The Protection of Personal Information Bill 2009 (POPI or the
Bill*) aims to bring South Africa in line with international data
protection laws. The impact of this legislation will be
far-reaching and will significantly affect the way companies
collect, store and disseminate personal information. Members of our
Information Law and Data Protection Group provide some insight into
the implications of POPI in this series of Snapshots.
In previous Snapshots we discussed that the Bill sets out eight
conditions that responsible parties will need to consider for the
processing of personal information to be lawful. Accountability,
the first condition, was examined in the previous Snapshot. This
Snapshot considers Processing Limitation, the second of the eight
Condition 2: Processing Limitation
Lawfulness of processing
Personal information must be processed lawfully and in a
reasonable manner that does not infringe on a data subject's
privacy. Thus, a responsible party will need to develop procedures
and policies to ensure that personal information is processed in a
There must be clarity on the length of time and the reasons for
which personal information will be retained. In determining
appropriate retention periods, any statutory obligations imposed on
a responsible party must be taken into consideration.
Once the purpose for which the personal information was
obtained has ceased and it is no longer required, it may be
anonymised, deleted or disposed of in a secure manner. To comply
with this requirement, responsible parties are advised to assign
specific responsibility and to introduce procedures to ensure that
files are regularly purged.
Compliance may vary depending on the reason for which the
information is processed. In time, objective guidelines are
expected to be made available. These will assist responsible
parties to assess whether their information processing is
Personal information may only be processed in a manner that is
relevant, adequate and not excessive, bearing in mind the purpose
for which it is used.
Consent, justification and objection
Personal information may only be processed if the processing:
has been consented to by the data subject or a competent person
in the case of a minor;
is necessary to fulfil a contract that the data subject is
complies with an obligation imposed on the responsible party by
is necessary to protect a data subject's legitimate
is necessary for a public body to perform a public law duty
is necessary to pursue the legitimate interests of the
responsible party or a third party to whom the information is
The responsible party bears the burden of proof to show that
consent has been given. It is therefore prudent for companies to
obtain such consent in writing. Consent may be withdrawn at any
time, but the lawfulness of processing of personal information done
before the withdrawal of the consent will not be affected.
A data subject may object to the processing of personal
in a specific manner, on reasonable grounds, unless the law
permits that processing;
for purposes of direct marketing (other than unsolicited
Once a data subject has objected to the processing of personal
information, a responsible party may no longer process this
Collection directly from data subject
Personal information must be collected directly from the data
subject except when:
the information is obtained from a public record;
the data subject consents to another means of collection;
there is no prejudice to a legitimate interest of the data
collection of information from another source is necessary, for
criminal investigations and prosecutions;
the collection of revenue by SARS;
proceedings in courts and tribunals;
the interest of national security; or
to maintain the legitimate interests of the responsible party
or third party to whom the information is supplied;
compliance is not reasonably practicable in a particular
compliance would prejudice a lawful purpose of the
Click here to read clauses 9 - 12 - Processing Limitation.
*The Bill has been adopted by the Portfolio Committee on
Justice and Constitutional Development and by the National Assembly
(NA). This Snapshot has been drafted using the latest version of
the Bill as passed by the NA.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Nigerian Communications Commission (NCC) has concluded plans to introduce Lawful Interception (LI); a legally sanctioned official access to private communications, such as telephone calls or email messages
After 10 years of debate, South Africa’s President Jacob Zuma has finally signed South Africa’s first framework privacy bill into law, the Protection of Personal Information Bill.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).