Protection of Personal Information Act

Prof A Mukheibir

Constitution of the Republic of South Africa, 1996 S 14 of the Bill of Rights

Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed

Right to privacy prior to advent of Constitution

•

Protected in terms of common law of delict

•

Infringement - patrimonial or non patrimonial loss

•

Claim compensation for damage arising from infringement of this right in terms of

•

a delictual action Law of delict remains available

Protection of Personal Information Act (POPI)

• Enacted to give effect to section 14 of the Bill of Rights • To provide protection against the unlawful collection, dissemination & use of personal information • To balance the right to privacy with the constitutional values of democracy and openness & facilitate the free flow of information

Purpose of POPI

• Give effect to right to privacy • Regulate manner in which personal information is processed • Provide rights and remedies for protection of personal information • Establish voluntary and compulsory measures to • ensure respect for rights; • promote rights • enforce and fulfill rights

Exemptions POPI Act not applicable to

•Info used for personal/household activity •Information that has been “de-identified” •Information collected for national security •Information collected for purpose of combatting crime •Information collected solely for the purpose of journalistic, literary or artistic – reconciliation of right to privacy with right to freedom of expression

data subject operator

“person to whom information relates ” “person who processes information for a

responsible party

Public or private body …determining purpose & means of processing personal information

public body'' means — (a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or

(b) any other functionary or institution when — (i)exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or (ii)exercising a public power or performing a public function in terms of any legislation

data subject rights duties operator

“person to whom information relates ” Relate to

processing

of

personal information

“person who processes information for a

responsible party

personal information

information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to — (a)information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

a) c b) information relating to the education or the medical, financial, criminal or employment history of the person; c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; d) the the biometric information of the person; e) the personal opinions, views or preferences of the person;

f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; g) the the views or opinions of another individual about the person; and h) the the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Special personal information

(a) religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or (b) the criminal behaviour of a data subject relating to (i) the alleged commission by a data subject of any offence; or (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceeding

Processing prohibited subject to s 27

processing – “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information

, including — (a)the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b)dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

”

data subject rights duties operator

“person to whom information relates ” Relate to

processing

of

personal information

“person who processes information for a

responsible party

Rights of data subjects

The right to have personal information processed in accordance with the

conditions for the lawful processing

of personal information • Rights include the following

Notification

of the following • Collection of personal information • Unauthorized access

•

Rights of data subjects (cont) To be informed

if responsible party holds • personal information

Access

to personal information held by responsible party • Correction, deletion or destruction of personal information • Object to processing of personal information (on reasonable grounds) • Object to use of info for direct marketing • Institution of remedies

Conditions for the lawful processing of personal information

(a) Accountability (b) Processing limitation (c) Purpose specification (d) Further processing limitation (e) Information quality (f) Openness (g) Security safeguards (h) Data subject participation

Conditions for the lawful processing of personal information

(a) Accountability

s8

(b) Processing limitation

s9 - 12

(c) Purpose specification

s13 - 14

(d) Further processing limitation

s15

(e) Information quality

s16

(f) Openness

s17- 18

(g) Security safeguards

s19 - 22

(h) Data subject participation

s23 - 25

Conditions for the lawful processing of personal information

(a) Accountability

s8

(b) Processing limitation

s9 - 12

(c) Purpose specification

s13 - 14

(d) Further processing limitation

s15

(e) Information quality

s16

(f) Openness

s17- 18

(g) Security safeguards

s19 - 22

(h) Data subject participation

s23 - 25

• •

Exemption from conditions Regulator grants exemption by notice in the Gazette for promotion of the public interest Processing of information by person/body for the purpose protecting members of the public against dishonesty, fraud, etc

• •

Remedies Ito POPI Act

• Lay a complaint with the regulator • Regulator orders investigation • May order corrective steps after consultation with Enforcement Committee • Right of appeal to High Court

Civil remedies

• Claim damages ito law of delict • Not necessary to prove fault • Damages, including aggravated damages

Criminal liability ito of POPI Act

Examples •Interference with Regulator •Breach of confidentiality ito s 54 •Failure to comply with enforcement notices Penalties •Fine, and/or •Imprisonment of 12 months to 10 years •Administrative fines – up to R10million

• •

Transitional arrangements Within 1 year after commencement of s 114 processing of information has to comply with Act On 11 April 2014 ss1, 112 ,113 and part A of chapter 5 came into operation; rest of POPI not yet operational.

Thank you!

Protection of Personal Information Act

Prof A Mukheibir

x