Section 2 Purpose of Act

The purpose of this Act is to—

  1. give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
    1. balancing the right to privacy against other rights, particularly the right of access to information; and
    2. protecting important interests, including the free flow of information within the Republic and across international borders;
  2. regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
  3. provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
  4. establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

Section 22 Notification of security compromises

  1. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
    1. the Regulator; and
    2. subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
  2. The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
  3. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
  4. The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
    1. Mailed to the data subject’s last known physical or postal address;
    2. sent by e-mail to the data subject’s last known e-mail address;
    3. placed in a prominent position on the website of the responsible party;
    4. published in the news media; or
    5. as may be directed by the Regulator.
  5. The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
    1. a description of the possible consequences of the security compromise;
    2. a description of the measures that the responsible party intends to take or has taken to address the security compromise;
    3. a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
    4. if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
  6. The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

Section 37 Regulator may exempt processing of personal information

  1. The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that processing is in breach of a condition for the processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that, in the circumstances of the case—
    1. the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or
    2. the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.
  2. The public interest referred to in subsection (1) includes—
    1. the interests of national security;
    2. the prevention, detection and prosecution of offences;
    3. important economic and financial interests of a public body;
    4. fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c);
    5. historical, statistical or research activity; or
    6. the special importance of the interest in freedom of expression.
  3. The Regulator may impose reasonable conditions in respect of any exemption granted under subsection (1).

Section 39 Establishment of Information Regulator

  1. There is hereby established a juristic person to be known as the Information Regulator, which—
    1. has jurisdiction throughout the Republic;
    2. is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice;
    3. must exercise its powers and perform its functions in accordance with this Act and the Promotion of Access to Information Act; and
    4. is accountable to the National Assembly.

Section 40 Powers, duties and functions of Regulator

  1. The powers, duties and functions of the Regulator in terms of this Act are—
    1. to provide education by—
      1. promoting an understanding and acceptance of the conditions for the lawful processing of personal information and of the objects of those conditions;
      2. undertaking educational programmes, for the purpose of promoting the protection of personal information, on the Regulator’s own behalf or in co-operation with other persons or authorities acting on behalf of the Regulator;
      3. making public statements in relation to any matter affecting the protection of the personal information of a data subject or of any class of data subjects;
      4. giving advice to data subjects in the exercise of their rights; and
      5. providing advice, upon request or on its own initiative, to a Minister or a public or private body on their obligations under the provisions, and generally on any matter relevant to the operation, of this Act;
    2. to monitor and enforce compliance by—
      1. public and private bodies with the provisions of this Act;
      2. undertaking research into, and monitoring developments in, information processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information of data subjects are minimised, and reporting to the Minister the results of such research and monitoring;
      3. examining any proposed legislation, including subordinate legislation, or proposed policy of the Government that the Regulator considers may affect the protection of the personal information of data subjects, and reporting to the Minister the results of that examination;
      4. reporting upon request or on its own accord, to Parliament from time to time on any policy matter affecting the protection of the personal information of a data subject, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the personal information of a data subject;
      5. submitting a report to Parliament, within five months of the end of its financial year, on all its activities in terms of this Act during that financial year;
      6. conducting an assessment, on its own initiative or when requested to do so, of a public or private body, in respect of the processing of personal information by that body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information;
      7. monitoring the use of unique identifiers of data subjects, and reporting to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking, legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject;
      8. maintaining, publishing and making available and providing copies of such registers as are prescribed in this Act; and
      9. examining any proposed legislation that makes provision for the—
        1. collection of personal information by any public or private body; or
        2. disclosure of personal information by one public or private body to any other public or private body, or both,

         to have particular regard, in the course of that examination, to the matters set out in section 44(2), in any case where the Regulator considers that the information might be used for the purposes of an information matching programme, and reporting to the Minister and Parliament the results of that examination;
    3. to consult with interested parties by—
      1. receiving and inviting representations from members of the public on any matter affecting the personal information of a data subject;
      2. co-operating on a national and international basis with other persons and bodies concerned with the protection of personal information; and
      3. acting as mediator between opposing parties on any matter that concerns the need for, or the desirability of, action by a responsible party in the interests of the protection of the personal information of a data subject;
    4. to handle complaints by—
      1. receiving and investigating complaints about alleged violations of the protection of personal information of data subjects and reporting to complainants in respect of such complaints;
      2. gathering such information as in the Regulator’s opinion will assist the Regulator in discharging the duties and carrying out the Regulator’s functions under this Act;
      3. attempting to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and
      4. serving any notices in terms of this Act and further promoting the resolution of disputes in accordance with the prescripts of this Act;
    5. to conduct research and to report to Parliament—
      1. from time to time on the desirability of the acceptance, by South Africa, of any international instrument relating to the protection of the personal information of a data subject; and
      2. on any other matter, including necessary legislative amendments, relating to protection of personal information that, in the Regulator’s opinion, should be drawn to Parliament’s attention;
    6. in respect of codes of conduct to—
      1. issue, from time to time, codes of conduct, amend codes and to revoke codes of conduct;
      2. make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct; and
      3. consider afresh, upon application, determinations by adjudicators under approved codes of conduct;
    7. to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation; and
    8. in general to—
      1. do anything incidental or conducive to the performance of any of the preceding functions;
      2. exercise and perform such other functions, powers, and duties as are conferred or imposed on the Regulator by or under this Act or any other legislation;
      3. require the responsible party to disclose to any person affected by a compromise to the integrity or confidentiality of personal information, such compromise in accordance with section 22; and
      4. exercise the powers conferred upon the Regulator by this Act in matters relating to the access of information as provided by the Promotion of Access to Information Act.
  2. The Regulator may, from time to time, in the public interest or in the legitimate interests of any person or body of persons, publish reports relating generally to the exercise of the Regulator’s functions under this Act or to any case or cases investigated by the Regulator, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.
  3. The provisions of sections 3 and 4 of the Commissions Act, 1947 (Act No. 8 of 1947), will apply, with the necessary changes, to the Regulator.
  4. The powers and duties of the Regulator in terms of the Promotion of Access to Information Act are set out in Parts 4 and 5 of that Act.

Section 41 Appointment, term of office and removal of members of Regulator

  1.
    1. The Regulator consists of the following members:
      1. A Chairperson; and
      2. four other persons, as ordinary members of the Regulator.
    2. Members of the Regulator must be appropriately qualified, fit and proper persons—
      1. at least one of whom must be appointed on account of experience as a practising advocate or attorney or a professor of law at a university; and
      2. the remainder of whom must be appointed on account of any other qualifications, expertise and experience relating to the objects of the Regulator.
    3. The Chairperson of the Regulator must be appointed in a full-time capacity and may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which he or she holds office as Chairperson.
    4. The ordinary members of the Regulator must be appointed as follows:
      1. Two ordinary members in a full-time capacity; and
      2. two ordinary members in a full-time or part-time capacity.
    5. The members referred to in paragraph (d) who are appointed in a full-time capacity, may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which they hold office.
    6. The Chairperson must direct the work of the Regulator and the staff of the Regulator.
    7. A person may not be appointed as a member of the Regulator if he or she—
      1. is not a citizen of the Republic;
      2. is a public servant;
      3. is a member of Parliament, any provincial legislature or any municipal council;
      4. is an office-bearer or employee of any political party;
      5. is an unrehabilitated insolvent;
      6. has been declared by a court to be mentally ill or unfit; or
      7. has at any time been convicted, whether in the Republic or elsewhere, of any offence involving dishonesty.
  2.
    1. The Chairperson and the members of the Regulator referred to in subsection (1)(a) must be appointed by the President on the recommendation of the National Assembly, which recommendation must also indicate which ordinary members must be appointed in a full-time or part-time capacity.
    2. The National Assembly must recommend persons—
      1. nominated by a committee of the Assembly composed of members of parties represented in the Assembly; and
      2. approved by the Assembly by a resolution adopted with a supporting vote of a majority of the members of the Assembly.
  3. The members of the Regulator will be appointed for a period of not more than five years and will, at the expiration of such period, be eligible for reappointment.
  4. The Chairperson of the Regulator or a member who has been appointed in a full-time capacity may, notwithstanding the provisions of subsection (1)(c) or (e), only perform or undertake to perform any other remunerative work during the period that he or she holds office as Chairperson or member with the prior written consent of the Minister.
  5. A person appointed as a member of the Regulator may, upon written notice to the President, resign from office.
  6.
    1. A member may be removed from office only on—
      1. the ground of misconduct, incapacity or incompetence;
      2. a finding to that effect by a committee of the National Assembly; and
      3. the adoption by the National Assembly of a resolution calling for that person’s removal from office.
    2. A resolution of the National Assembly concerning the removal from office of a member of the Regulator must be adopted with a supporting vote of a majority of the members of the Assembly.
    3. The President—
      1. may suspend a member from office at any time after the start of the proceedings of a committee of the National Assembly for the removal of that member; and
      2. must remove a member from office upon adoption by the Assembly of the resolution calling for that member’s removal.

Section 42 Vacancies

  1. A vacancy in the Regulator occurs if a member—
    1. becomes subject to a disqualification referred to in section 41(1)(g);
    2. tenders his or her resignation as contemplated in section 41(5) and the resignation takes effect;
    3. is removed from office in terms of section 41(6);
    4. dies; or
    5. becomes permanently incapable of doing his or her work.
  2.
    1. Where a vacancy has arisen as contemplated in subsection (1), the procedure contemplated in section 41(2) applies.
    2. Any member appointed under this subsection holds office for the rest of the period of the predecessor’s term of office, unless the President, upon recommendation by the National Assembly, appoints that member for a longer period which may not exceed five years.

Section 43 Powers, duties and functions of Chairperson and other members

  1. The Chairperson—
    1. must exercise the powers and perform the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act; and
    2. is, for the purposes of exercising the powers and performing the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act, accountable to the Regulator.
  2.
    1. The members referred to in section 41(1)(d)(i) must exercise their powers and perform their duties and functions as follows:
      1. One member in terms of this Act; and
      2. one member in terms of the Promotion of Access to Information Act.
    2. The members referred to in section 41(1)(d)(ii) must exercise their powers and perform their duties and functions either in terms of this Act or the Promotion of Access to Information Act, or both.
    3. The members, referred to in paragraphs (a) and (b), are, for the purposes of exercising their powers and performing their duties and functions, accountable to the Chairperson.

Section 44 Regulator to have regard to certain matters

  1. In the performance of its functions, and the exercise of its powers, under this Act the Regulator must—
    1. have due regard to the conditions for the lawful processing of personal information as referred to in Chapter 3;
    2. have due regard for the protection of all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way;
    3. take account of international obligations accepted by South Africa; and
    4. consider any developing general international guidelines relevant to the better protection of individual privacy.
  2. In performing its functions in terms of section 40(1)(b)(ix)(bb) with regard to information matching programmes, the Regulator must have particular regard to whether or not the—
    1. objective of the programme relates to a matter of significant public importance;
    2. use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable or in other comparable benefits to society;
    3. use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b);
    4. public interest in allowing the programme to proceed outweighs the public interest in adhering to the conditions for the lawful processing of personal information that the programme would otherwise contravene; and
    5. programme involves information matching on a scale that is excessive, having regard to—
      1. the number of responsible parties or operators that will be involved in the programme; and
      2. the amount of detail about a data subject that will be matched under the programme.
  3. In determining whether the processing of personal information for exclusively journalistic purposes by a responsible party who is, by virtue of office, employment or profession, not subject to a code of ethics as referred to in section 7(1), constitutes an interference with the protection of the personal information of the data subject in terms of section 73, the Regulator must have particular regard to the factors referred to in section 7(3)(a) to (d).

Section 45 Conflict of interest

  1. If any member of the Regulator or any person appointed by the Regulator in terms of this Act has a material interest in any matter which could conflict with the proper performance of his or her duties in terms of this Act or the Promotion of Access to Information Act, he or she must disclose that interest, as prescribed, as soon as practicable after the relevant facts came to his or her knowledge.
  2.
    1. If a member of the Regulator or person referred to in subsection (1)—
      1. is present at a meeting of the Regulator or committee referred to in section 49 or 50 at which a matter contemplated in that subsection is to be considered, the member or person concerned must disclose the nature of his or her interest to the meeting before the matter is considered; or
      2. fails to make a disclosure as required by this subsection and is present at a meeting of the Regulator or committee, as the case may be, or in any other manner participates in the proceedings, such proceedings in relation to the relevant matter must, as soon as the non-disclosure is discovered, be reviewed and be varied or set aside by the Regulator or the committee, as the case may be, without the participation of the member or person concerned.
    2. A member of the Regulator or person referred to in subsection (1) who is obliged to make a disclosure in terms of this subsection may not be present during any deliberation, or take part in any decision, in relation to the matter in question.
    3. Any disclosure made in terms of this subsection must be noted in the minutes of the relevant meeting of the Regulator or committee.
  3. A member of the Regulator or person referred to in subsection (1) who has disclosed a conflict of interest in terms of subsection (1)—
    1. may perform all duties relating to the matter in question if a decision has been taken that the interest is trivial or irrelevant; or
    2. must be relieved of all duties relating to the matter in question and such duties must be performed by another member of the Regulator or by another person referred to in subsection (1), as the case may be, who has no such conflict of interest.