Protection of Personal Information in South Africa
Author: Emmie de Kock - 15 January 2010
Whether you use the internet to network or trade, you are likely to be requested to provide some personal data at some point. Collection of personal data in electronic format is made easy by computers and cell phones alike, and vast volumes of data can easily be sent or stored for unlimited periods.
Consumers, however, are often not informed about their rights and the possible consequences of rendering such personal information to data collectors. In this regard, collection and use of personal data may result in the invasion of an individual’s privacy rights. Data may be disclosed or accessed without authorisation or used for a reason other than that for which it was collected.
Collecting data electronically also poses various risks for data collectors. In this regard, there may be risks that the data provided may be inaccurate, false, incomplete or irrelevant.
Data collection poses international legal challenges and many countries have adopted “data protection” laws. “Data protection” has a technical meaning and generally refers to the collection, storage, use and transmission of “personal information”. It therefore does not apply to all types of data.
In the 1980s, a number of international organisations, including the Organisation for Economic Co-operation and Development (OECD), the European Council and the European Economic Community started a process of exploring and developing means to conform data protection standards in every country to ensure the free flow of information across country borders. As a result, two significant international documents were issued, namely the European Council’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.
In 1995 a further important document was issued by the European Union, namely the Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC). Article 25 of this Directive prescribes that a member state must prohibit the transfer of personal data to non-member states that do not ensure adequate levels of data protection.
The development of these international instruments did not involve the United States of America as a member state. The United States of America did not have any data protection laws which applied to all its states on a federal level. Different legislation and data protection levels apply and there is no provision for a central data protection authority. The EU countries did not initially find the USA personal information protection system adequate and a separate agreement was negotiated to ensure the free flow of personal data to and from the USA. This “Safe Harbor” agreement was adopted in 2000 and consists of a set of privacy principles. USA companies may voluntarily self-certify to comply with these principles and these principles are not mandatory for USA companies.
Developments in South Africa:
South Africa became a democracy in 1994. This led to the development of the Bill of Rights (Chapter 2 of the Constitution of the Republic of South Africa) which expressly provides for the protection of the right to privacy of individuals. It was also South Africa’s objective to develop national legislation which would ensure an adequate level of data protection to meet the requirements of the EU Directive.
The South African Law Reform Commission (SALRC) published a discussion paper (Green Paper) on the issue of privacy and data protection in October 2005. The discussion paper included a draft Bill on the Protection of Personal Information. A copy of this draft Bill can be downloaded at:
The proposed Act applies to personal information collected, stored and disseminated by automated and non-automated processes. It generally applies to South African businesses processing personal information in the context of their trade activities. The proposed Act will for instance not apply to the processing of personal information in the course of a purely personal or household activity. It further applies to the processing of personal information by/for businesses established outside South Africa using automated or non-automated means situated in South Africa. The proposed Act binds the State.
The Act will also establish a body known as the Information Protection Commission, of which the chairperson and two ordinary members will be appointed by the State President. The duties of the Commission will include education, monitoring compliance and dealing with complaints.
Chapter 3, Part A provides for the principles for the processing of personal information, which are in line with the main principles set out in the EU Directive and include, in short, the following:
(a) Principle 1: Processing limitation: Personal information must be processed in accordance with the law and in a proper and careful manner in order not to intrude upon the privacy of the data subject to an unreasonable extent.
(b) Principle 2: Purpose specific: Personal information must be collected for a specific, explicitly defined and legitimate purpose. Personal information may not be kept for longer than is necessary for archiving purposes.
(c) Principle 3: Further process limitation: Personal information must not be further processed in a way incompatible with a purpose for which it has been collected in the first instance.
(d) Principle 4: Information quality: The data collector collecting and processing personal information must take practical steps to ensure that the personal information is complete, not misleading, and accurate.
(e) Principle 5: Openness: Personal information may only be collected by a data collector which has given notice and has been recorded in a Register kept by the Commissioner.
(f) Principle 6: Security safeguards: Appropriate technical and organisational measures must be taken to secure the integrity of personal data by safeguarding against the risk of loss of, or damage or destruction of personal information and against the unauthorised or unlawful access to, or processing of personal information.
(g) Principle 7: Individual participation: Where personal information is collected, the data subject is entitled to obtain, free of charge, confirmation whether and what personal information is being kept.
(h) Principle 8: Accountability: The responsible party must ensure that there are measures taken that give effect to the Principles set out in Chapter 3, Part A.
Chapter 3, Part B deals with the prohibition on the processing of “special personal information”. In this regard, in principle, it is prohibited to process personal information concerning a person’s religion or philosophy of life, political persuasion, health or sexual life, or trade union membership, criminal behavior, or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct, except where the data subject has given his/her explicit consent to the processing of the information. However, Part B further sets out various exemptions to this general prohibition on the processing of special personal information as described. For instance, the prohibition on processing of personal information relating to a person’s health or sex life will not apply where the processing is carried out by medical professionals and it is necessary for proper treatment.
Chapter 4 provides for exemptions from the 8 information protection principles referred to above, and set out fully in Chapter 3, Part A. In this regard, the Commission may authorise a responsible party (data collector) to process personal information, even though that processing would otherwise be in breach of an information protection principle, if the Commission is satisfied that, in the special circumstances of the case:
(a) the public interest in that processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from that processing; or
(b) that processing involves a clear benefit to the data subject or a third party that outweighs any interference with the privacy of the data subject or third party that could result from that processing.
Any person may submit a complaint to the Commission alleging that any action is, or appears to be, for instance, a breach of any information protection principle. A complaint may be made either orally or in writing. A complaint made orally must be put in writing as soon as reasonably practicable. The Commission must provide such reasonable assistance which is necessary in the circumstances to enable an individual who wishes to make a complaint to the Commission, to put the complaint in writing. It is the function of the Commission to then conduct investigations and decide whether to take formal action or not.
If the Commission is satisfied that a responsible party has interfered with the protection of the personal information of a person by, for instance, breaching the information protection principles, the Commissioner may serve a notice on the responsible party requiring the responsible party to refrain from proceeding with the processing of personal information within a specified period.
A data subject or the Commission may also institute civil court proceedings against any responsible party who has contravened the provision of the Act for inter alia payment of damages, interest and costs of suit.
Any person who hinders, obstructs or unduly influences the Commission or any person acting on behalf of, or under the direction of the Commission in the performance of the Commission’s duties and functions under this Act, will be guilty of an offence. Any person convicted of an offence may be imprisoned or fined or both.
Section 94 of the proposed Act further provides that a responsible party in South Africa may transfer personal information about a data subject to someone who is in a foreign country only if:
(a) The recipient of the information is subject to a law, binding scheme or contract which effectively upholds the fair handling of the information that is substantially similar to the information protection principles; or
(b) The data subject consents to the transfer; or
(c) The transfer is necessary for the performance of a contract between the individual and the organization, or for the implementation of pre-contractual measures taken in response to the data subject’s request; or
(d) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organization and a third party; or
(e) All of the following apply: the transfer is for the benefit of the individual; it is reasonably impracticable to obtain the consent of the data subject to that transfer; if it were reasonably practicable to obtain such consent, the individual would be likely to give it.
Due to the borderless nature of the internet and the ability of computers to collect, distribute and store vast volumes of electronic data, it is desirable that the processing of personal information is regulated to protect both data collectors and data subjects. Data protection laws are particularly important to help protect privacy rights of individuals.
South Africa has made progress over the last decade to catch up on international developments relating to data and privacy protection laws.
The Protection of Personal Information Bill is expected to come into force in the course of 2010 and should, in the writer’s view, align South African laws with international standards and the EU Directive relating to the protection of personal information.