What is the law regarding data privacy in South Africa?
In our law, the right to privacy is protected by the common law and by section 14 of the Constitution of South Africa 1996. In both instances, the right to privacy is limited, and proving an infringement will most probably be fairly difficult. There is also established case law on:
- bodily privacy,
- the privacy of communications and
- territorial privacy.
Overview of POPI
POPI recognises the right to privacy enshrined in the Constitution and gives effect to this right through mandatory procedures and mechanisms for the handling and processing of personal information. POPI is in line with current international trends and laws on privacy. ‘Processing’ is widely defined in POPI; it includes the ‘collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of personal information.’
POPI develops eight information protection principles to govern the processing of personal information. There are specific provisions for the processing of cross-border flows of data (see section 72 of POPI). The need for an Information Regulator to enforce the provisions of POPI has also been recognised, and provision is made for penalties and offences in certain instances.
The eight POPI Principles
People often provide information for one reason and do not realise that it may be used for other purposes as well. Therefore POPI prescribes eight specific principles for the lawful processing and use of personal information.
In a nutshell, the POPI principles are:
- The processing of information is limited, which means that personal information must be obtained in a lawful and fair manner.
- The information can only be used for the specified purpose it was originally obtained for.
- The Act limits the further processing of personal information. If the processing takes place for purposes beyond the original scope that was agreed to by the data subject, the processing is prohibited.
- The person who processes the information must ensure the quality of the information by taking reasonable steps to ensure that the information is complete, not misleading, up to date and accurate.
- The person processing the personal information should have a degree of openness. The data subject and the Information Regulator must be notified that data is being processed.
- The person processing data must ensure that proper security safeguards and measures against loss, damage, destruction and unauthorised or unlawful access to or processing of the information have been put in place.
- The data subject must be able to participate. The data subject must be able to access the personal information that a responsible party has on them and must be able to correct the information.
- The person processing the data is accountable for ensuring that the measures that give effect to these principles are complied with when processing personal information.
The introduction of these defined principles will limit the processing of personal information to a very large extent, subject to the exclusions provided for in the Act.
Cross Border Data Flows and Data Privacy
The electronic flow of data across borders has led to a concern that data protection legislation will simply be circumvented by the transfer of personal information to countries where privacy-protecting legislation does not apply and where information will be processed without any hindrance.
POPI only limits the processing of personal information across borders to specific circumstances in section 72. In essence, the country where the information will be processed or the recipient of the information must be subject to rules or regulations effectively similar to the principles stated in POPI. This can be done by means of legislation or a personal contractual relationship between the parties. In countries where no such rules or regulations exist, for example in most African countries, the parties will enter into an agreement, in line with the principles of POPI, outlining the duties of the party processing or receiving the information in the country without data protection legislation. A party’s prior consent to the cross-border transfer of its personal information may also be obtained.
Offences and Penalties regarding Data Privacy
POPI, the newest piece of data privacy legislation, established the Information Regulator, a supervisory body. Part A of Chapter 5 of POPI has 17 sections (sections 39-54) that relate to all aspects of this new body.
The offences and penalties in POPI are directed against the hindering and obstruction of the Information Regulator in the execution of its obligations and duties. A person convicted of this offence will be subject to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and imprisonment.
The regulation of the collection, use, and processing of personal information through legislation is an internationally accepted practice. Not only will individuals and organisations in the private sector gain from data privacy legislation, but it is also important for trade, as concerns around information privacy can create barriers to international trade.