Section 18 Notification to data subject when collecting personal information

  1. If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—
    1. the information being collected and where the information is not collected from the data subject, the source from which it is collected;
    2. the name and address of the responsible party;
    3. the purpose for which the information is being collected;
    4. whether or not the supply of the information by that data subject is voluntary or mandatory;
    5. the consequences of failure to provide the information;
    6. any particular law authorising or requiring the collection of the information;
    7. the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
    8. any further information such as the—
      1. recipient or category of recipients of the information;
      2. nature or category of the information;
      3. existence of the right of access to and the right to rectify the information collected;
      4. existence of the right to object to the processing of personal information as referred to in section 11(3); and
      5. right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,

       which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
  2. The steps referred to in subsection (1) must be taken—
    1. if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
    2. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
  3. A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.
  4. It is not necessary for a responsible party to comply with subsection (1) if—
    1. the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
    2. non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
    3. non-compliance is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
      4. in the interests of national security;
    4. compliance would prejudice a lawful purpose of the collection;
    5. compliance is not reasonably practicable in the circumstances of the particular case; or
    6. the information will—
      1. not be used in a form in which the data subject may be identified; or
      2. be used for historical, statistical or research purposes.

Section 20 Information processed by operator or person acting under authority

  1. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—
    1. process such information only with the knowledge or authorisation of the responsible party; and
    2. treat personal information which comes to their knowledge as confidential and must not disclose it,

unless required by law or in the course of the proper performance of their duties.

Section 21 Security measures regarding information processed by operator

  1. A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.
  2. The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Section 23 Access to personal information

  1. A data subject, having provided adequate proof of identity, has the right to—
    1. request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
    2. request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
      1. within a reasonable time;
      2. at a prescribed fee, if any;
      3. in a reasonable manner and format; and
      4. in a form that is generally understandable.
  2. If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.
  3. If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1)(b) to enable the responsible party to respond to a request, the responsible party—
    1. must give the applicant a written estimate of the fee before providing the services; and
    2. may require the applicant to pay a deposit for all or part of the fee.
  4.  
    1. A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.
    2. The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
  5. If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.

Section 24 Correction of personal information

  1. A data subject may, in the prescribed manner, request a responsible party to—
    1. correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
    2. destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
  2. On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—
    1. correct the information;
    2. destroy or delete the information;
    3. provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
    4. where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
  3. If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
  4. The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.

Section 26 Prohibition on processing of special personal information

  1. A responsible party may, subject to section 27, not process personal information concerning—
    1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
    2. the criminal behaviour of a data subject to the extent that such information relates to—
      1. the alleged commission by a data subject of any offence; or
      2. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Section 27 General authorisation concerning special personal information

  1. The prohibition on processing personal information, as referred to in section 26, does not apply if the—
    1. processing is carried out with the consent of a data subject referred to in section 26;
    2. processing is necessary for the establishment, exercise or defence of a right or obligation in law;
    3. processing is necessary to comply with an obligation of international public law;
    4. processing is for historical, statistical or research purposes to the extent that—
      1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
      2. it appears to be impossible or would involve a disproportionate effort to ask for consent,

       and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
    5. information has deliberately been made public by the data subject; or
    6. provisions of sections 28 to 33 are, as the case may be, complied with.
  2. The Regulator may, subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject.
  3. The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2).