Section 12 Collection directly from data subject

  1. Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
  2. It is not necessary to comply with subsection (1) if—
    1. the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    2. the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
    3. collection of the information from another source would not prejudice a legitimate interest of the data subject;
    4. collection of the information from another source is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      4. in the interests of national security; or
      5. to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
    5. compliance would prejudice a lawful purpose of the collection; or
    6. compliance is not reasonably practicable in the circumstances of the particular case.

Section 14 Retention and restriction of records

  1. Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
    1. retention of the record is required or authorised by law;
    2. the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
    3. retention of the record is required by a contract between the parties thereto; or
    4. the data subject or a competent person where the data subject is a child has consented to the retention of the record.
  2. Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
  3. A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must—
    1. retain the record for such period as may be required or prescribed by law or a code of conduct; or
    2. if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
  4. A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).
  5. The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that prevents its reconstruction in an intelligible form.
  6. The responsible party must restrict processing of personal information if—
    1. its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information;
    2. the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
    3. the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
    4. the data subject requests to transmit the personal data into another automated processing system.
  7. Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
  8. Where processing of personal information is restricted pursuant to subsection (6), the responsible party must inform the data subject before lifting the restriction on processing.

Section 18 Notification to data subject when collecting personal information

  1. If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—
    1. the information being collected and where the information is not collected from the data subject, the source from which it is collected;
    2. the name and address of the responsible party;
    3. the purpose for which the information is being collected;
    4. whether or not the supply of the information by that data subject is voluntary or mandatory;
    5. the consequences of failure to provide the information;
    6. any particular law authorising or requiring the collection of the information;
    7. the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
    8. any further information such as the—
      1. recipient or category of recipients of the information;
      2. nature or category of the information;
      3. existence of the right of access to and the right to rectify the information collected;
      4. existence of the right to object to the processing of personal information as referred to in section 11(3); and
      5. right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
  2. The steps referred to in subsection (1) must be taken—
    1. if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
    2. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
  3. A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.
  4. It is not necessary for a responsible party to comply with subsection (1) if—
    1. the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
    2. non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
    3. non-compliance is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
      4. in the interests of national security;
    4. compliance would prejudice a lawful purpose of the collection;
    5. compliance is not reasonably practicable in the circumstances of the particular case; or
    6. the information will—
      1. not be used in a form in which the data subject may be identified; or
      2. be used for historical, statistical or research purposes.

Section 19 Security measures on integrity and confidentiality of personal information

  1. A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
    1. loss of, damage to or unauthorised destruction of personal information; and
    2. unlawful access to or processing of personal information.
  2. In order to give effect to subsection (1), the responsible party must take reasonable measures to—
    1. identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
    2. establish and maintain appropriate safeguards against the risks identified;
    3. regularly verify that the safeguards are effectively implemented; and
    4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
  3. The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Section 24 Correction of personal information

  1. A data subject may, in the prescribed manner, request a responsible party to—
    1. correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
    2. destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
  2. On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—
    1. correct the information;
    2. destroy or delete the information;
    3. provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
    4. where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
  3. If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
  4. The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.