A Summary of the Requirements to process Personal Information
Article written by Jarrod van der Heever, Candidate Attorney, checked and released by Justin Sloane, Partner at Schindlers Attorneys
04 June 2021
The Protection of Personal Information Act 4 of 2013 (“POPIA”) regulates the manner in which personal information is processed. Chapter 3 (sections 8 – 25) of POPIA sets out the 8 conditions which must be complied with for the lawful processing of personal information. This article provides an overview of these 8 conditions. In this article “data subject” means the person or organisation to whom the personal information relates, and “responsible party” means any person or organisation which, alone or together with others, determines the purpose of and means for processing personal information.
What is “Processing” of Personal Information?
POPIA applies to the “processing” of personal information. Processing includes, but is not limited to, the collection, receipt, recording, organisation, collating, storage, updating, modification, dissemination, merging, linking, erasure, or destruction of personal information.
Condition 1: Accountability (Section 8 POPIA)
The first condition which must be complied with is Accountability. Section 8 provides that the responsible party must ensure that the conditions contained in Chapter 3 of POPIA, and all the measures that give effect to those conditions, are complied with both when the purpose and means of processing are determined and during the processing itself.
Condition 2: Processing Limitation (Sections 9 – 12 of POPIA)
The second condition provides for a processing limitation. Section 9 requires that personal information be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Section 10 provides for minimality and requires that personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive. What is adequate, relevant and not excessive will depend on the circumstances of each case.
Section 11 states that personal information may only be processed if:
(i) the data subject consents to the processing;
(ii) the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
(iii) the processing complies with an obligation imposed by law on the responsible party;
(iv) the processing protects a legitimate interest of the data subject;
(v) the processing is necessary for the proper performance of a public law duty by a public body; or
(vi) the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Section 11 allows a data subject to withdraw their consent at any time, although the withdrawal does not affect the lawfulness of processing that took place before it. A data subject may also object, on reasonable grounds relating to their particular situation, to processing carried out on the grounds in (iv) to (vi) above (unless legislation provides for the processing), and may object at any time to processing for the purposes of direct marketing. Once a data subject has objected, the responsible party may no longer process that personal information.
Section 12 of POPIA provides that personal information must be collected directly from the data subject unless an exception applies. The exceptions include, but are not limited to, where the information is contained in or derived from a public record or has deliberately been made public by the data subject, where the data subject has consented to collection from another source, where collection from another source would not prejudice a legitimate interest of the data subject, where collection from another source is necessary in the interests of national security or the maintenance of law, and where compliance would prejudice the lawful purpose of the collection or is not reasonably practicable in the circumstances.
Condition 3: Purpose Specification (Sections 13 – 14 of POPIA)
The third condition provides for purpose specification. Section 13 states that personal information must be processed for a specific, and explicitly defined and lawful purpose.
Section 14 provides that records of personal information must not be retained for longer than is necessary to achieve the purpose for which the information was collected or subsequently processed, unless an exception applies. Section 14 provides that personal information may be retained if its retention is required or authorised by law, if the responsible party reasonably requires the record for lawful purposes related to its functions or activities, if retention is required by a contract between the parties or if the data subject (or a competent person where the data subject is a child) has consented to the retention.
The responsible party must destroy or delete the record, or de-identify it, as soon as reasonably practicable after it is no longer authorised to retain the record. The destruction or deletion must be done in a manner which prevents its reconstruction in an intelligible form. Section 14 also provides that processing of personal information must be restricted if:
(i) the personal information’s accuracy is contested;
(ii) the information is no longer needed for the purposes for which it was collected or processed, but the information has to be maintained for purposes of proof;
(iii) the processing is unlawful and the data subject objects to its destruction or deletion and requests restriction of its use instead; or
(iv) the data subject requests to transmit the data into another automated processing system.
Condition 4: Further Processing Limitation (Section 15 of POPIA)
The fourth condition places a restriction on the further processing of personal information. Section 15 requires that any further processing be in accordance with, or compatible with, the purpose for which the information was originally collected in terms of section 13 above. Section 15 also provides that further processing is permitted for a number of reasons, including but not limited to, the following:
(i) the data subject consents to further processing;
(ii) the information is derived from a public record; or
(iii) further processing is necessary to prevent or mitigate a serious and imminent threat to public health or public safety or to the life or health of the data subject or another individual.
Condition 5: Information Quality (Section 16 of POPIA)
The fifth condition provides for information quality. Section 16 states that the responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which it is collected or further processed.
Condition 6: Openness (Sections 17 – 18 of POPIA)
The sixth condition provides for openness. Section 17 states that the responsible party must maintain the documentation of all processing operations under its responsibility.
Section 18 places the obligation on the responsible party to ensure the data subject is aware of, inter alia, the following:
(i) the information being collected or where the information is collected from elsewhere, the source from which it is collected;
(ii) the name and address of the responsible party;
(iii) the purpose for which the information is collected;
(iv) whether the supply of the information is mandatory or voluntary;
(v) any law authorising or requiring the collection of the information; and
(vi) whether the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that country or international organisation.
The notification must be provided where information is collected directly from the data subject before it is collected. If the information is collected from another source the notification must be provided either prior to collection or as soon as practicable after collection.
Condition 7: Security Safeguards (Sections 19 – 22 of POPIA)
The seventh condition provides for the security safeguards which must be put in place. Section 19 states that the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of the personal information, and unlawful access to or processing of the information.
To give effect to this, section 19 obliges the responsible party to identify all reasonably foreseeable internal and external risks to the personal information, establish and maintain appropriate safeguards against those risks, regularly verify that the safeguards are effectively implemented and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. In doing so the responsible party must have due regard to generally accepted information security practices and procedures which apply to it generally or are required by specific industry or professional rules.
Section 20 applies where personal information is processed by an operator on the responsible party’s behalf. Such an operator may only process the information with the knowledge or authorisation of the responsible party and must treat the information as confidential, unless required by law or in the course of the proper performance of its duties to disclose it. Section 21 requires the responsible party to ensure, in terms of a written contract, that the operator establishes and maintains the security measures required by section 19 of POPIA, and obliges the operator to notify the responsible party immediately where there are reasonable grounds to believe that the personal information has been accessed or acquired by an unauthorised person.
Section 22 provides for notification of security compromises. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subject (unless the identity of the data subject cannot be established). The notification must be made as soon as reasonably possible after discovery of the compromise, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
Any notification to a data subject in terms of section 22 must be in writing and must contain sufficient information to enable the data subject to take protective measures, including, inter alia, a description of the possible consequences of the security compromise, the measures taken or which the responsible party intends to take to address the compromise, a recommendation with regard to the measures which the data subject may take to mitigate the possible adverse effects and, if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the information.
Condition 8: Data Subject Participation (Section 23 – 25 of POPIA)
The eighth condition provides for access to and correction of personal information, and for the manner in which access is to be requested. Section 23 states that a data subject who has provided adequate proof of identity has the right to request that the responsible party confirm, free of charge, whether or not it holds personal information about the data subject. Section 23 further provides that the data subject may request the record, or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have or have had access to the information.
Section 24 allows a data subject to request the correction or deletion of personal information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or which was obtained unlawfully. A data subject may also request the destruction or deletion of a record of their personal information which the responsible party is no longer authorised to retain in terms of section 14 above.
Section 25 of POPIA provides for the manner of access and states that sections 18 and 53 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) apply to requests made in terms of section 23. Sections 18 and 53 of PAIA provide for a prescribed form which must be completed in order to request access to information and stipulate the particulars which must be contained in such a request.
Whenever your personal information is processed all of the abovementioned conditions must be complied with in order for such processing to comply with POPIA. Should an individual or organisation fail to comply with POPIA their conduct may be reported to the Information Regulator which is the body tasked with ensuring compliance with POPIA.
Non-compliance with POPIA may result in the Information Regulator imposing an administrative fine, and certain contraventions constitute offences punishable by a fine or imprisonment for a period not exceeding 10 years. If you believe your personal information is being processed in contravention of any of the abovementioned conditions, or if you are an organisation that wishes to ensure that its processing of personal information is lawful, please contact our offices, where experienced professionals will be in a position to assist.