Protection of Personal Information Act
Prof A Mukheibir

Constitution of the Republic of South Africa, 1996
S 14 of the Bill of Rights
Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.

Right to privacy prior to advent of Constitution
• Protected in terms of common law of delict
• Infringement - patrimonial or non-patrimonial loss
• Claim compensation for damage arising from infringement of this right in terms of a delictual action
• Law of delict remains available

Protection of Personal Information Act (POPI)
• Enacted to give effect to section 14 of the Bill of Rights
• To provide protection against the unlawful collection, dissemination & use of personal information
• To balance the right to privacy with the constitutional values of democracy and openness & facilitate the free flow of information

Purpose of POPI
• Give effect to right to privacy
• Regulate manner in which personal information is processed
• Provide rights and remedies for protection of personal information
• Establish voluntary and compulsory measures to
  • ensure respect for rights;
  • promote rights
  • enforce and fulfill rights

Exemptions
POPI Act not applicable to
• Info used for personal/household activity
• Information that has been “de-identified”
• Information collected for national security
• Information collected for purpose of combatting crime
• Information collected solely for the purpose of journalistic, literary or artistic – reconciliation of right to privacy with right to freedom of expression

Role players
• data subject: “person to whom information relates”
• operator: “person who processes information for a responsible party”
• responsible party: public or private body … determining purpose & means of processing personal information

“public body” means—
(a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
(b) any other functionary or institution when—
  (i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
  (ii) exercising a public power or performing a public function in terms of any legislation

[Diagram: data subject (“person to whom information relates”), rights; operator (“person who processes information for a responsible party”), duties; both relate to processing of personal information]

personal information
Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Special personal information
(a) religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
(b) the criminal behaviour of a data subject relating to
  (i) the alleged commission by a data subject of any offence; or
  (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceeding
Processing prohibited subject to s 27

processing
“any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;”

Rights of data subjects
The right to have personal information processed in accordance with the conditions for the lawful processing of personal information
Rights include the following
• Notification of the following
  • Collection of personal information
  • Unauthorized access

Rights of data subjects (cont)
• To be informed if responsible party holds personal information
• Access to personal information held by responsible party
• Correction, deletion or destruction of personal information
• Object to processing of personal information (on reasonable grounds)
• Object to use of info for direct marketing
• Institution of remedies

Conditions for the lawful processing of personal information
(a) Accountability s 8
(b) Processing limitation s 9-12
(c) Purpose specification s 13-14
(d) Further processing limitation s 15
(e) Information quality s 16
(f) Openness s 17-18
(g) Security safeguards s 19-22
(h) Data subject participation s 23-25

Exemption from conditions
• Regulator grants exemption by notice in the Gazette for promotion of the public interest
• Processing of information by person/body for the purpose of protecting members of the public against dishonesty, fraud, etc

Remedies
• In terms of POPI Act
  • Lay a complaint with the regulator
  • Regulator orders investigation
  • May order corrective steps after consultation with Enforcement Committee
  • Right of appeal to High Court
• Civil remedies
  • Claim damages in terms of law of delict
  • Not necessary to prove fault
  • Damages, including aggravated damages

Criminal liability in terms of POPI Act
Examples
• Interference with Regulator
• Breach of confidentiality in terms of s 54
• Failure to comply with enforcement notices
Penalties
• Fine, and/or
• Imprisonment of 12 months to 10 years
• Administrative fines – up to R10 million

Transitional arrangements
• Within 1 year after commencement of s 114 processing of information has to comply with Act
• On 11 April 2014 ss 1, 112, 113 and part A of chapter 5 came into operation; rest of POPI not yet operational.

Thank you!