POPI-local-government - Centre for Law in Action (CLA)

Protection of Personal
Information Act
Prof A Mukheibir
Constitution of the Republic of South
Africa, 1996
S 14 of the Bill of Rights
Everyone has the right to privacy, which
includes the right not to have their person or
home searched; their property searched;
their possessions seized; or the privacy of
their communications infringed
Right to privacy prior to advent of
Constitution
• Protected in terms of common law of
delict
• Infringement - patrimonial or non-patrimonial loss
• Claim compensation for damage arising
from infringement of this right in terms of
a delictual action
• Law of delict remains available
Protection of Personal Information Act
(POPI)
• Enacted to give effect to section 14 of the Bill
of Rights
• To provide protection against the unlawful
collection, dissemination & use of personal
information
• To balance the right to privacy with the
constitutional values of democracy and
openness & facilitate the free flow of
information
Purpose of POPI
• Give effect to right to privacy
• Regulate manner in which personal
information is processed
• Provide rights and remedies for protection of
personal information
• Establish voluntary and compulsory
measures to
• ensure respect for rights;
• promote rights
• enforce and fulfill rights
Exemptions
POPI Act not applicable to
• Info used for personal/household activity
• Information that has been “de-identified”
• Information collected for national security
• Information collected for purpose of combatting
crime
• Information collected solely for the purpose of
journalistic, literary or artistic – reconciliation of
right to privacy with right to freedom of expression
data subject: “person to whom information relates”
operator: “person who processes information for a responsible party”
responsible party: Public or private body … determining purpose &
means of processing personal information
“public body” means—
(a) any department of state or
administration in the national or
provincial sphere of government or
any municipality in the local sphere
of government; or
(b) any other functionary or institution
when—
(i) exercising a power or performing a
duty in terms of the Constitution or a
provincial constitution; or
(ii) exercising a public power or
performing a public function in terms
of any legislation
data subject: “person to whom information relates”
operator: “person who processes information for a responsible party”
rights and duties: relate to processing of personal information
personal information
information relating to an identifiable, living,
natural person, and where it is applicable, an
identifiable, existing juristic person,
including, but not limited to—
a) information relating to the race, gender, sex,
pregnancy, marital status, national, ethnic or social
origin, colour, sexual orientation, age, physical or
mental health, well-being, disability, religion,
conscience, belief, culture, language and birth of the
person;
b) information relating to the education or the
medical, financial, criminal or employment
history of the person;
c) any identifying number, symbol, e-mail
address, physical address, telephone
number, location information, online identifier
or other particular assignment to the person;
d) the biometric information of the person;
e) the personal opinions, views or preferences
of the person;
f) correspondence sent by the person that is
implicitly or explicitly of a private or
confidential nature or further correspondence
that would reveal the contents of the original
correspondence;
g) the views or opinions of another individual
about the person; and
h) the name of the person if it appears with
other personal information relating to the
person or if the disclosure of the name itself
would reveal information about the person
Special personal information
(a) religious or philosophical beliefs, race or ethnic
origin, trade union membership, political
persuasion, health or sex life or biometric
information of a data subject; or
(b) the criminal behaviour of a data subject relating to
(i) the alleged commission by a data subject of any
offence; or (ii) any proceedings in respect of any
offence allegedly committed by a data subject or
the disposal of such proceedings
Processing prohibited subject to s 27
processing – “any operation or activity or
any set of operations, whether or not by
automatic means, concerning personal
information, including—
(a) the collection, receipt, recording, organisation,
collation, storage, updating or modification, retrieval,
alteration, consultation or use;
(b) dissemination by means of transmission, distribution
or making available in any other form; or
(c) merging, linking, as well as restriction, degradation,
erasure or destruction of information;”
Rights of data subjects
The right to have personal information
processed in accordance with the conditions for
the lawful processing of personal information
Rights include the following
• Notification of the following
• Collection of personal information
• Unauthorized access
Rights of data subjects (cont)
• To be informed if responsible party holds
personal information
• Access to personal information held by
responsible party
• Correction, deletion or destruction of personal
information
• Object to processing of personal information
(on reasonable grounds)
• Object to use of info for direct marketing
• Institution of remedies
Conditions for the lawful processing of
personal information
(a) Accountability
(b) Processing limitation
(c) Purpose specification
(d) Further processing limitation
(e) Information quality
(f) Openness
(g) Security safeguards
(h) Data subject participation
Conditions for the lawful processing of
personal information
(a) Accountability s 8
(b) Processing limitation ss 9-12
(c) Purpose specification ss 13-14
(d) Further processing limitation s 15
(e) Information quality s 16
(f) Openness ss 17-18
(g) Security safeguards ss 19-22
(h) Data subject participation ss 23-25
Exemption from conditions
• Regulator grants exemption by notice in
the Gazette for promotion of the public
interest
• Processing of information by
person/body for the purpose of protecting
members of the public against
dishonesty, fraud, etc
Remedies
• In terms of POPI Act
• Lay a complaint with the regulator
• Regulator orders investigation
• May order corrective steps after
consultation with Enforcement Committee
• Right of appeal to High Court
• Civil remedies
• Claim damages in terms of law of delict
• Not necessary to prove fault
• Damages, including aggravated damages
Criminal liability in terms of POPI Act
Examples
• Interference with Regulator
• Breach of confidentiality in terms of s 54
• Failure to comply with enforcement notices
Penalties
• Fine, and/or
• Imprisonment of 12 months to 10 years
• Administrative fines – up to R10 million
Transitional arrangements
• Within 1 year after commencement of s
114 processing of information has to
comply with Act
• On 11 April 2014 ss 1, 112, 113 and part A
of chapter 5 came into operation; rest of
POPI not yet operational.
Thank you!