What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
South Africa’s Constitution sets the foundation for privacy in the country, giving everyone the right to privacy, including “the right not to have…the privacy of their communications infringed” (Sec. 14).
The Protection of Personal Information Act, 2013 (POPI) regulates and sets the standard that public and private bodies must follow. Under POPI, employers (and other data processors) must follow certain parameters to process personal data, including:
- processing data in a reasonable manner that doesn’t infringe on the privacy of the individual;
- limiting processing to what’s adequate, relevant and not excessive;
- only processing data with the individual’s consent, to comply with a legal obligation, or for another permitted reason;
- only collecting personal data directly from the employee (with a few exceptions);
- collecting personal employee data only for a specific purpose (any additional processing must be compatible with the original purpose);
- taking reasonable steps to ensure the accuracy of information;
- informing the employee about their personal data that is being collected along with their rights related to the collection;
- taking appropriate security measures; and
- giving individuals access to the personal information that is being collected about them.
Under POPI, processing sensitive personal information may require the consent of the employee. Sensitive personal information includes information concerning religious/philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, and/or criminal behavior.
In addition, Regulations Relating to the Protection of Personal Information were published in December 2018. These Regulations further define the requirements outlined in POPI.
The current authority responsible for enforcement of data privacy law and regulations in South Africa is the Information Regulator (South Africa).