Personal information is essentially any information that identifies a person. But the position is a bit more complicated than that because different laws in South Africa define it to mean different things. In other words, personal information means different things in different contexts. This is bad drafting and law making because it causes confusion. Must the person be alive or can a dead person have personal information? Do only natural persons have personal information or do juristic persons also have it?
The law requires you to do certain things with personal information and there are consequences for failing to do so. It is therefore critical that you know exactly what information is personal.
The laws that define personal information
Personal information is currently defined in various different pieces of legislation (or potential legislation). They are the:
- Promotion of Access to Information Act (PAIA);
- Electronic Communications and Transactions Act (ECT Act)
- Protection of Personal Information Act (PPI Act, POPIA)
- Protection of State Information Bill (POSI)
- Cybercrimes Bill
There are various definitions of personal information in South Africa. Prior to POPIA, the acts defining it include the ECT Act and PAIA. The ECT Act and PAIA have the same definition, but once POPIA commences, POPIA will replace the current definitions in PAIA and the ECT Act with a new definition. But that new definition will be different to how personal information is defined in POPIA. The Cybercrimes Bill adopts the definition of personal information in POPIA.
Sorry, I know this is confusing. Blame Parliament.
POPIA, the Cybercrimes Bill and Personal Information
POPIA and the Cybercrimes Bill define it to mean “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
b) information relating to the education or the medical, financial, criminal or employment history of the person;
c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person
d) the biometric information of the person;
e) the personal opinions, views or preferences of the person;
f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g) the views or opinions of another individual about the person; and
h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
Sub-clauses a) to h) are simply examples. The important bit is the beginning.
What is the personal information of a juristic person?
Personal information includes “information relating to …Â where it is applicable, an identifiable, existing juristic person”. A juristic person includes a company, trust, CC or SOC. Examples of where it is applicable include:
a) information relating to the ownership (for example black owned) and age (for example been registered for ten years);
b) information relating to the financial or criminal history of the person;
c) any identifying number (for example, its registration number), symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
e) the personal opinions, views or preferences of the person;
f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g) the views or opinions of another individual about the person; and
h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
A responsible party also needs to comply with POPIA when they process the personal information of juristic persons. Juristic persons can be customers, suppliers or partners. For example, BBBEE credentials could relate to ownership. How much a responsible party has paid an identifiable supplier over the years could be its financial history. We will only know for sure what is a juristic person’s personal information when the regulator or a court gives us guidance.
Remember that POPIA does not say you can’t process or share personal information, it just sets some conditions to do it lawfully.
PAIA, the ECT Act and Personal Information
Once POPIA (especially section 110 (Amendment of laws)) commences, PAIA and the ECT Act will define it to mean “information relating to an identifiable natural person, including, but not limited to—
a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
b) information relating to the education or the medical, financial, criminal or employment history of the person;
c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person;
d) the biometric information of the person;
e) the personal opinions, views or preferences of the person;
f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g) the views or opinions of another individual about the person; and
h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,
but excludes information about an individual who has been dead for more than 20 years.”
Meeting your legal responsibilities
We can help you to meet your legal responsibilities regards the personal information you store and process. Sometimes you must protect it and sometimes you must give access to it. We can also help you to focus on particular types of personal information. Within the POPI Act, there are the smaller categories of special personal information, information that identifies children and account numbers.
