ACT

To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.

PREAMBLE

RECOGNISING THAT—

  • section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
  • the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
  • the State must respect, protect, promote and fulfil the rights in the Bill of Rights;

AND BEARING IN MIND THAT—

  • consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;

AND IN ORDER TO—

  • regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,

PARLIAMENT of the Republic of South Africa therefore enacts, as follows:—

Section 2 Purpose of Act

The purpose of this Act is to —

  1. give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
    1. balancing the right to privacy against other rights, particularly the right of access to information; and
    2. protecting important interests, including the free flow of information within the Republic and across international borders;
  2. regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
  3. provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
  4. establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

Section 5 Rights of data subjects

  1. A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—
    1. to be notified that—
      1. personal information about him, her or it is being collected as provided for in terms of section 18; or
      2. his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
    2. to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
    3. to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
    4. to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
    5. to object to the processing of his, her or its personal information—
      1. at any time for purposes of direct marketing in terms of section 11(3)(b); or
      2. in terms of section 69(3)(c);
    6. not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
    7. not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
    8. to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
    9. to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.

Section 11 Consent, justification and objection

  1. Personal information may only be processed if—
    1. the data subject or a competent person where the data subject is a child consents to the processing;
    2. processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    3. processing complies with an obligation imposed by law on the responsible party;
    4. processing protects a legitimate interest of the data subject;
    5. processing is necessary for the proper performance of a public law duty by a public body; or
    6. processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
    1. The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
    2. The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
  2. A data subject may object, at any time, to the processing of personal information—
    1. in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
    2. for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.
  3. If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.

Section 18 Notification to data subject when collecting personal information

  1. If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—
    1. the information being collected and where the information is not collected from the data subject, the source from which it is collected;
    2. the name and address of the responsible party;
    3. the purpose for which the information is being collected;
    4. whether or not the supply of the information by that data subject is voluntary or mandatory;
    5. the consequences of failure to provide the information;
    6. any particular law authorising or requiring the collection of the information;
    7. the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
    8. any further information such as the—
      1. recipient or category of recipients of the information;
      2. nature or category of the information;
      3. existence of the right of access to and the right to rectify the information collected;
      4. existence of the right to object to the processing of personal information as referred to in section 11(3); and
      5. right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
  2. The steps referred to in subsection (1) must be taken—
    1. if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
    2. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
  3. A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.
  4. It is not necessary for a responsible party to comply with subsection (1) if—
    1. the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
    2. non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
    3. non-compliance is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
      4. in the interests of national security;
    4. compliance would prejudice a lawful purpose of the collection;
    5. compliance is not reasonably practicable in the circumstances of the particular case; or
    6. the information will—
      1. not be used in a form in which the data subject may be identified; or
      2. be used for historical, statistical or research purposes.

Section 22 Notification of security compromises

  1. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
    1. the Regulator; and
    2. subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
  2. The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
  3. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
  4. The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
    1. Mailed to the data subject’s last known physical or postal address;
    2. sent by e-mail to the data subject’s last known e-mail address;
    3. placed in a prominent position on the website of the responsible party;
    4. published in the news media; or
    5. as may be directed by the Regulator.
  5. The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
    1. a description of the possible consequences of the security compromise;
    2. a description of the measures that the responsible party intends to take or has taken to address the security compromise;
    3. a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
    4. if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
  6. The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

Section 23 Access to personal information

  1. A data subject, having provided adequate proof of identity, has the right to—
    1. request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
    2. request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
      1. within a reasonable time;
      2. at a prescribed fee, if any;
      3. in a reasonable manner and format; and
      4. in a form that is generally understandable.
  2. If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.
  3. If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1)(b) to enable the responsible party to respond to a request, the responsible party—
    1. must give the applicant a written estimate of the fee before providing the services; and
    2. may require the applicant to pay a deposit for all or part of the fee.
  4. A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.
  5. The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
  6. If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.

Section 24 Correction of personal information

  1. A data subject may, in the prescribed manner, request a responsible party to—
    1. correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
    2. destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
  2. On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable
    1. correct the information;
    2. destroy or delete the information;
    3. provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
    4. where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
  3. If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
  4. The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.