How Personal Information Needs to be Handled

Any organisation or person who keeps personal information must take steps to prevent the loss, damage, and unauthorized destruction of the personal information.  In terms of Section 19, they are also required to prevent unlawful access to, or unlawful processing of this personal information.

All risks have to be identified and then safeguards must be established and maintained against these risks.  Regular verification that the safeguards are being effectively implemented is required. Safeguards are to be updated in response to any new risks or identified deficiencies in existing safeguards.

Any person processing personal information on behalf of an employer must have the necessary authorization from the employer to do so.  They must also treat the personal information as confidential and not share this information without the following the required processes. (section 20). The person must have a written contract with their employer in which they are specifically obliged to maintain the integrity and confidentiality of the personal information and to implement the established safeguards against identified risks.

 In terms of Section 21(2), the employee also has an obligation to notify their employer immediately if they believe that there has been a data breach.  

New employment contracts will be required for administrative staff, data capturers and for any employee who deals with personal information, in order to ensure that these requirements are met.

In the event of a breach and personal information has been accessed or acquired by any unauthorized party the responsible party (Information Officer) is required to notify the Information Regulator, and the data subject needs to receive formal notification off this fact. The notification to the data subject must be provided with extreme haste and with sufficient information to allow the subject to protect themselves against the possible consequences of the personal information falling into the wrong hands.

Everyone has the right to enquire as to whether somebody or an entity has their personal information on record. The enquiring party must provide proof of identity and the requested information must be provided to the data subject free of charge.  To establish what this information consists of and whether this information has been disseminated to any third parties, payment may be required.  Access to this information is also subject to the Promotion of Access to Information Act.

Everyone has the right to have their personal information corrected or deleted if it is inaccurate, irrelevant, excessive, dated or misleading, or if it has been obtained unlawfully, or if the responsible party is no longer authorized to retain the information.

Special Personal Information

Section 26 of the POPI Act creates a special category of personal information called “special personal information”. This relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information. Also included in this category is information relating to the alleged commission of any offence or any proceedings in respect of any offence allegedly committed and the outcome of such proceedings. 

Failure to obtain consent makes processing this special personal information strictly prohibited, unless

  • it is necessary by law;
  • or is done for historical, statistical or research purposes;
  • or the information has been deliberately made public by the subject.

There are limited exceptions to the prohibition against the processing of “special personal information”. Details of such exceptions are set out in the Act.

Special rules apply to the processing of personal information of children. (section 35) These rules are set out in the Act.

The Information Regulator has the power to grant exemptions to allow people to process personal information without complying with the Act if the public interest outweighs the subject’s rights of privacy or where there is a clear benefit to the subject. Such exemptions may be granted if specific conditions have been met. Details of such exceptions are set out in the Act.

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013