In Black Sash Trust v Minister of Social Development, the Constitutional Court agreed with the Information Regulator that data subjects own their personal information and that a responsible party cannot transfer the data subject’s personal information to another party. The Court ruled that the South African Social Security Agency (SASSA) must only use personal information to process monthly social grant payments to its beneficiaries. The Court ordered that the contract between SASSA and Cash Paymaster Services (CPS) must contain safeguards to protect grant beneficiaries’ personal information.

Who should care about this judgment and why?

  • Responsible parties, public or private bodies, because you have to process personal information responsibly and only for a specific purpose.
  • Operators that process on behalf of a responsible party because you may only process as authorised by a responsible party and for a specific purpose.
  • SASSA because they must only use grant beneficiaries’ personal data to process monthly social grant payments.
  • Anyone entering into a data processing agreement (DPA) because the judgment outlines what needs to be in a DPA between a responsible party and a controller.
  • Social grant beneficiaries because they need to know they own their personal information and that others must protect it from misuse.

What could you do about it?

  1. Gain more insight about the information regulator by reading this post by Michalsons.
  2. Dive into the detail by reading the full judgment.
  3. Get an overview of the judgment by reading the Constitutional Court’s explanatory note.
  4. Access all judgments relating to data protection by joining a Michalsons programme.

Our insights on the judgment

The regulator‘s main interest in this matter concerns the protection of the personal information of social grant beneficiaries. The regulator only opposed one aspect of Black Sash‘s application which was detailed in the Notice of Motion. In paragraphs 5(b) and 11(b) of the Notice of Motion Black Sash requested an order for the court to declare that personal information of grant beneficiaries become SASSA’s property was against the principles of POPIA. On the application papers alone, it was clear that although POPIA is yet to commence, the Court adopted the regulator’s interpretations of a “data subject” and “personal information”.

The court agreed with the regulator that Black Sash’s request (for an order declaring personal information of grant beneficiaries as SASSA’s property) was flawed. The paragraphs were removed from Black Sash’s final application papers adding weight to the notion that data subjects own their personal information and that a responsible party cannot transfer the data subject’s personal information to another party.

The Court supported the regulator’s strategic goal of eliminating barriers to data protection and access to information. It also lays the foundation for data subjects to challenge any organisation that fails to protect their personal information.

When they process personal information for one purpose, they cannot use it for any other purpose. They have to stay in their lane when they process personal information. They also cannot share personal information with anyone else.

Digest

This judgment primarily deals with SASSA’s ability to pay grant beneficiaries across the country in a lawful manner. As part of a previous contract, SASSA outsourced the monthly social grant payments process to CPS.

Black Sash approached the Constitutional Court in the public interest and asked the Court to declare that any contract between SASSA and CPS must provide that the personal information of grant beneficiaries becomes the property of SASSA.

The Regulator opposed Black Sash’s request on the ground that there was no basis in law to divest social grant beneficiaries of ownership of their personal information and vest the ownership upon SASSA. Therefore, the Court held that social grant beneficiaries own their personal information.

Order

The Court ordered SASSA to ensure that the contract with CPS:

  • includes adequate safeguards to ensure that personal data obtained during the payment process remains private; and
  • outlines measures to ensure that CPS will use personal information to process grant payments only; and
  • prevents anyone from inviting beneficiaries to “opt-in” to share confidential information to market goods and services.

Details of Black Sash Trust v Minister of Social Development

  • Universal citation: [2018] ZACC 36
  • Also reported at 2017 (3) SA 335 (CC); 2018 (12) BCLR 1472 (CC)
  • Full name: Black Sash Trust v Minister of Social Development And Others (Freedom Under Law Intervening)

Please note: Whilst this judgment addresses several constitutional issues our insights focus on the privacy and data protection aspects as dealt with by the Court. The summary of this judgment is not intended for a general audience and is specifically drafted for the members of the Michalsons Data Protection programme.