As most of us are aware, The Protection of Personal Information Act 4 of 2013 (the Act) was signed into law on 26 November 2013 and we have written numerous articles on the topic in the last few years while waiting for the Act to become fully operational. Certain sections of the Act have been implemented incrementally since April 2014, but it has mostly been a paper tiger.
The purpose of the Act has always been to protect our constitutional right to privacy, but at the same time balancing this right with the right of access to information and the protection of the free flow of information. It will be practically impossible to function normally without sharing personal information, but the Act aims to manage the way we do it by promoting the protection of personal information processed by public and private bodies.
On Monday, 22 June 2020, President Cyril Ramaphosa proclaimed the following sections of the Act to come into effect on 1 July: Sections 2 to 38; Sections 55 to 109; Section 111; and Section 114(1), (2) and (3).
These sections comprise the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act.
So, what now?
- Let’s start with the most obvious question: Does the Act apply to your business?
The Act applies to most businesses. It is much further reaching than many may think. If you collect, use, process, store or destroy any personal information, then the answer is YES!
- The next question to follow is then: What is considered personal information?
Basically, any information relating to an identifiable, living, natural person or existing juristic person.
This can include race, gender, pregnancy, marital status, sexual orientation, age, religion, culture, language, education, medical, financial, criminal or employment history, any identifying e-mail address, physical address, telephone number, location information, online identifier, biometric information (fingerprints, DNA, signatures) and even a name of a person if it would reveal information about that person.
I’m sure you recognise some of the information you collect from clients, suppliers and employees in this list.
- What exactly is processing and are you doing it?
The Act applies to the processing of personal information by or for a responsible party if that party is domiciled in South Africa or makes use of automated or non-automated ways in South Africa to process personal information, but not if personal information is only forwarded through South Africa.
“Processing” in terms of the Act is quite broad and includes:
- collection, receipt, recording, organisation, storage, updating, modification or use for whatever reason of personal information;
- circulation, transmission, distribution or making personal information available in any other form;
- restriction, erasure or destruction of personal information.
If you collect clients’ personal information, if you store your suppliers’ information, if you keep an employee file containing personal information, or if you analyse the information someone fills in on a website enquiry form, then the answer is YES: you are processing personal information.
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
There are certain exclusions for when the Act does not apply, e.g. if information has been de-identified to the extent that it cannot be re-identified again, or information used for journalistic, literary or artistic purposes under certain circumstances. This analysis of the Act when it was still a Bill touches more on this and you can read that here.
Conditions for lawful processing of personal information
The Act sets out strict conditions that have to be followed and complied with when processing personal information. Paula Kennedy-Smith details these conditions in her article that you can read here.
This includes that personal information may only be processed if:
- the person consents to the processing (voluntary, specific and informed consent)
- it is necessary to perform your obligations under a contract to which the person is a party
- there is an obligation imposed on you by law (e.g. an employee’s tax information)
- it protects the legitimate interests of the person or of yourself
- it is necessary for the performance of a public duty by a public body (in the interest of the public)
Personal information can only be collected for a specific, explicitly defined and lawful purpose. The information must be collected directly from the data subject, with certain exceptions, and he/she must be aware of the purpose for which this information is collected.
If there is a breach and data subjects’ personal information is unlawfully accessed on your watch, you must notify the Information Regulator and the person whose information it is as soon as reasonably possible.
It is also important to note that there is a restriction on the processing of “special personal information”, subject to certain conditions. Special personal information may only be processed if:
- the data subject has consented to the processing;
- it is necessary in law;
- it is for research purposes;
- the information has been made public by the data subject; or
- a listed exception applies for specific categories.
Transborder Information Flows
The Act further contains provisions that prohibit the transfer of personal information to a third party in a foreign country, unless:
- such foreign country has the same or substantially similar laws protecting the processing of personal information;
- you have the data subject’s consent for such transfer;
- such transfer is agreed to in terms of a contract;
- the transfer is for the benefit of the data subject, but
– it is not reasonably practicable to get the data subject’s consent, and
– he or she would be likely to give it.
Depending on who you ask, the provisions on direct marketing are a consumer’s favourite part of the Act and a sales team’s least favourite part. At present Section 45 of the Electronic Communications and Transactions Act (ECTA) deals with spam, but this will now be repealed by the Act. Direct marketing will become “opt-in”, as opposed to the standard “opt-out” approach followed now.
In simple terms this means that you will not be allowed to do direct marketing UNLESS:
- the person gives consent (which consent you may only request ONCE)
- he or she is already an existing customer AND:
– you obtained their details through the sale of goods/services;
– the direct marketing will be about similar goods/services;
BUT the person must still be given the opportunity to object to the direct marketing.
We will need to see whether this is enforced in practice and whether there will be real change to the spam calls we receive every day.
If someone lays a complaint against you for a breach of your duties in terms of the Act, the Regulator will investigate the complaint and may issue you with an enforcement notice. The notice may require you to take, or refrain from taking, specified steps within a specified period, to stop processing the personal information specified in the notice, or to stop processing personal information for the purpose or in the manner specified, within the specified period.
If you don’t comply with an enforcement notice by the Regulator, this will lead to penalties – either a fine or imprisonment for not more than 10 years or both.
The Regulator may also issue administrative fines, which are essentially admission-of-guilt fines, up to a maximum of R10 million.
A data subject also retains the right to take civil action against you and claim damages if you:
- breach any of the lawful processing conditions
- fail to notify them of a security breach
- do unlawful direct marketing
- unlawfully transfer personal information outside the borders of South Africa
- violate their constitutional right to privacy
It is very important to note that this remedy is available to the data subject regardless of whether you acted intentionally or negligently, i.e. it is a no-fault liability.
Section 114(1) states that all forms of processing personal information must, within one year after the commencement of this section, be made to conform to the Act. This means that entities (both private and public bodies) will have to ensure compliance with the Act by 1 July 2021.
As we have been advising businesses to proactively implement the Act, we are sure you are ready to comply already! If not, remember that there are significant consequences for non-compliance, and we suggest that you do not wait until the last minute.
Feel free to contact us for advice on this topic!