Finally! Protection of personal information. Not yet…

On 19 November 2013 the Protection of Personal Information Act 4 of 2013 (PoPIA) was assented to by the President. The date of commencement however remains a mystery, as a date is yet to be proclaimed via Government Gazette. This article will however attempt to shed some light on the purpose, application and interpretation of the PoPIA.

The purpose of the PoPIA is to give effect to the constitutional right to privacy contained in section 14 of the Constitution of the Republic of South Africa, 1996 (Constitution). This includes the right not to have your person or home searched, your property searched, your possessions seized or the privacy of your communications infringed. The PoPIA further attempts to safeguard personal information when processed by a responsible party, to regulate the manner in which personal information may be processed, to provide persons with rights and remedies to protect their personal information from being processed in a manner other than in accordance with the PoPIA and to establish voluntary and compulsory measures by way of an Information Regulator.

These rights are however not limitless and can be limited to the extent that they are aimed at balancing the right to privacy against other rights, particularly the right of access to information and protecting important interests, including the free flow of information within the Republic and across international borders. PoPIA therefore introduces, in addition to the limiting factors set out in section 36 of the Constitution, two additional factors that will now need to be taken into account when the right to protection of personal information is to be limited.

The PoPIA makes mention of the following terms, which need to be understood in context and have accordingly been defined in section 1 of the PoPIA as follows:

’Personal information’” is information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to information relating to race, education, any identifying number, biometric information, personal opinions, correspondence that is implicitly or explicitly of a private or confidential nature, views or opinions of another individual about a person and the name of the person if it appears with other personal information relating to the person etc.”

‘“Processing’” is any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including inter alia: the collection, receipt, recording, organisation, collation storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as restricting, degrading, erasing or destruction of information”

’Responsible party’” is a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.”

The definitions of the above terms are so wide that it appears to apply to any person who processes personal information. This is however not the case as section 3 provides clarity on the ambit of the PoPIA. In context and purpose, the PoPIA applies to a responsible party having entered personal information into a record by making use of automated or non-automated means, provided that if the recorded information was processed in a non-automated manner it forms part of a filing system or is intended to form part of such system. This is only in instances where the responsible party is domiciled within the Republic, or makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.

It should be noted that section 6 of the PoPIA specifically excludes instances where personal information has been processed in the course of purely household or personal activity; that the information has been de-identified to such an extent that it cannot be re-identified again; if such information is processed by or on behalf of a public body which involves national security; the Cabinet and its committees or the Executive Council of a province; the judicial function of a court. In addition it should be noted that should a responsible party process personal information solely for journalistic purposes the PoPIA will not apply, subject to the code of conduct set out in Chapter 7 of the Act.

We have now addressed the ambit of the act and will soon delve deeper into whether the PoPIA makes provision for responsible parties concluding non-disclosure agreements for the processing of personal information between one another.

by Albert Arnold
albert@dyason.co.za