The Information Regulator has released a guidance note outlining exemptions where companies or individuals processing personal information (“responsible persons”) will be excused from complying with obligations imposed by the Protection of Personal Information Act (POPIA).
Section 37 of POPIA provides for exemptions from certain requirements of POPIA to be granted to for responsible persons on application to the Regulator. Section 38 grants public bodies automatic exemptions from some of the requirements of POPIA in certain circumstances. Whether the requirements have been met will be considered on a case by case basis by the Regulator in the event of an application or a complaint.
Section 37 Exemptions
The exemptions listed in section 37 are based on two qualifying requirements, namely public interest and a clear benefit to the data subject.
Public Interest
In order to qualify for an exemption, the responsible person must show that the processing of the information in question is a matter of public interest and that the public interest concerned overshadows the data subject's right to protect that information. Whether the requirement of public interest is met will depend on multiple factors. These factors have in common that the processing is in one way or another for public benefit. The benefit should be one that promotes justice and equality.
The public interest requirement may be satisfied in a number of instances, the first being national security. This is guided by the principles of the Constitution, which requires that national security reflect the resolve of citizens to live in equality, peace and harmony. This would include avoiding potential armed conflict. Further examples of exemptions in the public interest would be where the processing of information would assist the prevention, detection or prosecution of offences, is important for the financial interests of a public body or for freedom of speech or is for historical, statistical or research activity.
Clear Benefit To The Data Subject
In order to meet this qualification, the responsible party will need to prove that the benefit achieved by the processing outweighs the data subject's right to protect such information. In its application for exemption,the responsible party needs to show exactly what the reasons for the breach are, the nature of the benefit that the breach will achieve and exactly why this benefit outweighs the data subject's right.
Section 38 Exemptions
Exemptions based on section 38 are given with regard to discharging of certain functions. They provide exemptions from compliance with certain sections if the responsible party processes personal info for the purpose of discharging a relevant function of a public body or one conferred on an individual as per the law.
This function performed by the responsible party must be with the intention to protect the public from financial losses due to fraud and other improper conduct by insurance and financial services companies and by any person approved to conduct any profession. These exemptions may be granted in respect of:
- the data subject's right to object processing of personal information:
- the obligation to ensure that information is collected directly from the data subject
- the requirement that further processing be compatible with the purpose of collection
- the requirement to notify the data subject when collecting personal information
They can be granted where the exemption is necessary to prevent any prejudice to the function of the public body or of one conferred on an individual as per the law. In the case of a private body, this would mainly relate to information that that body is required to collect from its clients in terms of money laundering or other statutory regulations. The reasons for the exemption must be recorded and will be evaluated by the Regulator in the event of a complaint.
Every application will be assessed on its own facts on an ad hoc basis. If such an exemption is granted, the Regulator can place conditions on the exemption. These exemptions will apply to responsible parties when processing personal information in limited circumstances. However, because each application will be considered on its own merits, they must not be seen as a general licence to avoid compliance even in the limited circumstances to which they comply.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.