- in United States
- within Immigration, Transport, Government and Public Sector topic(s)
Organisations often assume that if information has been reduced to a reference number, account number or other unique identifier, it falls outside the scope of the Protection of Personal Information Act 4 of 2013 (“POPIA”). This assumption is based on the belief that only the organisation can link the identifier to a specific person and that third parties would be unable to use the identifier to identify that person. In practice, however, the position is seldom that straightforward.
Section 1 of POPIA defines a unique identifier as “any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party”. In broad terms, a unique identifier is any identifier distinguishes a person from others and enables that person to be singled out, either directly or indirectly.
Examples of unique identifiers are commonplace in both the public and private sectors. Identity numbers are perhaps the most obvious example, but organisations routinely assign customers, employees and suppliers unique identifiers in the form of employee numbers, student numbers, customer account numbers, membership numbers, policy numbers, taxpayer reference numbers, medical aid numbers and examination numbers. In the digital environment, online identifiers such as usernames, device identifiers, IP addresses and cookie identifiers may also function as unique identifiers.
POPIA defines personal information broadly as information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person. A unique identifier will therefore constitute personal information precisely because it enables a person to be identified.
This issue was recently considered by the Gauteng Division in Minister of Basic Education and Another v Information Regulator of South Africa and Others (Appeal). The matter concerned the Department of Education’s (“Department”) annual publication of matric results in local newspapers using a learner’s examination number only, without publishing any other personally identifiable information about the learner, such as their names and school.
The Information Regulator argued that learners were identifiable because examination numbers are issued sequentially per school, and matriculants are seated sequentially in examination rooms according to those numbers. In the Regulator’s view, this would allow a learner to recall who sat next to them during an examination and, with reference to the sequence of published examination numbers, deduce that person’s results. The Court rejected this argument and agreed with the Department that this argument was fanciful, holding that no empirical evidence supported the position and that it did not reflect events in the real world. The Court concluded that the manner of publication did not constitute the processing of personally identifiable information (although whether publication constitutes “processing” under POPIA is itself a separate question warranting analysis, given that the definition of processing expressly includes “dissemination by means of transmission, distribution or making available in any other form”). Accordingly, the question of whether the learners’ right to privacy had been infringed did not arise.
While the Court's approach may be understandable from a practical perspective, the judgment raises important questions regarding the treatment of unique identifiers under POPIA. An examination number is, after all, a unique identifier assigned to a learner and the Department retains the information necessary to link that examination number back to a specific learner. From a data protection perspective, this is generally regarded as pseudonymisation rather than anonymisation. The learner has not ceased to be identifiable; the direct identifier has simply been replaced with another identifier.
The judgment also leaves open an important question regarding whose perspective should be used when assessing identifiability. The Court considered whether members of the public could identify a learner from the examination number. However, the Department itself, and potentially schools and teachers, could readily identify the learner concerned. Whether information constitutes personal information may therefore depend not only on the information itself, but also on who holds it, who receives it and what other information is available to them.
Notably, the definition of personal information in section 1 of POPIA expressly includes “any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person”. This suggests that identifiers assigned to a person are, by their nature, personal information.
International guidance supports this interpretation. The UK Information Commissioner’s Office (“ICO”) has confirmed that unique identifiers, including reference numbers, customer numbers and online identifiers, will generally constitute personal data where they can be used to single out an individual, even if the organisation holding the identifier is the only entity able to link it back to a specific person. Similarly, the European Union’s General Data Protection Regulation (“GDPR”) expressly includes “identification numbers” and “online identifiers” within its definition of personal data.
Recital 26 of the GDPR provides further guidance on assessing identifiability. It states that account should be taken of all the means reasonably likely to be used, such as singling out a natural person, whether by the controller or by another person, directly or indirectly. Importantly, the assessment must consider all objective factors, including the costs of identification, the amount of time required, the available technology at the time of processing, and anticipated technological developments. This means the question is not whether the general public can identify a person from an identifier, but whether the data controller or any other person with access to the data could reasonably do so.
Applied to unique identifiers, this standard suggests to us that where an organisation assigns an identifier to a person and retains the means to link that identifier back to that person, the information remains personal data, regardless of whether third parties can perform the same linkage.
Applying this standard to the facts in Minister of Basic Education, an examination number is plainly a unique identifier that enables the Department to identify the learner to whom the results relate. The fact that members of the public cannot perform that linkage does not change the nature of the information in the hands of the Department. The Department continues to hold personal information about the learner, and that information remains subject to POPIA.
For organisations, the practical lesson is clear: assigning a unique identifier to a data subject is not the same as de-identifying data. Where an organisation retains the ability to link the identifier back to a specific person, the information remains personal information and the organisation must continue to comply with all aspects of POPIA when processing that data. This includes, importantly, the obligation to notify the Information Regulator and affected data subjects in the event of a data breach. Organisations should not assume that because data has been reduced to a reference number or account number, it falls outside the scope of POPIA or that a breach involving such data is not reportable.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]