Section 1 Definitions

In this Act, unless the context indicates otherwise —

‘‘biometrics’’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;
‘‘child’’ means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;
‘‘code of conduct’’ means a code of conduct issued in terms of Chapter 7;
‘‘competent person’’ means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
‘‘Constitution’’ means the Constitution of the Republic of South Africa, 1996;
‘‘data subject’’ means the person to whom personal information relates;
‘‘de-identify’’, in relation to personal information of a data subject, means to delete any information that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and ‘‘de-identified’’ has a corresponding meaning;
‘‘direct marketing’’ means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason;
‘‘electronic communication’’ means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;
‘‘enforcement notice’’ means a notice issued in terms of section 95;
‘‘filing system’’ means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
‘‘information matching programme’’ means the comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;
‘‘information officer’’ of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;
‘‘Minister’’ means the Cabinet member responsible for the administration of justice;
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
‘‘person’’ means a natural person or a juristic person;
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
‘‘prescribed’’ means prescribed by regulation or by a code of conduct;
‘‘private body’’ means—
(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person, but excludes a public body;
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
‘‘professional legal adviser’’ means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice;
‘‘Promotion of Access to Information Act’’ means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
‘‘public body’’ means—
(a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
(b) any other functionary or institution when—
(i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
(ii) exercising a public power or performing a public function in terms of any legislation;
‘‘public record’’ means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;
‘‘record’’ means any recorded information—
(a) regardless of form or medium, including any of the following:
(i) Writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
(iv) book, map, plan, graph or drawing;
(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
‘‘Regulator’’ means the Information Regulator established in terms of section 39;
‘‘re-identify’’, in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and ‘‘re-identified’’ has a corresponding meaning;
‘‘Republic’’ means the Republic of South Africa;
‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
‘‘restriction’’ means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information;
‘‘special personal information’’ means personal information as referred to in section 26;
‘‘this Act’’ includes any regulation or code of conduct made under this Act; and
‘‘unique identifier’’ means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

Section 4 Lawful processing of personal information

  1. The conditions for the lawful processing of personal information by or for a responsible party are the following:
    (a) ‘‘Accountability’’, as referred to in section 8;
    (b) ‘‘Processing limitation’’, as referred to in sections 9 to 12;
    (c) ‘‘Purpose specification’’, as referred to in sections 13 and 14;
    (d) ‘‘Further processing limitation’’, as referred to in section 15;
    (e) ‘‘Information quality’’, as referred to in section 16;
    (f) ‘‘Openness’’, as referred to in sections 17 and 18;
    (g) ‘‘Security safeguards’’, as referred to in sections 19 to 22; and
    (h) ‘‘Data subject participation’’, as referred to in sections 23 to 25.
  2. The conditions, as referred to in subsection (1), are not applicable to the processing of personal information to the extent that such processing is—
    (a) excluded, in terms of section 6 or 7, from the operation of this Act; or
    (b) exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.
  3. The processing of the special personal information of a data subject is prohibited in terms of section 26, unless the—
    (a) provisions of sections 27 to 33 are applicable; or
    (b) Regulator has granted an authorisation in terms of section 27(2), in which case, subject to section 37 or 38, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
  4. The processing of the personal information of a child is prohibited in terms of section 34, unless the—
    (a) provisions of section 35(1) are applicable; or
    (b) Regulator has granted an authorisation in terms of section 35(2), in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
  5. The processing of the special personal information of a child is prohibited in terms of sections 26 and 34 unless the provisions of sections 27 and 35 are applicable in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
  6. The conditions for the lawful processing of personal information by or for a responsible party for the purpose of direct marketing by any means are reflected in Chapter 3, read with section 69 insofar as that section relates to direct marketing by means of unsolicited electronic communications.
  7. Sections 60 to 68 provide for the development, in appropriate circumstances, of codes of conduct for purposes of clarifying how the conditions referred to in subsection (1), subject to any exemptions which may have been granted in terms of section 37, are to be applied, or are to be complied with within a particular sector.

Section 19 Security measures on integrity and confidentiality of personal information

  1. A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
    (a) loss of, damage to or unauthorised destruction of personal information; and
    (b) unlawful access to or processing of personal information.
  2. In order to give effect to subsection (1), the responsible party must take reasonable measures to—
    (a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
    (b) establish and maintain appropriate safeguards against the risks identified;
    (c) regularly verify that the safeguards are effectively implemented; and
    (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
  3. The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Section 22 Notification of security compromises

  1. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
    (a) the Regulator; and
    (b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
  2. The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
  3. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
  4. The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
    (a) Mailed to the data subject’s last known physical or postal address;
    (b) sent by e-mail to the data subject’s last known e-mail address;
    (c) placed in a prominent position on the website of the responsible party;
    (d) published in the news media; or
    (e) as may be directed by the Regulator.
  5. The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
    (a) a description of the possible consequences of the security compromise;
    (b) a description of the measures that the responsible party intends to take or has taken to address the security compromise;
    (c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
    (d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
  6. The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

Section 55 Duties and responsibilities of Information Officer

  1. An information officer’s responsibilities include—
    (a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
    (b) dealing with requests made to the body pursuant to this Act;
    (c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
    (d) otherwise ensuring compliance by the body with the provisions of this Act; and
    (e) as may be prescribed.
  2. Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.

Section 56 Designation and delegation of deputy information officers

Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—

  (a) such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
  (b) any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

Section 57 Processing subject to prior authorisation

  1. The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
    (a) process any unique identifiers of data subjects—
      (i) for a purpose other than the one for which the identifier was specifically intended at collection; and
      (ii) with the aim of linking the information together with information processed by other responsible parties;
    (b) process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
    (c) process information for the purposes of credit reporting; or
    (d) transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
  2. The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
  3. This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
  4. A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).

Section 69 Direct marketing by means of unsolicited electronic communications

  1. The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
    (a) has given his, her or its consent to the processing; or
    (b) is, subject to subsection (3), a customer of the responsible party.
  2. (a) A responsible party may approach a data subject—
      (i) whose consent is required in terms of subsection (1)(a); and
      (ii) who has not previously withheld such consent,
    only once in order to request the consent of that data subject.
    (b) The data subject’s consent must be requested in the prescribed manner and form.
  3. A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—
    (a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
    (b) for the purpose of direct marketing of the responsible party’s own similar products or services; and
    (c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
      (i) at the time when the information was collected; and
      (ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
  4. Any communication for the purpose of direct marketing must contain—
    (a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
    (b) an address or other contact details to which the recipient may send a request that such communications cease.
  5. ‘‘Automatic calling machine’’, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.

Section 72 Transfers of personal information outside Republic

  1. A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
    (a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—
      (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
      (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
    (b) the data subject consents to the transfer;
    (c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
    (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
    (e) the transfer is for the benefit of the data subject, and—
      (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
      (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
  2. For the purpose of this section—
    (a) ‘‘binding corporate rules’’ means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
    (b) ‘‘group of undertakings’’ means a controlling undertaking and its controlled undertakings.

Section 105 Unlawful acts by responsible party in connection with account number

  1. A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence.
  2. The contravention referred to in subsection (1) must—
    (a) be of a serious or persistent nature; and
    (b) likely cause substantial damage or distress to the data subject.
  3. The responsible party must—
    (a) have known or ought to have known that—
      (i) there was a risk that the contravention would occur; or
      (ii) such contravention would likely cause substantial damage or distress to the data subject; and
    (b) have failed to take reasonable steps to prevent the contravention.
  4. Whenever a responsible party is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that he or she has taken all reasonable steps to comply with the provisions of section 8.
  5. ‘‘Account number’’, for purposes of this section and section 106, means any unique identifier that has been assigned—
    (a) to one data subject only; or
    (b) jointly to more than one data subject,
    by a financial or other institution which enables the data subject, referred to in paragraph (a), to access his, her or its own funds or to access credit facilities or which enables a data subject, referred to in paragraph (b), to access joint funds or to access joint credit facilities.