- This Act does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.
- Where a responsible party who processes personal information for exclusively journalistic purposes is, by virtue of office, employment or profession, subject to a code of ethics that provides adequate safeguards for the protection of personal information, such code will apply to the processing concerned to the exclusion of this Act and any alleged interference with the protection of the personal information of a data subject that may arise as a result of such processing must be adjudicated as provided for in terms of that code.
- In the event that a dispute may arise in respect of whether adequate safeguards have been provided for in a code as required in terms of subsection (2) or not, regard may be had to—
- the special importance of the public interest in freedom of expression;
- domestic and international standards balancing the—
- public interest in allowing for the free flow of information to the public through the media in recognition of the right of the public to be informed; and
- public interest in safeguarding the protection of personal information of data subjects;
- the need to secure the integrity of personal information;
- domestic and international standards of professional integrity for journalists; and
- the nature and ambit of self-regulatory forms of supervision provided by the profession.
Category: Purpose
Section 10 Minimality
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Section 12 Collection directly from data subject
- Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
- It is not necessary to comply with subsection (1) if—
- the information is contained in or derived from a public record or has deliberately been made public by the data subject;
- the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
- collection of the information from another source would not prejudice a legitimate interest of the data subject;
- collection of the information from another source is necessary—
- to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
- for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
- in the interests of national security; or
- to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
- compliance would prejudice a lawful purpose of the collection; or
- compliance is not reasonably practicable in the circumstances of the particular case.
Section 13 Collection for specific purpose
- Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
- Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.
Section 15 Further processing to be compatible with purpose of collection
- Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.
- To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—
- the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
- the nature of the information concerned;
- the consequences of the intended further processing for the data subject;
- the manner in which the information has been collected; and
- any contractual rights and obligations between the parties.
- The further processing of personal information is not incompatible with the purpose of collection if—
- the data subject or a competent person where the data subject is a child has consented to the further processing of the information;
- the information is available in or derived from a public record or has deliberately been made public by the data subject;
- further processing is necessary—
- to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
- for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
- in the interests of national security;
- the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—
- public health or public safety; or
- the life or health of the data subject or another individual;
- the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
- the further processing of the information is in accordance with an exemption granted under section 37.
Section 16 Quality of information
- A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
- In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.
Section 18 Notification to data subject when collecting personal information
- If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—
- the information being collected and where the information is not collected from the data subject, the source from which it is collected;
- the name and address of the responsible party;
- the purpose for which the information is being collected;
- whether or not the supply of the information by that data subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorising or requiring the collection of the information;
- the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
- any further information such as the—
- recipient or category of recipients of the information;
- nature or category of the information;
- existence of the right of access to and the right to rectify the information collected;
- existence of the right to object to the processing of personal information as referred to in section 11(3); and
- right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
- The steps referred to in subsection (1) must be taken—
- if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
- in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
- A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.
- It is not necessary for a responsible party to comply with subsection (1) if—
- the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
- non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
- non-compliance is necessary—
- to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
- for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
- in the interests of national security;
- compliance would prejudice a lawful purpose of the collection;
- compliance is not reasonably practicable in the circumstances of the particular case; or
- the information will—
- not be used in a form in which the data subject may be identified; or
- be used for historical, statistical or research purposes.
Section 29 Authorisation concerning data subject’s race or ethnic origin
- The prohibition on processing personal information concerning a data subject’s race or ethnic origin, as referred to in section 26, does not apply if the processing is carried out to—
- identify data subjects and only when this is essential for that purpose; and
- comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.
Section 69 Direct marketing by means of unsolicited electronic communications
- The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
- has given his, her or its consent to the processing; or
- is, subject to subsection (3), a customer of the responsible party.
-
- A responsible party may approach a data subject—
- whose consent is required in terms of subsection (1)(a); and
- who has not previously withheld such consent,
- only once in order to request the consent of that data subject.
- The data subject’s consent must be requested in the prescribed manner and form.
- A responsible party may approach a data subject—
- A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—
- if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
- for the purpose of direct marketing of the responsible party’s own similar products or services; and
- if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
- at the time when the information was collected; and
- on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
- Any communication for the purpose of direct marketing must contain—
- details of the identity of the sender or the person on whose behalf the communication has been sent; and
- an address or other contact details to which the recipient may send a request that such communications cease.
- ‘‘Automatic calling machine’’, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.