

 
Source: Government Gazette Vol. 581; No. 37067 November 26, 2013 POPI Act No. 4 of 2013.

Next: POPI Act Part 3: Direct Marketing & Trans-border Flow of Information

Author: Susan

I have gained many years experience in the following during my working career. General Administration Records Management Stock Management I have recently completed a Social Media Marketing Specialization and I am currently busy with the Content Strategy for Professionals Specialization (both with North Western University using the Coursera platform).

2 thoughts on “POPI Act Part 2: Conditions for the lawful processing of personal information”

Share Your Thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.