Data Privacy and Consent

Everything you need to know about your right to privacy and protection of personal data and information.

General

The South African Constitution recognises the right to privacy as an invaluable aspect of a person’s basic human rights. This right requires the government, by law, to work towards protecting the privacy rights of not only South Africans but also all those living in the country. The government has implemented several laws to increase the protection of privacy, especially with the advent of technology. 
 
In terms of South African law, privacy rights offer the following protections to a person:
 
1.     Nobody may make the personal information of another person public without their consent; and
2.     Nobody may intrude on another's private life.

Protection of Personal Information

Personal information constitutes any information relating to an identifiable living person or company. This includes a name and surname, a home address, a criminal record or shoe size. Everyone has the freedom to choose whether or not their personal information may be obtained, published or deleted by other persons or companies.
 
Note: The terms data and/or personal information will, context provided, be used interchangeably in this section.
 
Whose personal information is protected?
 
The personal information of all South African citizens and the non-citizens living in the country, as well as companies and South Africans living abroad it legally protected.
 
Note: If a person’s personal information is so detached from their identity that it is no longer identifiable, then the information is not protected.
 
When is processed data lawful?
 
Personal information data is only lawful under the following instances:
 
·       Consent – Where the personal information is obtained lawfully and in a fair manner;
·       Specific Purpose – Where the data is used only for the purpose originally obtained and consented for;
·       Further Processing – Where the data is not used for any purpose other than that obtained for;
·       Information quality - Where the information obtained is cross-checked for authenticity;
·       Security Safeguards - Where reasonable security has been put in placed to protect the data;
·       Accountability - Where the person processing the data makes sure that the above measures are taken;
·       Notification - Where the person is appropriately notified that their data is being processed; and
·       Participation - Where the person is able to participate and correct the data being processed about them.
 
Consent
 
To consent to something means to understand and agree. The consent to process a person's information must be obtained voluntarily, which means that a person may not be forced to agree to disclose their personal information. 
 
Note: Although written consent is not needed, it is recommended that written consent be obtained in order to keep a record of the consent.
 
In the case of children under 18, the parent or guardian of the child reserves the right to decide whether or not a child’s personal information may be disclosed and processed. Therefore, in order to get personal data relating to a child under 18, the parent or guardian’s consent must be obtained.
 
Purpose
 
The personal information of any person may only be kept or used as long as it is relevant to the purpose to which a person consented to their personal information being used. For example, if a person consents to sharing their email address in order to receive a notice for when a repair is done, their email address may not be used to advertise other products. The moment the information no longer serves the purpose for which consent was given, the information must be destroyed or returned.
 
Further Processing
 
If the party that a person gave consent to wants to use the data for something else, the consent of that person needs to be obtained again.
 
Note: South African law requires that a person’s personal information may only be shared with a person or company from a foreign country if that person or company agrees to follow the South African rules or law of data privacy.
 
Information Quality
 
The person who processes another's personal information should ensure the quality of the information by taking reasonable steps to verify that it is not misleading or inaccurate. 
 
Security Safeguards
 
The person processing another's personal information must ensure that the information being used is protected against loss, damage, destruction and unauthorised access. This could include the requirement that the data be encrypted.
 
Accountability
 
A person that is responsible for processing data will be held responsible for any mistakes or breaches of privacy if that data gets out. This means that they should inform the person whose data they are processing about such processing and allowing that person to confirm that the data is correct. They also need to ensure that the necessary safeguards are put in place to secure that data and that the right consent was obtained for processing such data.
 
Authorisation:
 
In certain instances, the law requires an authorisation from the Information Regulator before a person or company can process any personal information. The following are such instances:
 
·       The processing of criminal records;
·       Reports concerning credit transactions;
·       The transfer of the data to a country that does not provide adequate protection; and
·       The processing of the unique identifiers of persons.
 
In other circumstances, the law does not require any form of authorisation such as:
 
·       Data processed in the course of purely household or personal activities; 
·       Data that has been de-identified to such an extent that it cannot be re-identified;
·       Data that has been processed by or on the behalf of the state and involving national security or the prevention and detection of criminal activities and offences; 
·       Data that has been processed for exclusively journalistic purposes;
·       Data that is solely for literary or artistic expression; and 
·       Data that is processed by certain courts of government offices.
 
Offence
 
Any person or company failing to abide by the laws protecting personal data may be sentenced to imprisonment for a period of not less than 10 years or a fine or both a fine and imprisonment. 

What do do when your privacy is breached

ny person that has their right to privacy and personal information breached can do any of the following:
 
1.     The person may try to resolve the issue with the organisation that breached their privacy rights;
2.     The person may lodge a complaint with the Information Regulator through their website at inforeg@justice.gov.za,or by calling them at 012 406 4818;
3.     The person may lodge a complaint to the privacy officer at the organisation that breached their privacy rights.
4.     The person may report it to the police.
 
Note: The matter should only be reported to the police if the breach is serious. A polite but firm resolution to a dispute between the parties involved, or through the Information Regulator is always more favourable and beneficial when compared to a legal solution.
 
Precautions
 
Small companies may avoid being susceptible or liable to privacy breach issues by employing an Information Officer to ensure that the organisation complies with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA). The officer must be registered with the Information Regulator. 

Requesting Personal Information

  • The Promotion of Access to Information Act (PAIA) was created to give citizens access to information that is held by the government as well as information that is necessary for a person to exercise or defend their rights, but is held by companies or other people.
     
    How to request access to information?
     
    Many public and private bodies allow free access to some information without the need for a formal application. Therefore, before attempting to request access to information, it is important to check if the information is already publicly available. Every organisation (including government organisations and private companies) in South Africa is required to have an information officer. All requests for information should be sent to the information officer, and the request process involves a fee and a 30-day waiting period.
     
    The following forms may be used to apply for access to personal information from a public or private body:
     
    1.     Form A- When applying for access to information from a public body (This application costs R 35); and
    2.     Form C- When applying for access to information from a private body (This application costs R 50).
     
    What if the PAIA request is denied?
     
    A person may resort to legal action in the following instances:
     
    1.     If the Information Officer denies access to a record;
    2.     If the Information Officer extends the time to respond to the request by a 30-day period and the person is unsatisfied; and
    3.     If the Information officer provides access to a record in different form than it was requested.
     
    The person may submit an appeal to the Information Officer at the public or private bodies through the following procedures:
     
    Public bodies- Where the person wishes to file a complaint against public bodies, they may file an internal appeal involving a more senior person. They must fill in the PAIA Form B request form within 60 days and submit it to the Information Officer at the national, provincial or municipal departments. 
     
    If the appeal is denied and the person is still unsatisfied, they may apply to court within 180 days of receiving the refusal. 
     
    Private bodies- Where the person wishes to file a complaint against private bodies, they may apply to court for an appeal within 180 days of receiving the decision that they don't agree with.
     
    When can an officer lawfully refuse access to information?
     
    Although the right to privacy is constitutionally protected, the constitution also provides for limitations of this right. PAIA sets out those limitations. 
     
    An officer may lawfully refuse access to information in the following instances:
     
    1.     Commercial information of a third party - The Information Officer may refuse access to information if the release of the particular information would cause harm to the commercial or financial interests of the business. (for example, trade secrets or business plans);
    2.     Confidential information - The Information Officer may refuse access to the confidential information of a third party unless the information is important to maintain public safety;
    3.     Protection of the safety of an individual and/or property - The Information Officer may refuse access to information if it threatens the safety of an individual or a property; and
    4.     Information requested in legal proceedings.