The Protection of Personal Information Bill 2009 (POPI) aims to bring South Africa in line with international data protection laws. In this bi-weekly series, members of our Information Law Group provide some insight into the implications of POPI to assist you in your preparations for the new legislative regime*. The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information. This edition focuses on the types of personal information protected by POPI.
POPI only protects "personal information" that falls within the definition. Such information must relate to identifiable and living persons, and where applicable, companies and other juristic persons. Personal information includes, but is not limited to:
- information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.
It has been proposed that the definition of personal information be amended to include consumer or purchasing preferences or patterns in certain circumstances. If this amendment comes into force, information regarding consumer purchasing trends held by market research companies will also be protected.
Personal information of children
Unless there is prior consent from a parent or guardian, POPI prohibits the processing of personal information concerning a child. Processing is also permitted when the law requires such processing and / or when the Regulator permits such processing.
Special personal information
POPI prohibits the processing of "special personal information" unless a data subject consents to such processing. The only exception to consent is when the law requires processing, or when the Regulator authorises it. Special personal information is information about the data subject's religious or philosophical beliefs; race or ethnic origin; trade union membership; political opinions; health; sexual life; or the commission or alleged commission of any offence and related court proceedings.
Personal information that has been "anonymised" or de-identified does not constitute "personal information" under POPI. The anonymising of personal information is a useful tool for disclosing data that would otherwise be prohibited under POPI. It is widely used in the disclosure of data, for example in providing trends or statistics for employers; in due diligence investigations; and in the cross-border transferring of data in the health industry.
Application to companies and other juristic entities
The definition of "personal information" extends to information about juristic entities, where applicable. The definition is most significant for corporate entities in the realm of financial information, private and confidential correspondence and the corporation's views or opinions of others. This approach of including juristic bodies in data protection is in line with similar legislation in countries such as Austria, Switzerland and Denmark. Proposed European Union (EU) Regulations, which may amend current EU legislation, do not make provision for safeguarding the personal information of legal entities; and Italian privacy laws were recently amended to remove protection for legal entities in an attempt to simplify the data protection legal landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.