Data protection in South Africa is regulated by the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”); Promotion of Personal Information Act No. 4 of 2013 (“POPI”) and the Electronic Communications Act (“ECT”) No 36 of 2005. Data protection requires a balance between the protection of information, (personal information in this instance) and the provision of information needed for purposes of exercising a right. These laws seek to regulate the collection, processing, furnishing and retention of personal information in a manner that will give effect to the constitutional rights of the requester and the data subject. POPI has the objective of enforcing the Section 14 constitutional right of privacy by protecting against the unlawful collection, dissemination, retention and use of personal information.

Practically, POPI was legislated in response to the advancing modern technology which has made accessing and disseminating personal information much easier. This could have the implication of infringing the constitutional right to privacy. It aims to therefore, protects the dissemination and reckless retention of personal information which may lead to or cause identity thefts, discrimination, the unlawful access of personal information for reasons that might be unjustified and oppressive.

POPI affords data subjects certain rights in respect of the processing of personal information. Data subjects are defined as persons to whom personal information relate and personal information is given a wide definition to encompass information relating to inter alia, the gender, sex, pregnancy, telephone number, marital status, health, education, disability, religion, well-being, the views or information of another individual about that person, the personal views, opinions or preferences of that person. 

POPI prescribes rules on how personal information should be processed. It requires that data subjects should be notified that personal information about them is being collected or that their personal information has been accessed or acquired by an unauthorised source. It further enables them to object to the processing of personal information for, inter alia, purposes of direct marketing and not to have their personal information.

Section 11 of POPI provides that personal information may only be processed if, inter alia, the data subject consents to the processing of information. Personal information may only be collected for a specific, explicitly defined and lawful purpose which is related to a function or activity of the responsible party. A responsible party may not process more information that what is needed to achieve the objective for which the information was collected. A responsible party must destroy personal information as soon as reasonably practicable after the information is no longer needed for purposes which it was collected.

An alarming number of consumers are not aware of their rights and protection afforded by POPI, specifically in instances of direct marketing. POPI prohibits the processing of personal information for purposes of unsolicited direct marketing without obtaining the consent of the data subject. A responsible party may approach a data subject for purposes of obtaining the required consent only once and if withheld, the responsible party may not request consent again.

Equally so, POPI will have a significant impact on businesses who process personal information, in that it creates the obligation to ensure that they have effective measures to prevent the leak of personal information and in the instance that there is such a leak, that there are effective controls to effectively manage the risks that might arise. A business that does not comply with POPI exposes itself to a maximum administrative fine of R10 million or imprisonment for a period not exceeding 10 years. It is therefore critical that business embrace compliance with POPI, both in relation to their staff, job applicants as well as consumers and other persons whose information comes into their possession in the course of their business.

Author
Laura Sedibe (Candidate Attorney)