Personal information is essentially any information that identifies a person. But the position is a bit more complicated than that because different laws in South Africa define it to mean different things. In other words, personal information means different things in different contexts. This is bad drafting and law making because it causes confusion. Must the person be alive or can a dead person have personal information? Do only natural persons have personal information or do juristic persons also have it?

The law requires you to do certain things with personal information and there are consequences for failing to do so. It is therefore critical that you know exactly what information is personal.

The Laws that define Personal Information

Personal information is currently defined in various different pieces of legislation (or potential legislation). They are the:

  1. Promotion of Access to Information Act (PAIA);
  2. Electronic Communications and Transactions Act (ECT Act)
  3. Protection of Personal Information Act (PPI Act, POPI)
  4. Protection of State Information Bill (POSI)
  5. Cybercrimes and Cybersecurity Bill (Cybercrimes Bill)

There are various definitions of personal information in South Africa. Prior to POPI, the acts defining it include the ECT Act and PAIA. The ECT Act and PAIA have the same definition, but once POPI commences, POPI will replace the current definitions in PAIA and the ECT Act with a new definition. But that new definition will be different to how personal information is defined in POPI. The Cybercrimes Bill adopts the definition of personal information in POPI. Sorry, I know this is confusing. Blame Parliament.

POPI, the Cybercrimes Bill and Personal Information

POPI and the Cybercrimes Bill define it to mean “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

b) information relating to the education or the medical, financial, criminal or employment history of the person;

c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person

d) the biometric information of the person;

e) the personal opinions, views or preferences of the person;

f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

g) the views or opinions of another individual about the person; and

h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”

Sub-clauses a) to h) are simply examples. The important bit is the beginning.

PAIA, the ECT Act and Personal Information

Once POPI (especially section 110 (Amendment of laws)) commences, PAIA and the ECT Act will define it to mean “information relating to an identifiable natural person, including, but not limited to—

a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

b) information relating to the education or the medical, financial, criminal or employment history of the person;

c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person;

d) the biometric information of the person;

e) the personal opinions, views or preferences of the person;

f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

g) the views or opinions of another individual about the person; and

h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,

but excludes information about an individual who has been dead for more than 20 years.”

Meeting your Legal Responsibilities

We can help you to meet your legal responsibilities regards the personal information you store and process. Sometimes you must protect it and sometimes you must give access to it. We can also help you to focus on particular types of personal information. Within the POPI Act, there are the smaller categories of special personal information, information that identifies children and account numbers.