"Personal information” is defined very broadly in the Act, and includes a wide range of information that can be used to identify a Data Subject (the person to whom the data applies – which can be an identifiable living natural person and/or an identifiable existing juristic person or legal entity).
We can clarify what is meant by ‘personal information’ even further, by dividing it into categories, as follows:
Personal Data (General)
This includes information about a person’s:
- Age, colour, race, gender, sex, pregnancy, marital status, biometric information
- National, ethnic or social origin
- Sexual orientation, personal opinions, preferences or views of the Data Subject and/or the views or opinions of another person about the Data Subject
- Physical or mental health, wellbeing, disability
- Religion, conscience, belief, culture, language and birth
- Education, medical, financial, criminal or employment history
- Identifying number, symbol, email address, physical address, telephone number, location information, online identifier
- Correspondences sent by the Data Subject that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
POPIA provides for a separate category of information called 'special personal information' which includes all information relating to:
- A person's religious or philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion,
- Health or sex life,
- Biometric information (fingerprints or blood type)
- Criminal behaviour (that is alleged or any proceedings relating to any alleged offence of the Data Subject, or the disposal of such proceedings).
The Data of Children
POPIA also specifically regulates the personal information of a child.
[A child is defined in POPIA as a natural person under 18, who is not competent to make a decision or take any action on a matter concerning him or herself without the assistance of a competent person].
In what follows, we will briefly expand on the requirements for the lawful processing of the General Personal Data, and thereafter take a brief look at the additional requirements imposed by POPIA for the lawful processing of Special Personal Information, and of Children’s Personal Information.
Lawful Processing of Personal Information (General):
The 8 Conditions for the lawful processing of personal information by or for a Responsible Party are the following:
- Responsible Party must comply with these 8 Conditions
- Processing limitation
- Personal Information should only be obtained by limited and lawful processing that does not unnecessarily infringe privacy
- Section 11 deals with the concept of consent, under Condition 2. Basically, personal information can only be processed if the Data Subject (or a competent person on behalf of a child), expressly consents to it. In addition, the Responsible Party bears the burden of proof for that consent. There are certain instances where consent is not required, and personal information may be processed lawfully - such as when it is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is party; or the processing complies with an obligation imposed by law on the Responsible Party; or it protects a legitimate interest of the Data Subject; or it is necessary for the proper performance of a public law duty by a public body; or it is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom the information is supplied. The Data Subject may withdraw his, her or its consent at any time.
- Purpose Specification
- The purpose for which the personal information is collected must be specific, explicitly defined and lawful
- Further processing limitation
- Further processing must be compatible with the purpose for which personal information is collected
- Information Quality
- Reasonably practicable steps to ensure personal information is complete, accurate, not misleading and updated
- Advise the Data Subject of certain mandatory information in respect of collection
- Security Safeguards
- The integrity and confidentiality of the personal information must be secured
- Data Subject Participation
- The Data Subject has certain access rights, including a right to request its deletion
Note that these conditions are not applicable where specifically excluded, or are specifically exempted by the Information Regulator (for example, where an exemption from having to comply with these conditions is deemed to be in the public interest or for the benefit of the Data Subject).
Codes of Conduct for particular Sectors:
Certain Codes of Conduct may be developed in order to clarify how the 8 Conditions are to be applied within a particular sector.
Lawful Processing of Special Personal Information (Sensitive Data):
A Responsible Party is prohibited from processing sensitive data, unless certain additional and specific criteria, are met- which are clearly set out in clauses 27 to 33. For example, where the processing is necessary to comply with an obligation of international public law. The Information Regulator may also grant a specific authority (for example it being in the public interest). Should such criteria be met, then the information may be processed, but also subject to the 8 Conditions listed above.
Lawful Processing of Personal Information of a Child:
The processing of the Personal Information of a Child, is also prohibited by POPIA, unless certain criteria are met, which are listed in clause 35. One such requirement is that the processing is carried out with the prior consent of a competent person. Again, should the specific criteria laid out on Section 35 be met, then the information must also be processed in accordance with the 8 Conditions listed above.
Lawful Processing of Personal Information for Direct Marketing purposes:
Section 69 states that the processing of personal information of a Data Subject for the purpose of direct marketing by means of any form of electronic communication including automatic calling machines, faxes, SMS’s or email is also prohibited unless the Data Subject has given his or her consent to the processing or is a customer of the RP (subject to certain conditions).
The Rights of Data Subjects:
Data Subjects have certain rights, and these are set out in the Act.
- To have personal information processed in accordance with the 8 Conditions set out in POPIA.
- To be notified that personal information about them is being collected in accordance with Condition 6 (Openness).
- To be notified that personal information about them has been accessed or acquired by an unauthorised person, in accordance with Condition 7 (Security Safeguards).
- The right to establish whether a Responsible Party holds personal information of that Data Subject, and to request access thereto, in accordance with Condition 8 (Data Subject Participation).
- To request, where necessary, the correction, destruction or deletion of his, her or its personal information, in accordance with Condition 8 (Data Subject Participation).
- The right to object, on reasonable grounds relating to their particular situation, to the processing of his, her or its personal information in terms of section 11(3)(a).
- The right to object to the processing of his, her or its personal information if it is for the purposes of direct marketing.
- The right not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except where he, she or it has given his consent or is a customer of the Responsible Party (subject to certain requirements).
- The right not to be subject to a decision which is based solely on the basis of automated processing of his, her or its personal information intended to provide a profile of such person.
- The right to submit a complaint to the Information Regulator regarding alleged interference with the protection of personal information of any Data Subject, or in respect of a determination of an adjudicator.
- The right to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.
When must a Responsible Party obtain Prior Authorisation from the Information Regulator?
There are certain instances where a Responsible Party is required to obtain prior authorisation from the Information Regulator, before it is able to process certain information.
These instances where prior authorisation is required, are set out in more detail in Sections 57, as follows:
- Where unique identifiers of data subjects will be processed for a purpose other than the one for which the identifier was specifically intended at collection, and with the aim of linking the information together with information processed by other Responsible Parties
- Where criminal behaviour or unlawful or objectionable conduct information on the Data Subject is processed on behalf of third parties
- Where information is processed for the purpose of credit reporting on the Data Subject
- Where special personal information (sensitive data) or the personal information of children is to be transferred to a third party in a foreign country that does not provide an adequate level of protection for the processing of this information
- The Information Regulator may include other types of information processing by law or regulation if the processing thereof carries a particular risk for the legitimate interests of the Data Subject.
- Where a specific sector is subject to a Code of Conduct in terms of Chapter 7 of the Act, then this requirement will not apply to that sector.
What is the process for obtaining this Prior Authorisation?
The Responsible Party is required to notify the Information Regulator of its intention to process the information and must not proceed with doing so, until the Information Regulator has completed its investigation, or the Responsible Party has received a notice that the more detailed investigation will not be conducted.
The Information Regulator will have 4 weeks after the notification to inform the Responsible Party as to whether it will conduct the more detailed investigation or not. Should the Information Regulator notify the Responsible Party that it intends conducting a more detailed investigation, it must do so within 13 weeks. Upon conclusion thereof, the Information Regulator must issue a statement concerning the lawfulness of the processing. Should a Responsible Party not receive the Information Regulator’s decision within the time limit specified, it may presume a decision in its favour, and continue with its processing.
The Responsible Party need only obtain prior authorisation once and not each time that personal information is received or processed, except where the processing departs from that for which it was initially authorised.
What if a Responsible Party does not comply with this requirement?
Should a Responsible Party fail to provide a notice to the Information Regulator or should the Responsible Party fail to suspend processing until the Information Regulator has completed its investigation - the Responsible Party will be guilty of an offence, and may be liable to a fine or imprisonment for a period not exceeding 12 months, or both.