Written by Natasha du Preez
31 May 2023
The Protection of Personal Information Act 4 of 2013, otherwise known as POPI (hereafter referred to as “the POPI Act”), was recently promulgated and emphasised in its totality, leaving many South Africans in a state of confusion regarding the precise meaning of “processing of personal information” as referred to in the act. Even though the terms “processing” and “personal information” are widely defined depending on the context, they have very specific meanings within the POPI Act, which was likely the reason for some of the ambiguity surrounding these terms.
This article will evaluate and explain the terms “processing” and “personal information” in the context of the POPI Act and further elaborate on what type of information is considered “personal information” of a living, natural person and an existing entity or juristic person.
WHAT IS THE PURPOSE OF THE POPI ACT?
The POPI Act is a legislative act in terms of data privacy law that essentially attempts to balance the interests of the individual with the interests of society as a collective group by:
- Recognising and addressing the growing societal need for transparency, which ensures democratic, economic, and social progression in relation to the free flow of information whilst simultaneously upholding and promoting the fundamental right to privacy as promulgated in Section 14 of the Constitution of the Republic of South Africa.
- Promoting not only responsibility but also the accountability of natural persons and juristic persons when it comes to the processing of personal information of individuals by attaching heavy sanctions and penalties as a consequence of non-compliance.
WHEN DID THE POPI ACT COME INTO FULL LEGAL FORCE?
The POPI Act was signed into Parliament in November 2013, with only a few sections of the Act being operative at the time and the remainder coming into full effect on 1 July 2020. The Act became fully enforceable with full compliance and mandatory provisions for all natural and juristic persons on 1 July 2021.
TO WHOM DOES THE POPI ACT APPLY?
The POPI Act applies to any natural person and any juristic person or organisation who acts as a “data controller”, referred to by the Act as “a responsible party”, domiciled inside or outside the Republic of South Africa, that utilises equipment within the Republic of South Africa to engage in the processing of personal information belonging to another person by either automated or non-automated means.
WHAT DOES “PROCESSING” WITH REGARD TO PERSONAL INFORMATION MEAN?
“Processing” is a term that is widely defined to include many actions depending on its context; however, in relation to the processing of personal information, the word can be described as a set of operations or activities that include:
- The receipt, collection, retention, collation, organisation, modification, retrieval, recording, updating, and alteration of personal information.
- The restriction, destruction, erasure, blocking, merging, degradation, and linking of personal information.
- The use, distribution, dissemination (by means of transmission), and the making available of personal information to third parties.
WHAT CLASSIFIES AS “PERSONAL INFORMATION” IN RELATION TO THE POPI ACT?
“Personal information” is defined in the POPI Act as “information relating to an identifiable, living, natural person and, where it is applicable, an identifiable, existing juristic person”.
The above definition clearly indicates that both living, natural persons and existing entities or juristic persons enjoy the protection offered by the POPI Act. It further indicates that for information to be regarded as “personal information” by the POPI Act, the information being processed by the “responsible party” must “directly relate” to the natural or juristic person, simply meaning that the data being processed:
- must have a certain outcome in relation to that natural person or juristic person; or
- has a specific purpose in relation to that natural person or juristic person; or
- contains specific contents relating to that natural person or juristic person whose information is being processed.
The definition also requires that the information being processed must be “identifiable” to be classified as “personal information”. This means that distinguishable features relating to that natural person or juristic person must be able to be identified by processing their personal information.
WHICH DETAILS CAN BE CLASSIFIED AS THE “PERSONAL INFORMATION” OF AN INDIVIDUAL?
The POPI Act describes “sensitive information” as the personal information of a person relating to the following:
- Race
- Marital status
- Medical History
- Religious beliefs
- Sexual orientation
- Gender
- Sex
- Residential Address
- Work Address
Furthermore, the POPI Act categorises the following information as “identifiable information”, which is personal information about a person that can be used to identify that individual, such as:
- Name
- Identity number
- Passport number
- Licence plate number
- Telephone number
- Email address
The POPI Act further stipulates that an individual’s personal information can also include “information relating to the person”, such as the following:
- Criminal convictions
- Age
- Date of birth
- Financial information
- Salary information
- Educational background
- Employment History
- Photographs of the person (taken with or without consent)
- Video recordings of the person (taken with or without consent)
- Voice recordings of the person (taken with or without consent)
Understanding the terms “processing” and “personal information” as they relate to this act is vital when it comes to successfully utilising the rights outlined in the POPI Act to help individuals and juristic entities avoid falling victim to the unlawful processing of their own personal information. A firm grasp of these terms and adherence to the POPI Act is also crucial if an existing entity or juristic person aims to educate staff and put protective measures in place in an effort to avoid becoming the offending party who is unlawfully and potentially unknowingly processing the personal information of another individual.
It is also important to emphasise that it is each South African’s duty, as a citizen of our country, to ensure that they are fully aware of the laws that apply to them. The legal principle “ignorantia legis neminem excusat”, which means “ignorance of law excuses no one”, underlines the responsibility of every natural person to familiarise themselves with the provisions of the law to ensure that their actions are aligned with such legislation.
If you are uncertain of whether your or someone else’s personal information is being treated in accordance with the relevant laws, or if you want to ensure that you or your company is treating someone’s personal information in accordance with the relevant laws, it is best to seek advice from a legal professional.
Contact Burger Huyser Attorneys’ civil law specialists for assistance with protecting your personal information or to safeguard yourself or your company against breaking any data privacy laws.
DISCLAIMER: Information provided in this article does not, and is not intended to constitute legal advice.