DATA PRIVACY AND PROTECTION LAWS IN SOUTH AFRICA
In terms of South African laws, an individual’s right to privacy is protected in terms of common law and Section 14 of The Constitution of South Africa 1996. In these instances, the right to privacy is limited and to prove an infringement will most likely be difficult.
The Protection of Personal Information Act, also known as the POPI Act, brings an end to the uncertainty regarding the law on the use and processing of personal information. POPI Act is essentially the South African Data Protection Bill or Data Protection Act.
The POPI Act recognizes the right to privacy enshrined in the Constitution and gives effect to the right mandatory procedures and mechanisms for the handling and processing of personal information. The POPI Act is in line with current international trends and laws on data privacy.
The POPI Act provides eight information protection principles to govern the processing of personal information, specifically for provisions in direct marketing, automated decision-making and the processing of cross-border flows of data.
The Eight principals of the popi act:
The POPIA prescribes eight specific principles for the lawful processing and use of personal information. The principles are:
- The processing of information is limited which means that personal information must be obtained lawfully and fairly.
- The information can only be used for the specified purpose it was originally obtained for.
- The POPI Act limits the further processing of personal information. If the processing takes place for purposes beyond the original scope that was agreed on by the data subject, the processing is prohibited.
- The person who processes the information must ensure the quality of the information by taking reasonable steps to ensure that the information is complete, not misleading, up-to-date and accurate.
- The person processing the personal information should have a degree of openness. The data subject and the Information Regulator must be notified that data has been processed.
- The person processing data must ensure that the proper security safeguards and measures to safeguard against loss, damage, destruction, and unauthorized or unlawful access or processing of the information have been put in place.
- The data subject must be able to participate. The data subject must be able to access the personal information that a responsible party has on them and must be able to correct the information.
- The person processing the data is accountable to ensure that the measures that give effect to these principles are complied with when processing personal information.
Personal data is any type of information that can be used to directly or indirectly identified an individual (data subject). Some examples of personal data are name, picture, phone number, address (which enable direct identification) as well as IP address or username (which enable indirect identification).
CROSS-BORDER DATA FLOWS AND DATA PRIVACY
The electronic flow of data cross-border has led to a concern that data protection legislation will simply be circumstanced by the transfer of personal information to countries where privacy-protecting legislation will not apply and where information will be processed without any consequence.
The POPI Act only permits the transferring of personal information across borders under the specific circumstances mentioned in Section 27. Essentially, the country where the information will be processed, or the recipient of the information must be subjected to rules or regulations effectively like the principles stated in the POPI Act.
Unfortunately, the Protection of Personal Information Act has not yet taken effect, we are waiting got the Information Regulator to announce a commencement date. The need for an Information Regulator to enforce the provisions of the POPI Act has been recognized and provision is made for penalties an offense.
The regulation of the collection use and processing of personal information through legislation is an internationally accepted practice.