What does the law say about data privacy or data protection in South Africa? Does South Africa have a Data Protection Act? Under South African law, the right to privacy is protected by the common law and by section 14 of the Constitution of South Africa 1996. In both instances the right to privacy is limited, and proving an infringement is fairly difficult. There is also established case law on:
- bodily privacy,
- the privacy of communications, and
- territorial privacy.
The Protection of Personal Information Act (called the POPI Act or POPIA) brings an end to the uncertainty surrounding the processing of personal information. POPIA is essentially the South African Data Protection Act.
Overview of the POPI Act
The POPI Act recognises the right to privacy enshrined in the Constitution and gives effect to this right through mandatory procedures and mechanisms for the handling and processing of personal information. The POPI Act is in line with current international trends and laws on privacy. ‘Processing’ is widely defined to include the ‘collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of personal information.’
The POPI Act provides eight information protection principles to govern the processing of personal information. There are specific provisions for:
- direct marketing,
- automated decision making,
- cross-border flows of personal information (see section 72 of the POPI Act).
The need for an Information Regulator to enforce the provisions of the POPI Act has also been recognised, and provision is made for penalties and offences in certain instances.
The eight principles
People often provide their personal information for a specific reason but do not realise that it may be used for other purposes as well. POPIA therefore prescribes eight specific principles for the lawful processing and use of personal information. In a nutshell, the POPIA principles are:
- processing of information is limited, which means that personal information must be obtained in a lawful and fair manner.
- information can only be used for the specified purpose for which it was originally obtained.
- the POPI Act limits the further processing of personal information. If processing takes place for purposes beyond the original scope that was agreed to by the data subject, the processing is prohibited.
- the person who processes the information must ensure the quality of the information by taking reasonable steps to ensure that the information is complete, not misleading, up to date, and accurate.
- the person processing personal information should have a degree of openness. The data subject and the Information Regulator must be notified that data is being processed.
- the person processing data must ensure that proper security safeguards and measures against loss, damage, destruction, and unauthorised or unlawful access or processing of the information have been put in place.
- the data subject must be able to participate. The data subject must be able to access the personal information that a responsible party has on them and must be able to correct the information.
- the person processing the data is accountable to ensure that the measures that give effect to these principles are complied with when processing personal information.
The introduction of these defined principles will limit the processing of personal information to a very large extent, subject to the exclusions provided for in the POPI Act.
Cross-Border data flows and data privacy
The electronic flow of data across borders has led to a concern that data protection legislation will simply be circumvented by transferring personal information to countries where privacy-protecting legislation does not apply and where the information can be processed without any hindrance.
POPIA only permits the transfer of personal information across borders under the specific circumstances set out in section 72. In essence, the country where the information will be processed, or the recipient of the information, must be subject to rules or regulations effectively similar to the principles stated in POPIA. This can be achieved by means of legislation or a contractual relationship between the parties. In countries where no such rules or regulations exist, for example in most African countries, the parties can enter into an agreement, in line with the principles of POPIA, outlining the duties of the party processing or receiving the information in the country without data protection legislation. A party’s prior consent to a cross-border transfer of its personal information may also be obtained.
Offences and penalties regarding data privacy in South Africa
The POPI Act established the Information Regulator, South Africa’s supervisory authority. Part A of Chapter 5 of POPIA has 17 sections (sections 39 to 54) that relate to all aspects of this new body.
The offences and penalties in POPIA are quite limited. For example, there is one directed against hindering or obstructing the Information Regulator in the execution of its obligations and duties. Another important one is failing to protect an account number. A person convicted of these offences is liable to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and imprisonment.
Conclusion regarding data protection in South Africa
The regulation of the collection, use, and processing of personal information through legislation is an internationally accepted practice. Not only do individuals and organisations in the private sector stand to gain from the introduction of data privacy legislation or a data protection Act, but it is also important for trade, as concerns around information privacy can create barriers to international trade.