ACT

To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.

PREAMBLE

RECOGNISING THAT—

  • section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
  • the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
  • the State must respect, protect, promote and fulfil the rights in the Bill of Rights;

AND BEARING IN MIND THAT—

  • consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;

AND IN ORDER TO—

  • regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,

PARLIAMENT of the Republic of South Africa therefore enacts, as follows:—

Section 1 Definitions

In this Act, unless the context indicates otherwise —

‘‘biometrics’’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;
‘‘child’’ means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;
‘‘code of conduct’’ means a code of conduct issued in terms of Chapter 7;
‘‘competent person’’ means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
‘‘Constitution’’ means the Constitution of the Republic of South Africa, 1996;
‘‘data subject’’ means the person to whom personal information relates;
‘‘de-identify’’, in relation to personal information of a data subject, means to delete any information that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and ‘‘de-identified’’ has a corresponding meaning;
‘‘direct marketing’’ means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason;
‘‘electronic communication’’ means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;
‘‘enforcement notice’’ means a notice issued in terms of section 95;
‘‘filing system’’ means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
‘‘information matching programme’’ means the comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;
‘‘information officer’’ of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;
‘‘Minister’’ means the Cabinet member responsible for the administration of justice;
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
‘‘person’’ means a natural person or a juristic person;
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
‘‘prescribed’’ means prescribed by regulation or by a code of conduct;
‘‘private body’’ means—
(a) a natural person who carries or has carried on any trade, business or
profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person, but excludes a public body;
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
‘‘professional legal adviser’’ means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice;
‘‘Promotion of Access to Information Act’’ means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
‘‘public body’’ means—
(a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
(b) any other functionary or institution when—
(i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
(ii) exercising a public power or performing a public function in terms of any
legislation;
‘‘public record’’ means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;
‘‘record’’ means any recorded information—
(a) regardless of form or medium, including any of the following:
(i) Writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
(iv) book, map, plan, graph or drawing;
(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
‘‘Regulator’’ means the Information Regulator established in terms of section 39;
‘‘re-identify’’, in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘‘re-identified’’ has a corresponding meaning;
‘‘Republic’’ means the Republic of South Africa;
‘‘responsible party’’means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
‘‘restriction’’ means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information;
‘‘special personal information’’ means personal information as referred to in section 26;
‘‘this Act’’ includes any regulation or code of conduct made under this Act; and
‘‘unique identifier’’ means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

Section 3 Application and interpretation of Act


  1. This Act applies to the processing of personal information—
    1. entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof; and
    2. where the responsible party is—
      1. domiciled in the Republic; or
      2. not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
    1. This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act.
    2. If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3, the extensive conditions prevail.
  2. This Act must be interpreted in a manner that—
    1. gives effect to the purpose of the Act set out in section 2; and
    2. does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such powers, duties and functions relate to the processing of personal information and such processing is in accordance with this Act or any other legislation, as referred to in subsection (2), that regulates the processing of personal information.
  3. ‘‘Automated means’’, for the purposes of this section, means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

Section 5 Rights of data subjects

  1. A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—
    1. to be notified that—
      1. personal information about him, her or it is being collected as provided for in terms of section 18; or
      2. his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
    2. to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
    3. to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
    4. to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
    5. to object to the processing of his, her or its personal information—
      1. at any time for purposes of direct marketing in terms of section 11(3)(b); or
      2. in terms of section 69(3)(c);
    6. not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
    7. not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
    8. to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
    9. to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.

Section 6 Exclusions

  1. (1) This Act does not apply to the processing of personal information—
    1. in the course of a purely personal or household activity;
    2. that has been de-identified to the extent that it cannot be re-identified again;
    3. by or on behalf of a public body—
      1. which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or
      2. the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;
    4. by the Cabinet and its committees or the Executive Council of a province; or
    5. relating to the judicial functions of a court referred to in section 166 of the Constitution.
  2. ‘‘Terrorist and related activities’’, for purposes of subsection (1)(c), means those activities referred to in section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act No. 33 of 2004).

Section 12 Collection directly from data subject

  1. Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
  2. It is not necessary to comply with subsection (1) if—
    1. the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    2. the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
    3. collection of the information from another source would not prejudice a legitimate interest of the data subject;
    4. collection of the information from another source is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      4. in the interests of national security; or
      5. to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
    5. compliance would prejudice a lawful purpose of the collection; or
    6. compliance is not reasonably practicable in the circumstances of the particular case.

Section 14 Retention and restriction of records

  1. Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
    1. retention of the record is required or authorised by law;
    2. the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
    3. retention of the record is required by a contract between the parties thereto; or
    4. the data subject or a competent person where the data subject is a child has consented to the retention of the record.
  2. Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
  3. A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must—
    1. retain the record for such period as may be required or prescribed by law or a code of conduct; or
    2. if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
  4. A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).
  5. The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that prevents its reconstruction in an intelligible form.
  6. The responsible party must restrict processing of personal information if—
    1. its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information;
    2. the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
    3. the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
    4. the data subject requests to transmit the personal data into another automated processing system.
  7. Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
  8. Where processing of personal information is restricted pursuant to subsection (6), the responsible party must inform the data subject before lifting the restriction on processing.

Section 15 Further processing to be compatible with purpose of collection

  1. Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.
  2. To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—
    1. the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
    2. the nature of the information concerned;
    3. the consequences of the intended further processing for the data subject;
    4. the manner in which the information has been collected; and
    5. any contractual rights and obligations between the parties.
  3. The further processing of personal information is not incompatible with the purpose of collection if—
    1. the data subject or a competent person where the data subject is a child has consented to the further processing of the information;
    2. the information is available in or derived from a public record or has deliberately been made public by the data subject;
    3. further processing is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
      4. in the interests of national security;
    4. the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—
      1. public health or public safety; or
      2. the life or health of the data subject or another individual;
    5. the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
    6. the further processing of the information is in accordance with an exemption granted under section 37.