Protection of Personal Information Act, 2013
Act No. 4 of 2013
Ensuring protection of your personal information and effective access to information
GENERAL EXPLANATORY NOTE:
[ ] Words in bold type in square brackets indicate omissions from existing enactments.
Words underlined with a solid line indicate insertions in existing enactments.
____________________________________________________________
(English text signed by the President)
(Assented to 19 November 2013)
ACT To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
PREAMBLE
RECOGNISING THAT—
• section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
• the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
• the State must respect, protect, promote and fulfil the rights in the Bill of Rights;
AND BEARING IN MIND THAT—
• consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;
AND IN ORDER TO—
• regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,
PARLIAMENT of the Republic of South Africa therefore enacts as follows:—
CONTENTS OF ACT
CHAPTER 1
DEFINITIONS AND PURPOSE
1. Definitions
2. Purpose of Act
CHAPTER 2
APPLICATION PROVISIONS
3. Application and interpretation of Act
4. Lawful processing of personal information
5. Rights of data
6. Exclusions
7. Exclusion for journalistic, literary or artistic purposes
CHAPTER 3
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
Part A Processing of personal information in general
Condition 1 Accountability
8. Responsible party to ensure conditions for lawful processing
Condition 2 Processing limitation
9. Lawfulness of processing
10. Minimality
11. Consent, justification and objection
12. Collection directly from data subject
Condition 3 Purpose specification
13. Collection for specific purpose
14. Retention and restriction of records
Condition 4 Further processing limitation
15. Further processing to be compatible with purpose of collection
Condition 5 Information quality
16. Quality of information
Condition 6 Openness
17. Documentation
18. Notification to data subject when collecting personal information
Condition 7 Security safeguards
19. Security measures on integrity and confidentiality of personal information
20. Information processed by operator or person acting under authority
21. Security measures regarding information processed by operator
22. Notification of security compromises
Condition 8 Data subject participation
23. Access to personal information
24. Correction of personal information
25. Manner of access
Part B Processing of special personal information
26. Prohibition on processing of special personal information
27. General authorisation concerning special personal information
28. Authorisation concerning data subject’s religious or philosophical beliefs
29. Authorisation concerning data subject’s race or ethnic origin
30. Authorisation concerning data subject’s trade union membership
31. Authorisation concerning data subject’s political persuasion
32. Authorisation concerning data subject’s health or sex life
33. Authorisation concerning data subject’s criminal behaviour or biometric information
Part C Processing of personal information of children
34. Prohibition on processing personal information of children
35. General authorisation concerning personal information of children
CHAPTER 4
EXEMPTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION
36. General
37. Regulator may exempt processing of personal information
38. Exemption in respect of certain functions
CHAPTER 5
SUPERVISION
Part A Information Regulator
39. Establishment of Information Regulator
40. Powers, duties and functions of Regulator
41. Appointment, term of office and removal of members of Regulator
42. Vacancies
43. Powers, duties and functions of Chairperson and other members
44. Regulator to have regard to certain matters
45. Conflict of interest
Remuneration, allowances, benefits and privileges of members
46. Staff
47. Powers, duties and functions of chief executive officer
48. Committees of Regulator
49. Establishment of Enforcement Committee
50. Meetings of Regulator
51. Funds
52. Protection of Regulator
53. Duty of confidentiality
Part B Information Officer
54. Duties and responsibilities of Information Officer
55. Designation and delegation of deputy information officers
CHAPTER 6
PRIOR AUTHORISATION
Prior Authorisation
56. Processing subject to prior authorisation
57. Responsible party to notify Regulator if processing is subject to prior authorisation
58. Failure to notify processing subject to prior authorisation
CHAPTER 7
CODES OF CONDUCT
59. Issuing of codes of conduct
60. Process for issuing codes of conduct
61. Notification, availability and commencement of code of conduct
62. Procedure for dealing with complaints
63. Amendment and revocation of codes of conduct
64. Guidelines about codes of conduct
65. Register of approved codes of conduct
66. Review of operation of approved code of conduct
67. Effect of failure to comply with code of conduct
CHAPTER 8
RIGHTS OF DATA SUBJECTS REGARDING DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING
68. Direct marketing by means of unsolicited electronic communications
69. Directories
70. Automated decision making
CHAPTER 9
TRANSBORDER INFORMATION FLOWS
72. Transfers of personal information outside Republic
CHAPTER 10
ENFORCEMENT
71. Interference with protection of personal information of data subject
72. Complaints
73. Mode of complaints to Regulator
74. Action on receipt of complaint
75. Regulator may decide to take no action on complaint
76. Referral of complaint to regulatory body
77. Pre-investigation proceedings of Regulator
78. Settlement of complaints
79. Investigation proceedings of Regulator
80. Issue of warrants
81. Requirements for issuing of warrant
82. Execution of warrants
83. Matters exempt from search and seizure
84. Communication between legal adviser and client exempt
85. Objection to search and seizure
86. Return of warrants
87. Assessment
88. Information notice
89. Parties to be informed of result of assessment
90. Matters referred to Enforcement Committee
Functions of Enforcement Committee
91. Parties to be informed of developments during and result of investigation
92. Enforcement notice
93. Cancellation of enforcement notice
94. Right of appeal
95. Consideration of appeal
96. Civil remedies
CHAPTER 11
OFFENCES, PENALTIES AND ADMINISTRATIVE FINES
97. Obstruction of Regulator
Breach of confidentiality
98. Obstruction of execution of warrant
99. Failure to comply with enforcement or information notices
100. Offences by witnesses
101. Unlawful acts by responsible party in connection with account number
102. Unlawful acts by third parties in connection with account number
103. Penalties
104. Magistrate’s Court jurisdiction to impose penalties
105. Administrative fines
CHAPTER 12
GENERAL PROVISIONS
106. Amendment of laws
107. Fees
108. Regulations
109. Procedure for making regulations
Transitional arrangements
110. Short title and commencement
111. Fees
112. Regulations
113. Procedure for making regulations
114. Transitional arrangements
115. Short title and commencement
SCHEDULE
Laws amended by section 110
CHAPTER 1
DEFINITIONS AND PURPOSE
Definitions
1. In this Act, unless the context indicates otherwise—
‘‘biometrics’’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;
‘‘child’’ means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;
‘‘code of conduct’’ means a code of conduct issued in terms of Chapter 7;
‘‘competent person’’ means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
‘‘Constitution’’ means the Constitution of the Republic of South Africa, 1996;
‘‘data subject’’ means the person to whom personal information relates;
‘‘de-identify’’, in relation to personal information of a data subject, means to delete any information that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and ‘‘de-identified’’ has a corresponding meaning;
‘‘direct marketing’’ means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason;
‘‘electronic communication’’ means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;
‘‘enforcement notice’’ means a notice issued in terms of section 95;
‘‘filing system’’ means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
‘‘information matching programme’’ means the comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;
‘‘information officer’’ of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;
‘‘Minister’’ means the Cabinet member responsible for the administration of justice;
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
‘‘person’’ means a natural person or a juristic person;
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
‘‘prescribed’’ means prescribed by regulation or by a code of conduct;
‘‘private body’’ means—
(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person, but excludes a public body;
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
‘‘professional legal adviser’’ means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice;
‘‘Promotion of Access to Information Act’’ means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
‘‘public body’’ means—
(a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
(b) any other functionary or institution when—
(i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
(ii) exercising a public power or performing a public function in terms of any legislation;
‘‘public record’’ means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;
‘‘record’’ means any recorded information—
(a) regardless of form or medium, including any of the following:
(i) Writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
(iv) book, map, plan, graph or drawing;
(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
‘‘Regulator’’ means the Information Regulator established in terms of section 39;
‘‘re-identify’’, in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and ‘‘re-identified’’ has a corresponding meaning;
‘‘Republic’’ means the Republic of South Africa;
‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
‘‘restriction’’ means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information;
‘‘special personal information’’ means personal information as referred to in section 26;
‘‘this Act’’ includes any regulation or code of conduct made under this Act; and
‘‘unique identifier’’ means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
Purpose of Act
2. The purpose of this Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; and
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
CHAPTER 2
APPLICATION PROVISIONS
Application and interpretation of Act
1. (1) This Act applies to the processing of personal information—
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
‘‘Regulator’’ means the Information Regulator established in terms of section 39;
‘‘record’’ means any recorded information—
(a) regardless of form or medium, including any of the following:
(i) Writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from the information so produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes any object of which it forms part, or to which it is attached by any means;
(iv) book, map, plan, graph or drawing;
(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so that it is capable, with or without the aid of other equipment, of reproduction;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by the responsible party; and
(d) regardless of when it came into existence;
‘‘Republic’’ means the Republic of South Africa;
‘‘special personal information’’ means personal information as referred to in section 26;
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
‘‘unique identifier’’ means any identifier that is assigned to a data subject and that is used by a responsible party for the purposes of the operations of that responsible party and by which that responsible party uniquely identifies the data subject;
‘‘responsible party’’ means a public or private body or any other person who, alone or in conjunction with others, determines the purpose of and means for processing personal information;
‘‘prescribed’’ means prescribed by regulation or by a code of conduct; and
‘‘Promotion of Access to Information Act’’ means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).
Purpose of Act
2. The purpose of this Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when it is processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; and
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum requirements for the lawful processing of personal information;
(c) provide persons with rights and remedies in order to protect their personal information against processing that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, in order to ensure respect for, and the promotion, enforcement and fulfilment of, the rights protected in this Act.
CHAPTER 2
APPLICATION PROVISIONS
Application and interpretation of Act
3. (1) This Act applies to the processing of personal information—
(a) entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof; and
(b) where the responsible party is—
(i) domiciled in the Republic; or
(ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
(2) (a) This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act.
(b) If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3, the extensive conditions prevail.
(3) This Act must be interpreted in a manner that—
(a) gives effect to the purpose of the Act set out in section 2; and
(b) does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such powers, duties and functions relate to the processing of personal information and such processing is in accordance with this Act or any other legislation, as referred to in subsection (2), that regulates the processing of personal information.
(4) ‘‘Automated means’’, for the purposes of this section, means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
Lawful processing of personal information
4. (1) The conditions for the lawful processing of personal information by or for a responsible party are the following:
(a) ‘‘Accountability’’, as referred to in section 8;
(b) ‘‘Processing limitation’’, as referred to in sections 9 to 12;
(c) ‘‘Purpose specification’’, as referred to in sections 13 and 14;
(d) ‘‘Further processing limitation’’, as referred to in section 15;
(e) ‘‘Information quality’’, as referred to in section 16;
(f) ‘‘Openness’’, as referred to in sections 17 and 18;
(g) ‘‘Security safeguards’’, as referred to in sections 19 to 22; and
(h) ‘‘Data subject participation’’, as referred to in sections 23 to 25.
(2) The conditions, as referred to in subsection (1), are not applicable to the processing of personal information to the extent that such processing is—
(a) excluded, in terms of section 6 or 7, from the operation of this Act; or
(b) exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.
(3) The processing of the special personal information of a data subject is prohibited in terms of section 26, unless the—
(a) provisions of sections 27 to 33 are applicable; or
(b) Regulator has granted an authorisation in terms of section 27(2),
in which case, subject to section 37 or 38, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
(4) The processing of the personal information of a child is prohibited in terms of section 34, unless the—
(a) provisions of section 35(1) are applicable; or
(b) Regulator has granted an authorisation in terms of section 35(2),
in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
(5) The processing of the special personal information of a child is prohibited in terms of sections 26 and 34 unless the provisions of sections 27 and 35 are applicable in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
(6) The conditions for the lawful processing of personal information by or for a responsible party for the purpose of direct marketing by any means are reflected in Chapter 3, read with section 69 insofar as that section relates to direct marketing by means of unsolicited electronic communications.
(7) Sections 60 to 68 provide for the development, in appropriate circumstances, of codes of conduct for purposes of clarifying how the conditions referred to in subsection (1), subject to any exemptions which may have been granted in terms of section 37, are to be applied, or are to be complied with within a particular sector.
Rights of data subjects
5. A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—
(a) to be notified that—
(i) personal information about him, her or it is being collected as provided for in terms of section 18; or
(ii) his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
(b) to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
(c) to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
(d) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
(e) to object to the processing of his, her or its personal information—
(i) at any time for purposes of direct marketing in terms of section 11(3)(b); or
(ii) in terms of section 69(3)(c);
(f) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
(h) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
(i) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.
Exclusions
6. (1) This Act does not apply to the processing of personal information—
(a) in the course of a purely personal or household activity;
(b) that has been de-identified to the extent that it cannot be re-identified again;
(c) by or on behalf of a public body—
(i) which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or
(ii) the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;
(d) by the Cabinet and its committees or the Executive Council of a province; or
(e) relating to the judicial functions of a court referred to in section 166 of the Constitution.
(2) ‘‘Terrorist and related activities’’, for purposes of subsection (1)(c), means those activities referred to in section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act No. 33 of 2004).
Exclusion for journalistic, literary or artistic purposes
7. (1) This Act does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.
(2) Where a responsible party who processes personal information for exclusively journalistic purposes is, by virtue of office, employment or profession, subject to a code of ethics that provides adequate safeguards for the protection of personal information, such code will apply to the processing concerned to the exclusion of this Act and any alleged interference with the protection of the personal information of a data subject that may arise as a result of such processing must be adjudicated as provided for in terms of that code.
(3) In the event that a dispute may arise in respect of whether adequate safeguards have been provided for in a code as required in terms of subsection (2) or not, regard may be had to—
(a) the special importance of the public interest in freedom of expression;
(b) domestic and international standards balancing the—
(i) public interest in allowing for the free flow of information to the public through the media in recognition of the right of the public to be informed; and
(ii) public interest in safeguarding the protection of personal information of data subjects;
(c) the need to secure the integrity of personal information;
(d) domestic and international standards of professional integrity for journalists; and
(e) the nature and ambit of self-regulatory forms of supervision provided by the profession.
CHAPTER 2
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
CHAPTER 3
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
Part A
Processing of personal information in general
Condition 1
Accountability
Responsible party to ensure conditions for lawful processing
8. The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.
Condition 2
Processing limitation
Lawfulness of processing
9. Personal information must be processed—
(a) lawfully; and
(b) in a reasonable manner that does not infringe the privacy of the data subject.
Minimality
10. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Consent, justification and objection
11. (1) Personal information may only be processed if—
(a) the data subject or a competent person where the data subject is a child consents to the processing;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the data subject;
(e) processing is necessary for the proper performance of a public law duty by a public body; or
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
(2) (a) The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
(b) The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
(3) A data subject may object, at any time, to the processing of personal information—
(a) in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
(b) for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.
(4) If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.
Collection directly from data subject
12. (1) Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
(2) It is not necessary to comply with subsection (1) if—
(a) the information is contained in or derived from a public record or has deliberately been made public by the data subject;
(b) the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
(c) collection of the information from another source would not prejudice a legitimate interest of the data subject;
(d) collection of the information from another source is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
(iv) in the interests of national security; or
(v) to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
(e) compliance would prejudice a lawful purpose of the collection; or
(f) compliance is not reasonably practicable in the circumstances of the particular case.
Condition 3
Purpose specification
Collection for specific purpose
13. (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
(2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.
Retention and restriction of records
14. (1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
(a) retention of the record is required or authorised by law;
(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
(c) retention of the record is required by a contract between the parties thereto; or
(d) the data subject or a competent person where the data subject is a child has consented to the retention of the record.
(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
(3) A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must—
(a) retain the record for such period as may be required or prescribed by law or a code of conduct; or
(b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
(4) A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).
(5) The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that prevents its reconstruction in an intelligible form.
(6) The responsible party must restrict processing of personal information if—
(a) its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information;
(b) the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
(c) the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
(d) the data subject requests to transmit the personal data into another automated processing system.
(7) Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
(8) Where processing of personal information is restricted pursuant to subsection (6), the responsible party must inform the data subject before lifting the restriction on processing.
Condition 4
Further processing limitation
Further processing to be compatible with purpose of collection
15. (1) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.
(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—
(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
(b) the nature of the information concerned;
(c) the consequences of the intended further processing for the data subject;
(d) the manner in which the information has been collected; and
(e) any contractual rights and obligations between the parties.
(3) The further processing of personal information is not incompatible with the purpose of collection if—
(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information;
(b) the information is available in or derived from a public record or has deliberately been made public by the data subject;
(c) further processing is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
(iv) in the interests of national security;
(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—
(i) public health or public safety; or
(ii) the life or health of the data subject or another individual;
(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
(f) the further processing of the information is in accordance with an exemption granted under section 37.
Condition 5
Information quality
Quality of information
16. (1) A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
(2) In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.
Condition 6
Openness
Documentation
17. A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.
Notification to data subject when collecting personal information
18. (1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—
(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;
(b) the name and address of the responsible party;
(c) the purpose for which the information is being collected;
(d) whether or not the supply of the information by that data subject is voluntary or mandatory;
(e) the consequences of failure to provide the information;
(f) any particular law authorising or requiring the collection of the information;
(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
(h) any further information such as the—
(i) recipient or category of recipients of the information;
(ii) nature or category of the information;
(iii) existence of the right of access to and the right to rectify the information collected;
(iv) existence of the right to object to the processing of personal information as referred to in section 11(3); and
(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,
which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
(2) The steps referred to in subsection (1) must be taken—
(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.
(4) It is not necessary for a responsible party to comply with subsection (1) if—
(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
(c) non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
(iv) in the interests of national security;
(d) compliance would prejudice a lawful purpose of the collection;
(e) compliance is not reasonably practicable in the circumstances of the particular case; or
(f) the information will—
(i) not be used in a form in which the data subject may be identified; or
(ii) be used for historical, statistical or research purposes.
Condition 7
Security Safeguards
Security measures on integrity and confidentiality of personal information
19. (1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—
(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Information processed by operator or person acting under authority
20. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—
(a) process such information only with the knowledge or authorisation of the responsible party; and
(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
Security measures regarding information processed by operator
21. (1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.
(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Notification of security compromises
22. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
(a) the Regulator; and
(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
(3) The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
(4) The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
(a) Mailed to the data subject’s last known physical or postal address;
(b) sent by e-mail to the data subject’s last known e-mail address;
(c) placed in a prominent position on the website of the responsible party;
(d) published in the news media; or
(e) as may be directed by the Regulator.
(5) The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
(a) a description of the possible consequences of the security compromise;
(b) a description of the measures that the responsible party intends to take or has taken to address the security compromise;
(c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
(d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
(6) The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.
Condition 8
Data subject participation
Access to personal information
23. (1) A data subject, having provided adequate proof of identity, has the right to—
(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
(i) within a reasonable time;
(ii) at a prescribed fee, if any;
(iii) in a reasonable manner and format; and
(iv) in a form that is generally understandable.
(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.
(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1)(b) to enable the responsible party to respond to a request, the responsible party—
(a) must give the applicant a written estimate of the fee before providing the services; and
(b) may require the applicant to pay a deposit for all or part of the fee.
(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.
(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.
Correction of personal information
24. (1) A data subject may, in the prescribed manner, request a responsible party to—
(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—
(a) correct the information;
(b) destroy or delete the information;
(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.
Manner of access
25. The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.
Part B
Processing of special personal information
Prohibition on processing of special personal information
26. A responsible party may, subject to section 27, not process personal information concerning—
(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
(b) the criminal behaviour of a data subject to the extent that such information relates to—
(i) the alleged commission by a data subject of any offence; or
(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
General authorisation concerning special personal information
27. (1) The prohibition on processing personal information, as referred to in section 26, does not apply if the—
(a) processing is carried out with the consent of a data subject referred to in section 26;
(b) processing is necessary for the establishment, exercise or defence of a right or obligation in law;
(c) processing is necessary to comply with an obligation of international public law;
(d) processing is for historical, statistical or research purposes to the extent that—
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
(e) information has deliberately been made public by the data subject; or
(f) provisions of sections 28 to 33 are, as the case may be, complied with.
(2) The Regulator may, subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject.
(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2).
Authorisation concerning data subject’s religious or philosophical beliefs
28. (1) The prohibition on processing personal information concerning a data subject’s religious or philosophical beliefs, as referred to in section 26, does not apply if the processing is carried out by—
(a) spiritual or religious organisations, or independent sections of those organisations if—
(i) the information concerns data subjects belonging to those organisations; or
(ii) it is necessary to achieve their aims and principles;
(b) institutions founded on religious or philosophical principles with respect to their members or employees or other persons belonging to the institution, if it is necessary to achieve their aims and principles; or
(c) other institutions: Provided that the processing is necessary to protect the spiritual welfare of the data subjects, unless they have indicated that they object to the processing.
(2) In the cases referred to in subsection (1)(a), the prohibition does not apply to processing of personal information concerning the religion or philosophy of life of family members of the data subjects, if—
(a) the association concerned maintains regular contact with those family members in connection with its aims; and
(b) the family members have not objected in writing to the processing.
(3) In the cases referred to in subsections (1) and (2), personal information concerning a data subject’s religious or philosophical beliefs may not be supplied to third parties without the consent of the data subject.
Authorisation concerning data subject’s race or ethnic origin
29. The prohibition on processing personal information concerning a data subject’s race or ethnic origin, as referred to in section 26, does not apply if the processing is carried out to—
(a) identify data subjects and only when this is essential for that purpose; and
(b) comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.
Authorisation concerning data subject’s trade union membership
30. (1) The prohibition on processing personal information concerning a data subject’s trade union membership, as referred to in section 26, does not apply to the processing by the trade union to which the data subject belongs or the trade union federation to which that trade union belongs, if such processing is necessary to achieve the aims of the trade union or trade union federation.
(2) In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.
Authorisation concerning data subject’s political persuasion
31. (1) The prohibition on processing personal information concerning a data subject’s political persuasion, as referred to in section 26, does not apply to processing by or for an institution, founded on political principles, of the personal information of—
(a) its members or employees or other persons belonging to the institution, if such processing is necessary to achieve the aims or principles of the institution; or
(b) a data subject if such processing is necessary for the purposes of—
(i) forming a political party;
(ii) participating in the activities of, or engaging in the recruitment of members for or canvassing supporters or voters for, a political party with the view to—
(aa) an election of the National Assembly or the provincial legislature as regulated in terms of the Electoral Act, 1998 (Act No. 73 of 1998);
(bb) municipal elections as regulated in terms of the Local Government: Municipal Electoral Act, 2000 (Act No. 27 of 2000); or
(cc) a referendum as regulated in terms of the Referendums Act, 1983 (Act No. 108 of 1983); or
(iii) campaigning for a political party or cause.
(2) In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.
Authorisation concerning data subject’s health or sex life
32. (1) The prohibition on processing personal information concerning a data subject’s health or sex life, as referred to in section 26, does not apply to the processing by—
(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;
(b) insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for—
(i) assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;
(ii) the performance of an insurance or medical scheme agreement; or
(iii) the enforcement of any contractual rights and obligations;
(c) schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;
(d) any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;
(e) any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or
(f) administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for—
(i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or
(ii) the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.
(2) In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.
(3) A responsible party that is permitted to process information concerning a data subject’s health or sex life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).
(4) The prohibition on processing any of the categories of personal information referred to in section 26, does not apply if it is necessary to supplement the processing of personal information concerning a data subject’s health, as referred to under subsection (1)(a), with a view to the proper treatment or care of the data subject.
(5) Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless—
(a) a serious medical interest prevails; or
(b) the processing is necessary for historical, statistical or research activity.
(6) More detailed rules may be prescribed concerning the application of subsection (1)(b) and (f).
Authorisation concerning data subject’s criminal behaviour or biometric information
33. (1) The prohibition on processing personal information concerning a data subject’s criminal behaviour or biometric information, as referred to in section 26, does not apply if the processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law.
(2) The processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation.
(3) The prohibition on processing any of the categories of personal information referred to in section 26 does not apply if such processing is necessary to supplement the processing of information on criminal behaviour or biometric information permitted by this section.
Part C
Processing of personal information of children
Prohibition on processing personal information of children
34. A responsible party may, subject to section 35, not process personal information concerning a child.
General authorisation concerning personal information of children
35. (1) The prohibition on processing personal information of children, as referred to in section 34, does not apply if the processing is—
(a) carried out with the prior consent of a competent person;
(b) necessary for the establishment, exercise or defence of a right or obligation in law;
(c) necessary to comply with an obligation of international public law;
(d) for historical, statistical or research purposes to the extent that—
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
(e) of personal information which has deliberately been made public by the child with the consent of a competent person.
(2) The Regulator may, notwithstanding the prohibition referred to in section 34, but subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child.
(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2), including conditions with regard to how a responsible party must—
(a) upon request of a competent person provide a reasonable means for that person to—
(i) review the personal information processed; and
(ii) refuse to permit its further processing;
(b) provide notice—
(i) regarding the nature of the personal information of children that is processed;
(ii) how such information is processed; and
(iii) regarding any further processing practices;
(c) refrain from any action that is intended to encourage or persuade a child to disclose more personal information about him- or herself than is reasonably necessary given the purpose for which it is intended; and
(d) establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information collected from children.
CHAPTER 4
EXEMPTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION
General
36. Processing of personal information is not in breach of a condition for the processing of such information if the—
(a) Regulator grants an exemption in terms of section 37; or
(b) processing is in accordance with section 38.
Regulator may exempt processing of personal information
37. (1)TheRegulatormay,bynoticeintheGazette,grantanexemptiontoaresponsiblepartytoprocesspersonalinformation,evenifthatprocessingisinbreachofaconditionfortheprocessingofsuchinformation,oranymeasurethatgiveseffecttosuchcondition, iftheRegulator issatisfiedthat, in the circumstances of the case—(a) thepublic interest in theprocessingoutweighs, toa substantial
degree,anyinterferencewiththeprivacyofthedatasubjectthatcouldresultfromsuchprocessing;or
(b)theprocessinginvolvesaclearbenefittothedatasubjectorathirdparty that outweighs, to a substantial degree, any interferencewiththeprivacyofthedatasubjectorthirdpartythatcouldresultfromsuchprocessing.
(2)Thepublicinterestreferredtoinsubsection(1)includes—(a)theinterestsofnationalsecurity;(b)theprevention,detectionandprosecutionofoffences;(c)importanteconomicandfinancialinterestsofapublicbody;(d) fostering compliance with legal provisions established in the
interestsreferredtounderparagraphs(b)and(c);(e)historical,statisticalorresearchactivity;or(f) the special importance of the interest in freedom of expression.
(3) The Regulator may impose reasonable conditions in respect of anyexemptiongrantedundersubsection(1).
Exemption in respect of certain functions
38. (1) Personal information processed for the purpose of discharging a relevant function is exempt from sections 11(3) and (4), 12, 15 and 18 in any case to the extent to which the application of those provisions to the personal information would be likely to prejudice the proper discharge of that function.
(2) “Relevant function” for purposes of subsection (1), means any function—
(a) of a public body; or
(b) conferred on any person in terms of the law, which is performed with the view to protecting members of the public against—
(i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or
(ii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity.
CHAPTER 5
SUPERVISION
Part A Information Regulator
Establishment of Information Regulator
39. There is hereby established a juristic person to be known as the Information Regulator, which—
(a) has jurisdiction throughout the Republic;
(b) is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice;
(c) must exercise its powers and perform its functions in accordance with this Act and the Promotion of Access to Information Act; and
(d) is accountable to the National Assembly.
Powers, duties and functions of Regulator
40. (1) The powers, duties and functions of the Regulator in terms of this Act are—
(a) to provide education by—
(i) promoting an understanding and acceptance of the conditions for the lawful processing of personal information and of the objects of those conditions;
(ii) undertaking educational programmes, for the purpose of promoting the protection of personal information, on the Regulator’s own behalf or in co-operation with other persons or authorities acting on behalf of the Regulator;
(iii) making public statements in relation to any matter affecting the protection of the personal information of a data subject or of any class of data subjects;
(iv) giving advice to data subjects in the exercise of their rights; and
(v) providing advice, upon request or on its own initiative, to a Minister or a public or private body on their obligations under the provisions, and generally on any matter relevant to the operation, of this Act;
(b) to monitor and enforce compliance by—
(i) public and private bodies with the provisions of this Act;
(ii) undertaking research into, and monitoring developments in, information processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information of data subjects are minimised, and reporting to the Minister the results of such research and monitoring;
(iii) examining any proposed legislation, including subordinate legislation, or proposed policy of the Government that the Regulator considers may affect the protection of the personal information of data subjects, and reporting to the Minister the results of that examination;
(iv) reporting upon request or on its own accord, to Parliament from time to time on any policy matter affecting the protection of the personal information of a data subject, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the personal information of a data subject;
(v) submitting a report to Parliament, within five months of the end of its financial year, on all its activities in terms of this Act during that financial year;
(vi) conducting an assessment, on its own initiative or when requested to do so, of a public or private body, in respect of the processing of personal information by that body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information;
(vii) monitoring the use of unique identifiers of data subjects, and reporting to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking, legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject;
(viii) maintaining, publishing and making available and providing copies of such registers as are prescribed in this Act; and
(ix) examining any proposed legislation that makes provision for the—
(aa) collection of personal information by any public or private body; or
(bb) disclosure of personal information by one public or private body to any other public or private body, or both, to have particular regard, in the course of that examination, to the matters set out in section 44(2), in any case where the Regulator considers that the information might be used for the purposes of an information matching programme, and reporting to the Minister and Parliament the results of that examination;
(c) to consult with interested parties by—
(i) receiving and inviting representations from members of the public on any matter affecting the personal information of a data subject;
(ii) co-operating on a national and international basis with other persons and bodies concerned with the protection of personal information; and
(iii) acting as mediator between opposing parties on any matter that concerns the need for, or the desirability of, action by a responsible party in the interests of the protection of the personal information of a data subject;
(d) to handle complaints by—
(i) receiving and investigating complaints about alleged violations of the protection of personal information of data subjects and reporting to complainants in respect of such complaints;
(ii) gathering such information as in the Regulator’s opinion will assist the Regulator in discharging the duties and carrying out the Regulator’s functions under this Act;
(iii) attempting to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and
(iv) serving any notices in terms of this Act and further promoting the resolution of disputes in accordance with the prescripts of this Act;
(e) to conduct research and to report to Parliament—
(i) from time to time on the desirability of the acceptance, by South Africa, of any international instrument relating to the protection of the personal information of a data subject; and
(ii) on any other matter, including necessary legislative amendments, relating to protection of personal information that, in the Regulator’s opinion, should be drawn to Parliament’s attention;
(f) in respect of codes of conduct to—
(i) issue, from time to time, codes of conduct, amend codes and to revoke codes of conduct;
(ii) make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct; and
(iii) consider afresh, upon application, determinations by adjudicators under approved codes of conduct;
(g) to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation; and
(h) in general to—
(i) do anything incidental or conducive to the performance of any of the preceding functions;
(ii) exercise and perform such other functions, powers, and duties as are conferred or imposed on the Regulator by or under this Act or any other legislation;
(iii) require the responsible party to disclose to any person affected by a compromise to the integrity or confidentiality of personal information, such compromise in accordance with section 22; and
(iv) exercise the powers conferred upon the Regulator by this Act in matters relating to the access of information as provided by the Promotion of Access to Information Act.
(2) The Regulator may, from time to time, in the public interest or in the legitimate interests of any person or body of persons, publish reports relating generally to the exercise of the Regulator’s functions under this Act or to any case or cases investigated by the Regulator, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.
(3) The provisions of sections 3 and 4 of the Commissions Act, 1947 (Act No. 8 of 1947), will apply, with the necessary changes, to the Regulator.
(4) The powers and duties of the Regulator in terms of the Promotion of Access to Information Act are set out in Parts 4 and 5 of that Act.
Appointment, term of office and removal of members of Regulator
41. (1) (a) The Regulator consists of the following members:
(i) A Chairperson; and
(ii) four other persons, as ordinary members of the Regulator.
(b) Members of the Regulator must be appropriately qualified, fit and proper persons—
(i) at least one of whom must be appointed on account of experience as a practising advocate or attorney or a professor of law at a university; and
(ii) the remainder of whom must be appointed on account of any other qualifications, expertise and experience relating to the objects of the Regulator.
(c) The Chairperson of the Regulator must be appointed in a full-time capacity and may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which he or she holds office as Chairperson.
(d) The ordinary members of the Regulator must be appointed as follows:
(i) Two ordinary members in a full-time capacity; and
(ii) two ordinary members in a full-time or part-time capacity.
(e) The members referred to in paragraph (d) who are appointed in a full-time capacity, may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which they hold office.
(f) The Chairperson must direct the work of the Regulator and the staff of the Regulator.
(g) A person may not be appointed as a member of the Regulator if he or she—
(i) is not a citizen of the Republic;
(ii) is a public servant;
(iii) is a member of Parliament, any provincial legislature or any municipal council;
(iv) is an office-bearer or employee of any political party;
(v) is an unrehabilitated insolvent;
(vi) has been declared by a court to be mentally ill or unfit; or
(vii) has at any time been convicted, whether in the Republic or elsewhere, of any offence involving dishonesty.
(2) (a) The Chairperson and the members of the Regulator referred to in subsection (1)(a) must be appointed by the President on the recommendation of the National Assembly, which recommendation must also indicate which ordinary members must be appointed in a full-time or part-time capacity.
(b) The National Assembly must recommend persons—
(i) nominated by a committee of the Assembly composed of members of parties represented in the Assembly; and
(ii) approved by the Assembly by a resolution adopted with a supporting vote of a majority of the members of the Assembly.
(3) The members of the Regulator will be appointed for a period of not more than five years and will, at the expiration of such period, be eligible for reappointment.
(4) The Chairperson of the Regulator or a member who has been appointed in a full-time capacity may, notwithstanding the provisions of subsection (1)(c) or (e), only perform or undertake to perform any other remunerative work during the period that he or she holds office as Chairperson or member with the prior written consent of the Minister.
(5) A person appointed as a member of the Regulator may, upon written notice to the President, resign from office.
(6) (a) A member may be removed from office only on—
(i) the ground of misconduct, incapacity or incompetence;
(ii) a finding to that effect by a committee of the National Assembly; and
(iii) the adoption by the National Assembly of a resolution calling for that person’s removal from office.
(b) A resolution of the National Assembly concerning the removal from office of a member of the Regulator must be adopted with a supporting vote of a majority of the members of the Assembly.
(c) The President—
(i) may suspend a member from office at any time after the start of the proceedings of a committee of the National Assembly for the removal of that member; and
(ii) must remove a member from office upon adoption by the Assembly of the resolution calling for that member’s removal.
Vacancies
42. (1) A vacancy in the Regulator occurs if a member—
(a) becomes subject to a disqualification referred to in section 41(1)(g);
(b) tenders his or her resignation as contemplated in section 41(5) and the resignation takes effect;
(c) is removed from office in terms of section 41(6);
(d) dies; or
(e) becomes permanently incapable of doing his or her work.
(2) (a) Where a vacancy has arisen as contemplated in subsection (1), the procedure contemplated in section 41(2) applies.
(b) Any member appointed under this subsection holds office for the rest of the period of the predecessor’s term of office, unless the President, upon recommendation by the National Assembly, appoints that member for a longer period which may not exceed five years.
Powers, duties and functions of Chairperson and other members
43. (1) The Chairperson—
(a) must exercise the powers and perform the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act; and
(b) is, for the purposes of exercising the powers and performing the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act, accountable to the Regulator.
(2) (a) The members referred to in section 41(1)(d)(i) must exercise their powers and perform their duties and functions as follows:
(i) One member in terms of this Act; and
(ii) one member in terms of the Promotion of Access to Information Act.
(b) The members referred to in section 41(1)(d)(ii) must exercise their powers and perform their duties and functions either in terms of this Act or the Promotion of Access to Information Act, or both.
(c) The members, referred to in paragraphs (a) and (b), are, for the purposes of exercising their powers and performing their duties and functions, accountable to the Chairperson.
Regulator to have regard to certain matters
44. (1) In the performance of its functions, and the exercise of its powers, under this Act the Regulator must—
(a) have due regard to the conditions for the lawful processing of personal information as referred to in Chapter 3;
(b) have due regard for the protection of all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way;
(c) take account of international obligations accepted by South Africa; and
(d) consider any developing general international guidelines relevant to the better protection of individual privacy.
(2) In performing its functions in terms of section 40(1)(b)(ix)(bb) with regard to information matching programmes, the Regulator must have particular regard to whether or not the—
(a) objective of the programme relates to a matter of significant public importance;
(b) use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable or in other comparable benefits to society;
(c) use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b);
(d) public interest in allowing the programme to proceed outweighs the public interest in adhering to the conditions for the lawful processing of personal information that the programme would otherwise contravene; and
(e) programme involves information matching on a scale that is excessive, having regard to—
(i) the number of responsible parties or operators that will be involved in the programme; and
(ii) the amount of detail about a data subject that will be matched under the programme.
(3) In determining whether the processing of personal information for exclusively journalistic purposes by a responsible party who is, by virtue of office, employment or profession, not subject to a code of ethics as referred to in section 7(1), constitutes an interference with the protection of the personal information of the data subject in terms of section 73, the Regulator must have particular regard to the factors referred to in section 7(3)(a) to (d).
Conflict of interest
45. (1) If any member of the Regulator or any person appointed by the Regulator in terms of this Act has a material interest in any matter which could conflict with the proper performance of his or her duties in terms of this Act or the Promotion of Access to Information Act, he or she must disclose that interest, as prescribed, as soon as practicable after the relevant facts came to his or her knowledge.
(2) (a) If a member of the Regulator or person referred to in subsection (1)—
(i) is present at a meeting of the Regulator or committee referred to in section 49 or 50 at which a matter contemplated in that subsection is to be considered, the member or person concerned must disclose the nature of his or her interest to the meeting before the matter is considered; or
(ii) fails to make a disclosure as required by this subsection and is present at a meeting of the Regulator or committee, as the case may be, or in any other manner participates in the proceedings, such proceedings in relation to the relevant matter must, as soon as the non-disclosure is discovered, be reviewed and be varied or set aside by the Regulator or the committee, as the case may be, without the participation of the member or person concerned.
(b) A member of the Regulator or person referred to in subsection (1) who is obliged to make a disclosure in terms of this subsection may not be present during any deliberation, or take part in any decision, in relation to the matter in question.
(c) Any disclosure made in terms of this subsection must be noted in the minutes of the relevant meeting of the Regulator or committee.
(3) A member of the Regulator or person referred to in subsection (1) who has disclosed a conflict of interest in terms of subsection (1)—
(a) may perform all duties relating to the matter in question if a decision has been taken that the interest is trivial or irrelevant; or
(b) must be relieved of all duties relating to the matter in question and such duties must be performed by another member of the Regulator or by another person referred to in subsection (1), as the case may be, who has no such conflict of interest.
Remuneration, allowances, benefits and privileges of members
46. (1) A member of the Regulator or a person referred to in section 49(1)(b) or 50(1)(b) who is not subject to the provisions of the Public Service Act, 1994 (Proclamation No. 103 of 1994), or who is not a judge of the High Court of South Africa or a magistrate will be entitled to such remuneration, allowances, including allowances for reimbursement of travelling and subsistence expenses incurred by him or her in the performance of his or her functions under this Act and the Promotion of Access to Information Act, benefits and privileges as the Minister in consultation with the Minister of Finance may determine.
(2) The remuneration, allowances, benefits or privileges of different members of the Regulator may differ according to the different—
(a) positions held by them in the Regulator; or
(b) functions performed, whether in a part-time or full-time capacity, by them from time to time.
Staff
47. (1) The Regulator must establish its own administration to assist it in the performance of its functions and to this end the Regulator must appoint, or secure the secondment in terms of subsection (6) of—
(a) a suitably qualified and experienced person as chief executive officer of the Regulator for the purpose of assisting the Regulator, subject to the Regulator’s direction and supervision, in the performance of all financial and administrative functions in terms of this Act and the Promotion of Access to Information Act, work arising from the administration of this Act and the Promotion of Access to Information Act and to exercise any power delegated by the Regulator to him or her; and
(b) such other member of staff as the Regulator may deem necessary to assist the Regulator and the chief executive officer, as the case may be, with all such work as may arise through the performance of its functions.
(2) (a) The chief executive officer may appoint a senior member of staff as acting chief executive officer to perform the functions of the chief executive officer in his or her absence.
(b) A member of the Regulator may not be appointed as acting chief executive officer.
(c) In the event that a vacancy occurs in the office of the chief executive officer the Regulator must appoint an acting chief executive officer.
(3) The Regulator must, in the appointment of the staff of the Regulator—
(a) provide for the advancement of persons disadvantaged by unfair discrimination, with the aim that its staff, when viewed collectively, represents a broad cross-section of the population of the Republic; and
(b) subject to paragraph (a), apply equal opportunity employment practices.
(4) The Regulator may pay to the persons in its employ such remuneration and allowances and provide them with such pension and other employment benefits as are consistent with that paid in the public sector.
(5) In exercising its powers in terms of subsections (1) and (4), the Regulator must consult with the Minister of Finance.
(6) The Regulator may, in the performance of the functions contemplated in subsection (1), at its request, be assisted by officials in the Public Service seconded to the service of the Regulator in terms of any law regulating such secondment: Provided that the secondment of an official to the service of the Regulator may not exceed 12 months and that the initial period of secondment may only be extended once for a subsequent period not exceeding 12 months.
(7) The Regulator may, in consultation with the Minister of Finance, on a temporary basis or for a particular matter which is being investigated by it, employ any person with special knowledge of any matter relating to the work of the Regulator, or obtain the co-operation of any body, to advise or assist the Regulator in the performance of its functions under this Act and the Promotion of Access to Information Act, and fix the remuneration, including reimbursement for travelling, subsistence and other expenses, of such person or body.
Powers, duties and functions of chief executive officer
48. The chief executive officer—
(a) is the head of administration and the accounting officer, as referred to in section 52(3), of the Regulator;
(b) may appoint a senior member of staff as acting chief executive officer as referred to in section 47(2);
(c) is responsible for the—
(i) management of the affairs and operations of the Regulator;
(ii) formation and development of an efficient administration;
(iii) organisation and management of, and administrative control over, all the members of staff appointed in terms of section 47(1)(b) and all the persons seconded in terms of section 47(6);
(iv) maintenance of discipline in respect of the members of staff; and
(v) execution of the decisions of the Regulator, and is for those purposes accountable to the Regulator and must report thereon to the Regulator as often as may be required by the Regulator; and
(d) must exercise the powers and perform the duties and functions which the Regulator may from time to time confer upon or assign to him or her in order to achieve the objects of the Regulator, and is for those purposes accountable to the Regulator.
Committees of Regulator
49. (1) The Regulator may, if it considers it necessary for the proper performance of its functions establish one or more committees, which must consist of—
(a) such members of the Regulator as the Regulator may designate; or
(b) such members of the Regulator as the Regulator may designate and other persons appointed by the Regulator, as referred to in section 47(7), for the period determined by the Regulator.
(2) The Regulator may at any time extend the period of an appointment referred to in subsection (1)(b) or, if in its opinion good reasons exist therefor, revoke any such appointment.
(3) The Regulator must designate the chairperson and, if the Regulator deems it necessary, the vice-chairperson of a committee established under subsection (1).
(4) (a) A committee referred to in subsection (1) must, subject to the directions of the Regulator, perform those functions of the Regulator assigned to it by the Regulator.
(b) Any function so performed by a committee referred to in subsection (1) will be deemed to have been performed by the Regulator.
(5) The Regulator may at any time dissolve any committee established by the Regulator.
(6) The provisions of sections 40(4) and 51 will apply, with the necessary changes, to a committee of the Regulator.
Establishment of Enforcement Committee
50. (1) The Regulator must establish an Enforcement Committee which must consist of—
(a) at least one member of the Regulator; and
(b) such other persons appointed by the Regulator, as referred to in section 47(7), for the period determined by the Regulator.
(2) The Regulator must—
(a) in consultation with the Chief Justice and Minister, appoint a—
(i) judge of the High Court of South Africa, whether in active service or not; or
(ii) magistrate with at least 10 years’ appropriate experience, whether in active service or not; or
(b) appoint an advocate or attorney with at least 10 years’ appropriate experience, as Chairperson of the Enforcement Committee.
(3) The Chairperson of the Enforcement Committee must manage the work of and preside at hearings of the Enforcement Committee.
(4) (a) A member referred to in subsection (1)(a) may not participate in any proceedings of the Regulator in terms of which a decision is taken with regard to a recommendation by the Enforcement Committee as referred to in section 93.
(b) A person referred to in subsection (1)(b) must be a fit and proper person and must comply with the criteria, referred to in section 41(1)(g), for appointment as a member of the Regulator.
Meetings of Regulator
51. (1) Meetings of the Regulator must be held at the times and places determined by the Chairperson of the Regulator.
(2) Three members of the Regulator constitute a quorum for a meeting.
(3) (a) The Chairperson may regulate the proceedings at meetings as he or she may think fit and must keep minutes of the proceedings.
(b) If the Chairperson is absent from a meeting the members present shall elect one of their number to preside at that meeting.
(4) (a) Subject to subsection (2), a decision of the Regulator is taken by resolution agreed to by the majority of members at any meeting of the Regulator.
(b) In the event of an equality of votes regarding any matter the Chairperson has a casting vote in addition to his or her deliberative vote.
Funds
52. (1) Funds of the Regulator consist of—
(a) such sums of money that Parliament appropriates annually, for the use of the Regulator as may be necessary for the proper exercise, performance and discharge, by the Regulator, of its powers, duties and functions under this Act and the Promotion of Access to Information Act; and
(b) fees as may be prescribed in terms of section 111(1).
(2) The financial year of the Regulator is the period from 1 April in any year to 31 March in the following year, except that the first financial year of the Regulator begins on the date that this Chapter comes into operation, and ends on 31 March next following that date.
(3) The chief executive officer of the Regulator is for purposes of the Public Finance Management Act, 1999 (Act No. 1 of 1999), the accounting officer and must execute his or her duties in accordance with that Act.
(4) Within six months after the end of each financial year, the Regulator must prepare financial statements in accordance with established accounting practice, principles and procedures, comprising—
(a) a statement reflecting, with suitable and sufficient particulars, the income and expenditure of the Regulator during the preceding financial year; and
(b) a balance sheet showing the state of its assets, liabilities and financial position as at the end of that financial year.
(5) The Auditor-General must audit the Regulator’s financial records each year.
Protection of Regulator
53. Any person acting on behalf or under the direction of the Regulator, is not civilly or criminally liable for anything done in good faith in the exercise or performance or purported exercise or performance of any power, duty or function of the Regulator in terms of this Act or the Promotion of Access to Information Act.
Duty of confidentiality
54. A person acting on behalf or under the direction of the Regulator, must, both during or after his or her term of office or employment, treat as confidential the personal information which comes to his or her knowledge in the course of the performance of his or her official duties, except if the communication of such information is required by law or in the proper performance of his or her duties.
Part B Information Officer
Duties and responsibilities of Information Officer
55. (1) An information officer’s responsibilities include—
(a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
(b) dealing with requests made to the body pursuant to this Act;
(c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
(d) otherwise ensuring compliance by the body with the provisions of this Act; and
(e) as may be prescribed.
(2) Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.
Designation and delegation of deputy information officers
56. Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—
(a) such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
(b) any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.
CHAPTER 6
PRIOR AUTHORISATION
Prior authorisation
Processing subject to prior authorisation
57. (1) The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
(a) process any unique identifiers of data subjects—
(i) for a purpose other than the one for which the identifier was specifically intended at collection; and
(ii) with the aim of linking the information together with information processed by other responsible parties;
(b) process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
(c) process information for the purposes of credit reporting; or
(d) transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
(2) The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
(3) This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
(4) A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).
Responsible party to notify Regulator if processing is subject to prior authorisation
58. (1) Information processing as contemplated in section 57(1) must be notified as such by the responsible party to the Regulator.
(2) Responsible parties may not carry out information processing that has been notified to the Regulator in terms of subsection (1) until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.
(3) In the case of the notification of information processing to which section 57(1) is applicable, the Regulator must inform the responsible party in writing within four weeks of the notification as to whether or not it will conduct a more detailed investigation.
(4) In the event that the Regulator decides to conduct a more detailed investigation, it must indicate the period within which it plans to conduct this investigation, which period must not exceed 13 weeks.
(5) On conclusion of the more detailed investigation referred to in subsection (4) the Regulator must issue a statement concerning the lawfulness of the information processing.
(6) A statement by the Regulator in terms of subsection (5), to the extent that the information processing is not lawful, is deemed to be an enforcement notice served in terms of section 95 of this Act.
(7) A responsible party that has suspended its processing as required by subsection (2), and which has not received the Regulator’s decision within the time limits specified in subsections (3) and (4), may presume a decision in its favour and continue with its processing.
Failure to notify processing subject to prior authorisation
59. If section 58(1) or (2) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section 107.
CHAPTER 7
CODES OF CONDUCT
Issuing of codes of conduct
60. (1) The Regulator may from time to time issue codes of conduct.
(2) A code of conduct must—
(a) incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and
(b) prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.
(3) A code of conduct may apply in relation to any one or more of the following:
(a) Any specified information or class of information;
(b) any specified body or class of bodies;
(c) any specified activity or class of activities; or
(d) any specified industry, profession, or vocation or class of industries, professions, or vocations.
(4) A code of conduct must also—
(a) specify appropriate measures—
(i) for information matching programmes if such programmes are used within a specific sector; or
(ii) for protecting the legitimate interests of data subjects insofar as automated decision making, as referred to in section 71, is concerned;
(b) provide for the review of the code by the Regulator; and
(c) provide for the expiry of the code.
Process for issuing codes of conduct
61. (1) The Regulator may issue a code of conduct under section 60—
(a) on the Regulator’s own initiative, but after consultation with affected stakeholders or a body representing such stakeholders; or
(b) on the application, in the prescribed form, by a body which is, in the opinion of the Regulator, sufficiently representative of any class of bodies, or of any industry, profession, or vocation as defined in the code in respect of such class of bodies or of any such industry, profession or vocation.
(2) The Regulator must give notice in the Gazette that the issuing of a code of conduct is being considered, which notice must contain a statement that—
(a) the details of the code of conduct being considered, including a draft of the proposed code, may be obtained from the Regulator; and
(b) submissions on the proposed code may be made in writing to the Regulator within such period as is specified in the notice.
(3) The Regulator may not issue a code of conduct unless it has considered the submissions made to the Regulator in terms of subsection (2)(b), if any, and is satisfied that all persons affected by the proposed code have had a reasonable opportunity to be heard.
(4) The decision as to whether an application for the issuing of a code has been successful must be made within a reasonable period which must not exceed 13 weeks.
Notification, availability and commencement of code of conduct
62. (1) If a code of conduct is issued under section 60 the Regulator must ensure that—
(a) there is published in the Gazette, as soon as reasonably practicable after the code is issued, a notice indicating—
(i) that the code has been issued; and
(ii) where copies of the code are available for inspection free of charge and for purchase; and
(b) as long as the code remains in force, copies of it are available—
(i) on the Regulator’s website;
(ii) for inspection by members of the public free of charge at the Regulator’s offices; and
(iii) for purchase or copying by members of the public at a reasonable price at the Regulator’s offices.
(2) A code of conduct issued under section 60 comes into force on the 28th day after the date of its notification in the Gazette or on such later date as may be specified in the code and is binding on every class or classes of body, industry, profession or vocation referred to therein.
Procedure for dealing with complaints
63. (1) A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code, but no such provision may limit or restrict any provision of Chapter 10.
(2) If the code sets out procedures for making and dealing with complaints, the Regulator must be satisfied that—
(a) the procedures meet the—
(i) prescribed standards; and
(ii) guidelines issued by the Regulator in terms of section 65, relating to the making of and dealing with complaints;
(b) the code provides for the appointment of an independent adjudicator to whom complaints may be made;
(c) the code provides that, in exercising his or her powers and performing his or her functions, under the code, an adjudicator for the code must have due regard to the matters listed in section 44;
(d) the code requires the adjudicator to prepare and submit a report, in a form satisfactory to the Regulator, to the Regulator within five months of the end of a financial year of the Regulator on the operation of the code during that financial year; and
(e) the code requires the report prepared for each year to specify the number and nature of complaints made to an adjudicator under the code during the relevant financial year.
(3) A responsible party or data subject who is aggrieved by a determination, including any declaration, order or direction that is included in the determination, made by an adjudicator after having investigated a complaint relating to the protection of personal information under an approved code of conduct, may submit a complaint in terms of section 74(2) with the Regulator against the determination upon payment of a prescribed fee.
(4) The adjudicator’s determination continues to have effect unless and until the Regulator makes a determination under Chapter 10 relating to the complaint or unless the Regulator determines otherwise.
Amendment and revocation of codes of conduct
64. (1) The Regulator may amend or revoke a code of conduct issued under section 60.
(2) The provisions of sections 60 to 63 apply in respect of any amendment or revocation of a code of conduct.
Guidelines about codes of conduct
65. (1) The Regulator may provide written guidelines—
(a) to assist bodies to develop codes of conduct or to apply approved codes of conduct;
(b) relating to making and dealing with complaints under approved codes of conduct; and
(c) about matters the Regulator may consider in deciding whether to approve a code of conduct or a variation or revocation of an approved code of conduct.
(2) The Regulator must have regard to the guidelines as set out in section 7(3)(a) to (d) when considering the approval of a code of conduct for the processing of personal information for exclusively journalistic purposes where the responsible party is not subject to a code of ethics as referred to in section 7(1).
(3) Before providing guidelines for the purposes of subsection (1)(b), the Regulator must give everyone the Regulator considers has a real and substantial legitimate interest in the matters covered by the proposed guidelines an opportunity to comment on them.
(4) The Regulator must publish guidelines provided under subsection (1) in the Gazette.
Register of approved codes of conduct
66. (1) The Regulator must keep a register of approved codes of conduct.
(2) The Regulator may decide the form of the register and how it is to be kept.
(3) The Regulator must make the register available to the public in the way that the Regulator determines.
(4) The Regulator may charge reasonable fees for—
(a) making the register available to the public; or
(b) providing copies of, or extracts from, the register.
Review of operation of approved code of conduct
67. (1) The Regulator may, on its own initiative, review the operation of an approved code of conduct.
(2) The Regulator may do one or more of the following for the purposes of the review:
(a) Consider the process under the code for making and dealing with complaints;
(b) inspect the records of an adjudicator for the code;
(c) consider the outcome of complaints dealt with under the code;
(d) interview an adjudicator for the code; and
(e) appoint experts to review those provisions of the code that the Regulator believes require expert evaluation.
(3) The review may inform a decision by the Regulator under section 64 to revoke the approved code of conduct with immediate effect or at a future date to be determined by the Regulator.
Effect of failure to comply with code of conduct
68. If a code issued under section 60 is in force, failure to comply with the code is deemed to be a breach of the conditions for the lawful processing of personal information referred to in Chapter 3 and is dealt with in terms of Chapter 10.
CHAPTER 8
RIGHTS OF DATA SUBJECTS REGARDING DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING
Direct marketing by means of unsolicited electronic communications
69. (1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
(a) has given his, her or its consent to the processing; or
(b) is, subject to subsection (3), a customer of the responsible party.
(2) (a) A responsible party may approach a data subject—
(i) whose consent is required in terms of subsection (1)(a); and
(ii) who has not previously withheld such consent,
only once in order to request the consent of that data subject.
(b) The data subject’s consent must be requested in the prescribed manner and form.
(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—
(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
(b) for the purpose of direct marketing of the responsible party’s own similar products or services; and
(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
(i) at the time when the information was collected; and
(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
(4) Any communication for the purpose of direct marketing must contain—
(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
(b) an address or other contact details to which the recipient may send a request that such communications cease.
(5) “Automatic calling machine”, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.
Directories
70. (1) A data subject who is a subscriber to a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which his, her or its personal information is included, must be informed, free of charge and before the information is included in the directory—
(a) about the purpose of the directory; and
(b) about any further uses to which the directory may possibly be put, based on search functions embedded in electronic versions of the directory.
(2) A data subject must be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its personal information or to request verification, confirmation or withdrawal of such information if the data subject has not initially refused such use.
(3) Subsections (1) and (2) do not apply to editions of directories that were produced in printed or off-line electronic form prior to the commencement of this section.
(4) If the personal information of data subjects who are subscribers to fixed or mobile public voice telephony services have been included in a public subscriber directory in conformity with the conditions for the lawful processing of personal information prior to the commencement of this section, the personal information of such subscribers may remain included in this public directory in its printed or electronic versions, after having received the information required by subsection (1).
(5) “Subscriber”, for purposes of this section, means any person who is party to a contract with the provider of publicly available electronic communications services for the supply of such services.
Automated decision making
71. (1) Subject to subsection (2), a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.
(2) The provisions of subsection (1) do not apply if the decision—
(a) has been taken in connection with the conclusion or execution of a contract, and—
(i) the request of the data subject in terms of the contract has been met; or
(ii) appropriate measures have been taken to protect the data subject’s legitimate interests; or
(b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.
(3) The appropriate measures, referred to in subsection (2)(a)(ii), must—
(a) provide an opportunity for a data subject to make representations about a decision referred to in subsection (1); and
(b) require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).
CHAPTER 9
TRANSBORDER INFORMATION FLOWS
Transfers of personal information outside Republic
72. (1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—
(i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
(ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
(e) the transfer is for the benefit of the data subject, and—
(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
(ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
(2) For the purpose of this section—
(a) “binding corporate rules” means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
(b) “group of undertakings” means a controlling undertaking and its controlled undertakings.
CHAPTER 10
ENFORCEMENT
Interference with protection of personal information of data subject
73. For the purposes of this Chapter, interference with the protection of the personal information of a data subject consists, in relation to that data subject, of—
(a) any breach of the conditions for the lawful processing of personal information as referred to in Chapter 3;
(b) non-compliance with section 22, 54, 69, 70, 71 or 72; or
(c) a breach of the provisions of a code of conduct issued in terms of section 60.
Complaints
74. (1) Any person may submit a complaint to the Regulator in the prescribed manner and form alleging interference with the protection of the personal information of a data subject.
(2) A responsible party or data subject may, in terms of section 63(3), submit a complaint to the Regulator in the prescribed manner and form if he, she or it is aggrieved by the determination of an adjudicator.
Mode of complaints to Regulator
75. (1) A complaint to the Regulator must be made in writing.
(2) The Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Regulator, to put the complaint in writing.
Action on receipt of complaint
76. (1) On receiving a complaint in terms of section 74, the Regulator may—
(a) conduct a pre-investigation as referred to in section 79;
(b) act, at any time during the investigation and where appropriate, as conciliator in relation to any interference with the protection of the personal information of a data subject in the prescribed manner;
(c) decide, in accordance with section 77, to take no action on the complaint or, as the case may be, require no further action in respect of the complaint;
(d) conduct a full investigation of the complaint;
(e) refer the complaint, in terms of section 92, to the Enforcement Committee; or
(f) take such further action as is contemplated by this Chapter.
(2) The Regulator must, as soon as is reasonably practicable, advise the complainant and the responsible party to whom the complaint relates of the course of action that the Regulator proposes to adopt under subsection (1).
(3) The Regulator may, on its own initiative, commence an investigation into the interference with the protection of the personal information of a data subject as referred to in section 73.
Regulator may decide to take no action on complaint
77. (1) The Regulator, after investigating a complaint received in terms of section 73, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Regulator’s opinion—
(a) the length of time that has elapsed between the date when the subject matter of the complaint arose and the date when the complaint was made is such that an investigation of the complaint is no longer practicable or desirable;
(b) the subject matter of the complaint is trivial;
(c) the complaint is frivolous or vexatious or is not made in good faith;
(d) the complainant does not desire that action be taken or, as the case may be, continued;
(e) the complainant does not have a sufficient personal interest in the subject matter of the complaint; or
(f) in cases where the complaint relates to a matter in respect of which a code of conduct is in force and the code of conduct makes provision for a complaints procedure, the complainant has failed to pursue, or to pursue fully, an avenue of redress available under that complaints procedure that it would be reasonable for the complainant to pursue.
(2) Notwithstanding anything in subsection (1), the Regulator may in its discretion decide not to take any further action on a complaint if, in the course of the investigation of the complaint, it appears to the Regulator that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate.
(3) In any case where the Regulator decides to take no action, or no further action, on a complaint, the Regulator must inform the complainant of that decision and the reasons for it.
Referral of complaint to regulatory body
78. (1) If, on receiving a complaint in terms of section 74, the Regulator considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of another regulatory body established in terms of any law, the Regulator must forthwith determine whether the complaint should be dealt with, in whole or in part, under this Act after consultation with the body concerned.
(2) If the Regulator determines that the complaint should be dealt with by another body, the Regulator must forthwith refer the complaint to that body to be dealt with accordingly and must notify the complainant of the referral.
Pre-investigation proceedings of Regulator
79. Before proceeding to investigate any matter in terms of this Chapter, the Regulator must, in the prescribed manner, inform—
(a) the complainant, the data subject to whom the investigation relates (if not the complainant) and any person alleged to be aggrieved (if not the complainant), of the Regulator’s intention to conduct the investigation; and
(b) the responsible party to whom the investigation relates of the—
(i) details of the complaint or, as the case may be, the subject matter of the investigation; and
(ii) right of that responsible party to submit to the Regulator, within a reasonable period, a written response in relation to the complaint or, as the case may be, the subject-matter of the investigation.
Settlement of complaints
80. If it appears from a complaint, or any written response made in relation to a complaint under section 79(b)(ii), that it may be possible to secure—
(a) a settlement between any of the parties concerned; and
(b) if appropriate, a satisfactory assurance against the repetition of any action that is the subject matter of the complaint or the doing of further actions of a similar kind by the person concerned,
the Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the prescribed manner, use its best endeavours to secure such a settlement and assurance.
Investigation proceedings of Regulator
81. For the purposes of the investigation of a complaint the Regulator may—
(a) summon and enforce the appearance of persons before the Regulator and compel them to give oral or written evidence on oath and to produce any records and things that the Regulator considers necessary to investigate the complaint, in the same manner and to the same extent as the High Court;
(b) administer oaths;
(c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Regulator sees fit, whether or not it is or would be admissible in a court of law;
(d) at any reasonable time, subject to section 81, enter and search any premises occupied by a responsible party;
(e) conduct a private interview with any person in any premises entered under section 84 subject to section 82; and
(f) otherwise carry out in those premises any inquiries that the Regulator sees fit in terms of section 82.
Issue of warrants
82. (1) A judge of the High Court, a regional magistrate or a magistrate, if satisfied by information on oath supplied by the Regulator that there are reasonable grounds for suspecting that—
(a) a responsible party is interfering with the protection of the personal information of a data subject; or
(b) an offence under this Act has been or is being committed,
and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, that are within the jurisdiction of that judge or magistrate, may, subject to subsection (2), grant a warrant to enter and search such premises.
(2) A warrant issued under subsection (1) authorises any of the Regulator’s members or staff members, subject to section 84, at any time within seven days of the date of the warrant to enter the premises as identified in the warrant, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal information and to inspect and seize any record, other material or equipment found there which may be such evidence as is mentioned in that subsection.
Requirements for issuing of warrant
83. (1) A judge or magistrate must not issue a warrant under section 82 unless satisfied that—
(a) the Regulator has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises;
(b) either—
(i) access was demanded at a reasonable hour and was unreasonably refused; or
(ii) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by any of the Regulator’s members or staff to permit the members or the members of staff to do any of the things referred to in section 82(2); and
(c) that the occupier, has, after the refusal, been notified by the Regulator of the application for the warrant and has had an opportunity of being heard on the question whether the warrant should be issued.
(2) Subsection (1) does not apply if the judge or magistrate is satisfied that the case is one of urgency or that compliance with that subsection would defeat the object of the entry.
(3) A judge or magistrate who issues a warrant under section 82 must also issue two copies of it and certify them clearly as copies.
Execution of warrants
84. (1) A police officer who is assisting a person authorised to conduct an entry and search in terms of a warrant issued under section 82 may overcome resistance to the entry and search by using such force as is reasonably necessary.
(2) A warrant issued under this section must be executed at a reasonable hour unless it appears to the person executing it that there are reasonable grounds for suspecting that the evidence in question would not be found if it were so executed.
(3) If the person who occupies the premises in respect of which a warrant is issued under section 82 is present when the warrant is executed, he or she must be shown the warrant and supplied with a copy of it, and if that person is not present a copy of the warrant must be left in a prominent place on the premises.
(4) A person seizing anything in pursuance of a warrant under section 82 must give a receipt to the occupier or leave the receipt on the premises.
(5) Anything so seized may be retained for as long as is necessary in all circumstances but the person in occupation of the premises in question must be given a copy of any documentation that is seized if he or she so requests and the person executing the warrant considers that it can be done without undue delay.
(6) A person authorised to conduct an entry and search in terms of section 82 must be accompanied and assisted by a police officer.
(7) A person who enters and searches any premises under this section must conduct the entry and search with strict regard for decency and order, and with regard to each person’s right to dignity, freedom, security and privacy.
(8) A person who enters and searches premises under this section must before questioning any person—
(a) advise that person of the right to be assisted at the time by an advocate or attorney; and
(b) allow that person to exercise that right.
(9) No self-incriminating answer given or statement made to a person who conducts a search in terms of a warrant issued under section 82 is admissible as evidence against the person who gave the answer or made the statement in criminal proceedings, except in criminal proceedings for perjury or in which that person is tried for an offence contemplated in section 102 and then only to the extent that the answer or statement is relevant to prove the offence charged.
Matters exempt from search and seizure
85. If the Regulator has granted an exemption in terms of section 37, the information that is processed in terms of that exemption is not subject to search and seizure empowered by a warrant issued under section 82.
Communication between legal adviser and client exempt
86. (1) Subject to the provisions of this section, the powers of search and seizure conferred by a warrant issued under section 82 must not be exercised in respect of—
(a) any communication between a professional legal adviser and his or her client in connection with the giving of legal advice to the client with respect to his or her obligations, liabilities or rights; or
(b) any communication between a professional legal adviser and his or her client, or between such an adviser or his or her client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act, including proceedings before a court, and for the purposes of such proceedings.
(2) Subsection (1) applies also to—
(a) any copy or other record of any such communication as is mentioned therein; and
(b) any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings as are mentioned therein.
Objection to search and seizure
87. If the person in occupation of any premises in respect of which a warrant is issued under this Act objects to the inspection or seizure under the warrant of any material on the ground that it—
(a) contains privileged information and refuses the inspection or removal of such article or document, the person executing the warrant or search must, if he or she is of the opinion that the article or document contains information that has a bearing on the investigation and that such information is necessary for the investigation, request the Registrar of the High Court which has jurisdiction or his or her delegate, to attach and remove that article or document for safe custody until a court of law has made a ruling on the question whether the information concerned is privileged or not; or
(b) consists partly of matters in respect of which those powers are not exercised, he or she must, if the person executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt from those powers.
Return of warrants
88. A warrant issued under section 82 must be returned to the court from which it was issued—
(a) after being executed; or
(b) if not executed within the time authorised for its execution,
and the person who has executed the warrant must make an endorsement on it stating what powers have been exercised by him or her under the warrant.
Assessment
89. (1) The Regulator, on its own initiative, or at the request by or on behalf of the responsible party, data subject or any other person must make an assessment in the prescribed manner of whether an instance of processing of personal information complies with the provisions of this Act.
(2) The Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on request, the Regulator has not been supplied with such information as it may reasonably require in order to—
(a) satisfy itself as to the identity of the person making the request; and
(b) enable it to identify the action in question.
(3) The matters to which the Regulator may have regard in determining whether it is appropriate to make an assessment include—
(a) the extent to which the request appears to it to raise a matter of substance;
(b) any undue delay in making the request; and
(c) whether or not the person making the request is entitled to make an application in terms of section 23 or 24 in respect of the personal information in question.
(4) If the Regulator has received a request under this section it must notify the requester—
(a) whether it has made an assessment as a result of the request; and
(b) to the extent that it considers appropriate, having regard in particular to any exemption which has been granted by the Regulator in terms of section 37 from section 23 or 24 applying in relation to the personal information concerned, of any view formed or action taken as a result of the request.
Information notice
90. (1) If the Regulator—
(a) has received a request under section 89 in respect of any processing of personal information; or
(b) reasonably requires any information for the purpose of determining whether the responsible party has interfered or is interfering with the personal information of a data subject,
the Regulator may serve the responsible party with an information notice requiring the responsible party to furnish the Regulator, within a specified period, in a form specified in the notice, with a report indicating that the processing is taking place in compliance with the provisions of the Act, or with such information relating to the request or to compliance with the Act as is so specified.
(2) An information notice must contain particulars of the right of appeal conferred by section 97, and—
(a) in a case falling within subsection (1)(a), a statement that the Regulator has received a request under section 89 in relation to the specified processing; or
(b) in a case falling within subsection (1)(b), a statement that the Regulator regards the specified information as relevant for the purpose of determining whether the responsible party has complied, or is complying, with the conditions for the lawful processing of personal information and the reasons for regarding it as relevant for that purpose.
(3) Subject to subsection (5), the period specified in an information notice must not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
(4) If the Regulator considers that the information is required as a matter of urgency, it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.
(5) A notice in terms of subsection (4) may not require the information to be furnished before the end of a period of three days beginning with the day on which the notice is served.
(6) An information notice may not require a responsible party to furnish the Regulator with any communication between a—
Protection Of Personal Information Act, 2013
Act No. 4 of 2013
98
(a)professionallegaladviserandhisorherclientinconnectionwiththegivingof legaladviceontheclient’sobligations, liabilitiesorrightsunderthisAct;or
(b) professional legaladviserandhisorherclient,orbetweensuchan adviser or his or her client and any other person, made inconnectionwithorincontemplationofproceedingsunderorarisingoutofthisAct(includingproceedingsbeforeacourt)andforthepurposesofsuchproceedings.
(7) Insubsection(6) referencestotheclientofaprofessional legaladviserincludeanypersonrepresentingsuchaclient.
(8) An information noticemay not require a responsible party to furnishthe Regulator with information that would, by revealing evidence ofthecommissionofanyoffenceotherthananoffenceunderthisAct,exposetheresponsiblepartytocriminalproceedings.
(9)TheRegulatormaycancelaninformationnoticebywrittennoticetothe responsible party on whom it was served.
Parties to be informed of result of assessment
91. (1) After completing the assessment referred to in section 89 the Regulator—
(a) must report to the responsible party the results of the assessment and any recommendations that the Regulator considers appropriate; and
(b) may, in appropriate cases, require the responsible party, within a specified time, to inform the Regulator of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken.
(2) The Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so.
(3) A report made by the Regulator under subsection (1) is deemed to be the equivalent of an enforcement notice in terms of section 95.
Matters referred to Enforcement Committee
92. (1) After completing the investigation of a complaint or other matter in terms of this Act, the Regulator may refer such complaint or other matter to the Enforcement Committee for consideration, a finding in respect of the complaint or other matter and a recommendation in respect of the proposed action to be taken by the Regulator as referred to in section 93.
(2) The Regulator may prescribe the procedure to be followed by the Enforcement Committee, including—
(a) the manner in which the responsible party and data subject may make submissions to the Enforcement Committee;
(b) the opportunity afforded to the parties who make submissions to the Enforcement Committee to make use of legal or other representation;
(c) the period within which the Enforcement Committee must make a finding and submit its recommendation to the Regulator in respect of the complaint or other matter; and
(d) the manner in which the Enforcement Committee may finalise urgent matters.
Functions of Enforcement Committee
93. The Enforcement Committee—
(a) must consider all matters referred to it by the Regulator in terms of section 92 or the Promotion of Access to Information Act and make a finding in respect thereof; and
(b) may make any recommendation to the Regulator necessary or incidental to any action that should be taken against—
(i) a responsible party in terms of this Act; or
(ii) an information officer or head of a private body, as the case may be, in terms of the Promotion of Access to Information Act.
Parties to be informed of developments during and result of investigation
94. If an investigation is made following a complaint, and—
(a) the Regulator believes that no interference with the protection of the personal information of a data subject has taken place and therefore does not serve an enforcement notice;
(b) the Regulator has referred the complaint to the Enforcement Committee for consideration in terms of section 92;
(c) an enforcement notice is served in terms of section 95;
(d) a served enforcement notice is cancelled in terms of section 96;
(e) an appeal is lodged against the enforcement notice for cancellation or variation of the notice in terms of section 97; or
(f) an appeal against an enforcement notice is allowed, the notice is substituted or the appeal is dismissed in terms of section 98,
the Regulator must inform the complainant and the responsible party, as soon as reasonably practicable, in the manner prescribed of any development mentioned in paragraphs (a) to (f) and the result of the investigation.
Enforcement notice
95. (1) If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 93, is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject as referred to in section 73, the Regulator may serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:
(a) To take specified steps within a period specified in the notice, or to refrain from taking such steps; or
(b) to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice.
(2) An enforcement notice must contain—
(a) a statement indicating the nature of the interference with the protection of the personal information of the data subject and the reasons for reaching that conclusion; and
(b) particulars of the rights of appeal conferred by section 97.
(3) Subject to subsection (4), an enforcement notice may not require any of the provisions of the notice to be complied with before the end of the period within which an appeal may be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.
(4) If the Regulator considers that an enforcement notice should be complied with as a matter of urgency it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.
(5) A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the end of a period of three days beginning with the day on which the notice is served.
Cancellation of enforcement notice
96. (1) A responsible party on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal may be brought against that notice, apply in writing to the Regulator for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the conditions for the lawful processing of personal information.
(2) If the Regulator considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with a condition for the lawful processing of personal information or conditions to which it relates, it may cancel or vary the notice by written notice to the responsible party on whom it was served.
Right of appeal
97. (1) A responsible party on whom an information or enforcement notice has been served may, within 30 days of receiving the notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.
(2) A complainant, who has been informed of the result of the investigation in terms of section 77(3) or 96, may, within 180 days of receiving the result, appeal to the High Court having jurisdiction against the result.
Consideration of appeal
98. (1) If in an appeal under section 97 the court considers—
(a) that the notice or decision against which the appeal is brought is not in accordance with the law; or
(b) that the notice or decision involved an exercise of discretion by the Regulator that ought to have been exercised differently,
the court must allow the appeal and may set aside the notice or substitute such other notice or decision as should have been served or made by the Regulator.
(2) In such an appeal, the court may review any determination of fact on which the notice in question was based.
Civil remedies
99. (1) A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.
(2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:
(a) Vis major;
(b) consent of the plaintiff;
(c) fault on the part of the plaintiff;
(d) compliance was not reasonably practicable in the circumstances of the particular case; or
(e) the Regulator has granted an exemption in terms of section 37.
(3) A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including—
(a) payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of this Act;
(b) aggravated damages, in a sum determined in the discretion of the Court;
(c) interest; and
(d) costs of suit on such scale as may be determined by the Court.
(4) Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:
(a) The full amount must be deposited into a specifically designated trust account established by the Regulator with an appropriate financial institution;
(b) as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made to the data subject in terms of subsection (5); and
(c) the balance, if any (in this section referred to as the ‘‘distributable balance’’), must be distributed by the Regulator to the data subject at whose request the proceedings were brought.
(5) Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection (4), accrue to the Regulator in the Regulator’s official capacity.
(6) The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).
(7) A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate public media announcement as the Court considers appropriate.
(8) Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or compromise must be made an order of Court.
(9) If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such other public media announcement as the Court considers appropriate.
CHAPTER 11
OFFENCES, PENALTIES AND ADMINISTRATIVE FINES
Obstruction of Regulator
100. Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the direction of the Regulator in the performance of the Regulator’s duties and functions under this Act, is guilty of an offence.
Breach of confidentiality
101. Any person who contravenes the provisions of section 54, is guilty of an offence.
Obstruction of execution of warrant
102. Any person who—
(a) intentionally obstructs a person in the execution of a warrant issued under section 82; or
(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he or she may reasonably require for the execution of the warrant,
is guilty of an offence.
Failure to comply with enforcement or information notices
103. (1) A responsible party which fails to comply with an enforcement notice served in terms of section 95, is guilty of an offence.
(2) A responsible party which, in purported compliance with an information notice served in terms of section 90—
(a) makes a statement knowing it to be false; or
(b) recklessly makes a statement which is false, in a material respect,
is guilty of an offence.
Offences by witnesses
104. (1) Any person summoned in terms of section 81 to attend and give evidence or to produce any book, document or object before the Regulator who, without sufficient cause fails—
(a) to attend at the time and place specified in the summons;
(b) to remain in attendance until conclusion of the proceedings or until he or she is excused by the Chairperson of the Regulator from further attendance;
(c) having attended, refuses to be sworn or to make an affirmation as witness after he or she has been required by the Chairperson of the Regulator to do so;
(d) having been sworn or having made an affirmation, to answer fully and satisfactorily any question lawfully put to him or her; or
(e) to produce any book, document or object in his or her possession or custody or under his or her control, which he or she has been summoned to produce,
is guilty of an offence.
(2) Any person who after having been sworn or having made an affirmation, gives false evidence before the Regulator on any matter, knowing such evidence to be false or not knowing or believing it to be true, is guilty of an offence.
Unlawful acts by responsible party in connection with account number
105. (1) A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence.
(2) The contravention referred to in subsection (1) must—
(a) be of a serious or persistent nature; and
(b) likely cause substantial damage or distress to the data subject.
(3) The responsible party must—
(a) have known or ought to have known that—
(i) there was a risk that the contravention would occur; or
(ii) such contravention would likely cause substantial damage or distress to the data subject; and
(b) have failed to take reasonable steps to prevent the contravention.
(4) Whenever a responsible party is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that he or she has taken all reasonable steps to comply with the provisions of section 8.
(5) ‘‘Account number’’, for purposes of this section and section 106, means any unique identifier that has been assigned—
(a) to one data subject only; or
(b) jointly to more than one data subject,
by a financial or other institution which enables the data subject, referred to in paragraph (a), to access his, her or its own funds or to access credit facilities or which enables a data subject, referred to in paragraph (b), to access joint funds or to access joint credit facilities.
Unlawful acts by third parties in connection with account number
106. (1) A person who knowingly or recklessly, without the consent of the responsible party—
(a) obtains or discloses an account number of a data subject; or
(b) procures the disclosure of an account number of a data subject to another person,
is, subject to subsection (2), guilty of an offence.
(2) Whenever a person is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that—
(a) the obtaining, disclosure or procuring of the account number was—
(i) necessary for the purpose of the prevention, detection, investigation or proof of an offence; or
(ii) required or authorised in terms of the law or in terms of a court order;
(b) he or she acted in the reasonable belief that he or she was legally entitled to obtain or disclose the account number or, as the case may be, to procure the disclosure of the account number to the other person;
(c) he or she acted in the reasonable belief that he or she would have had the consent of the responsible party if the responsible party had known of the obtaining, disclosing or procuring and the circumstances of it; or
(d) in the particular circumstances the obtaining, disclosing or procuring was in the public interest.
(3) A person who sells an account number which he or she has obtained in contravention of subsection (1), is guilty of an offence.
(4) A person who offers to sell the account number of a data subject which that person—
(a) has obtained; or
(b) subsequently obtained,
in contravention of subsection (1), is guilty of an offence.
(5) For the purposes of subsection (4), an advertisement indicating that an account number of a data subject is or may be for sale is an offer to sell the information.
Penalties
107. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—
(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or
(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.
Magistrate’s Court jurisdiction to impose penalties
108. Despite anything to the contrary contained in any other law, a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107.
Administrative fines
109. (1) If a responsible party is alleged to have committed an offence in terms of this Act, the Regulator may cause to be delivered by hand to that person (hereinafter referred to as the infringer) an infringement notice which must contain the particulars contemplated in subsection (2).
(2) A notice referred to in subsection (1) must—
(a) specify the name and address of the infringer;
(b) specify the particulars of the alleged offence;
(c) specify the amount of the administrative fine payable, which amount may, subject to subsection (10), not exceed R10 million;
(d) inform the infringer that, not later than 30 days after the date of service of the infringement notice, the infringer may—
(i) pay the administrative fine;
(ii) make arrangements with the Regulator to pay the administrative fine in instalments; or
(iii) elect to be tried in court on a charge of having committed the alleged offence referred to in terms of this Act; and
(e) state that a failure to comply with the requirements of the notice within the time permitted, will result in the administrative fine becoming recoverable as contemplated in subsection (5).
(3) When determining an appropriate fine, the Regulator must consider the following factors:
(a) The nature of the personal information involved;
(b) the duration and extent of the contravention;
(c) the number of data subjects affected or potentially affected by the contravention;
(d) whether or not the contravention raises an issue of public importance;
(e) the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;
(f) whether the responsible party or a third party could have prevented the contravention from occurring;
(g) any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and
(h) whether the responsible party has previously committed an offence in terms of this Act.
(4) If an infringer elects to be tried in court on a charge of having committed the alleged offence in terms of this Act, the Regulator must hand the matter over to the South African Police Service and inform the infringer accordingly.
(5) If an infringer fails to comply with the requirements of a notice, the Regulator may file with the clerk or registrar of any competent court a statement certified by it as correct, setting forth the amount of the administrative fine payable by the infringer, and such statement thereupon has all the effects of a civil judgment lawfully given in that court in favour of the Regulator for a liquid debt in the amount specified in the statement.
(6) The Regulator may not impose an administrative fine contemplated in this section if the responsible party concerned has been charged with an offence in terms of this Act in respect of the same set of facts.
(7) No prosecution may be instituted against a responsible party if the responsible party concerned has paid an administrative fine in terms of this section in respect of the same set of facts.
(8) An administrative fine imposed in terms of this section does not constitute a previous conviction as contemplated in Chapter 27 of the Criminal Procedure Act, 1977 (Act No. 51 of 1977).
(9) A fine payable in terms of this section must be paid into the National Revenue Fund referred to in section 213 of the Constitution.
(10) The Minister may, from time to time and after consultation with the Regulator, by notice in the Gazette, adjust the amount referred to in subsection (2)(c) in accordance with the average of the consumer price index, as published from time to time in the Gazette, for the immediately preceding period of 12 months multiplied by the number of years that the amount referred to in subsection (2)(c) has remained the same.
CHAPTER 12
GENERAL PROVISIONS
Amendment of laws
110. The laws mentioned in the Schedule are amended to the extent indicated in the third column of the Schedule.
Fees
111. (1) The Minister may, subject to section 113 and after consultation with the Regulator, prescribe fees to be paid by data subjects—
(a) to responsible parties as referred to in section 23(1)(b)(ii); and
(b) to the Regulator as referred to in section 63(3).
(2) Different fees may be prescribed in respect of different categories of responsible parties and data subjects referred to in subsection (1)(a) and (b), respectively.
Regulations
112. (1) The Minister may, subject to section 113, make regulations relating to—
(a) the establishment of the Regulator; and
(b) fees referred to in section 111(1).
(2) The Regulator may, subject to section 113, make regulations relating to—
(a) the manner in terms of which a data subject may object to the processing of personal information as referred to in section 11(3);
(b) the manner in which a data subject may submit a request to a responsible party as referred to in section 24(1);
(c) the processing of health information by certain responsible parties as referred to in section 32(6);
(d) the responsibilities of information officers as referred to in section 55(1)(e);
(e) the form in terms of which an application for a code of conduct must be submitted to the Regulator as referred to in section 61(1)(b);
(f) the manner and form within which the data subject’s consent must be requested as referred to in section 69(2)
(g) the manner and form in terms of which a complaint must be submitted in terms of section 74;
(h) the Regulator acting as conciliator in relation to any interference with the protection of personal information as referred to in section 76(1)(b);
(i) the notification of the parties concerned of an investigation to be conducted as referred to in section 79;
(j) the settlement of complaints as referred to in section 80;
(k) the manner in which an assessment of the processing of personal information will be made as referred to in section 89(1);
(l) the manner in terms of which the parties concerned must be informed of the developments during and result of an investigation as referred to in section 94; and
(m) matters incidental to the imposition of administrative fines as referred to in section 109.
Procedure for making regulations
113. (1) The Minister, before making or amending any regulations referred to in section 112(1), must publish a notice in the Gazette—
(a) setting out that draft regulations have been developed;
(b) specifying where a copy of the draft regulations may be obtained; and
(c) inviting written comments to be submitted on the proposed regulations within a specified period.
(2) After complying with subsection (1) and after consultation with the Regulator in respect of the draft regulations referred to in section 112, the Minister may—
(a) amend the draft regulations; and
(b) subject to subsection (5), publish the regulations in final form in the Gazette.
(3) The Regulator, before making or amending any regulations referred to in section 112(2), must publish a notice in the Gazette—
(a) setting out that draft regulations have been developed;
(b) specifying where a copy of the draft regulations may be obtained; and
(c) inviting written comments to be submitted on the proposed regulations within a specified period.
(4) After complying with subsection (3), the Regulator may—
(a) amend the draft regulations; and
(b) subject to subsection (5), publish the regulations in final form in the Gazette.
(5) (a) The Minister or the Regulator, as the case may be, must, within days before publication of the regulations in the Gazette, as referred to in subsection (2)(b) or (4)(b), table them in Parliament.
(b) Subsection (1) or (3) does not apply in respect of any amendment of the regulations as a result of the process referred to in paragraph (a).
Transitional arrangements
114. (1) All processing of personal information must within one year after the commencement of this section be made to conform to this Act.
(2) The period of one year referred to in subsection (1) may be extended by the Minister, on request or of his or her own accord and after consultation with the Regulator, by notice in the Gazette in respect of different class or classes of information and bodies by an additional period which period may not exceed three years.
(3) Section 58(2) does not apply to processing referred to in section 57, which is taking place on the date of commencement of this Act, until the Regulator determines otherwise by notice in Gazette.
(4) The South African Human Rights Commission must, in consultation with the Information Regulator, finalise or conclude its functions referred to in sections 83 and 84 of the Promotion of Access to Information Act, as soon as reasonably possible after the amendment of those sections in terms of this Act.
Short title and commencement
115. (1) This Act is called the Protection of Personal Information Act, 2013, and commences on a date determined by the President by proclamation in the Gazette.
(2) Different dates of commencement may be determined in respect of different provisions of this Act or in respect of different class or classes of information and bodies.
SCHEDULE
LAWS AMENDED BY SECTION 110
No. and year of law Short title Extent of repeal or amendment
Act 23 of 1994 Public Protector Act, 1994
1. The amendment of section 6 by the—
(a) substitution for paragraph (b) of subsection (4) of the following paragraph:
‘‘(b) to endeavour, in his or her sole discretion, to resolve any dispute or rectify any act or omission by—
(i) mediation, conciliation or negotiation;
(ii) advising, where necessary, any complainant regarding appropriate remedies; or
(iii) any other means that may be expedient in the circumstances; and’’;
(b) substitution for paragraph (c) of subsection (4) of the following paragraph:
‘‘(c) at a time prior to, during or after an investigation—
(i) if he or she is of the opinion that the facts disclose the commission of an offence by any person, to bring the matter to the notice of the relevant authority; and charged with prosecutions; or
(ii) if he or she deems it advisable, to refer any matter which has a bearing on an investigation, to the appropriate public body or authority; and affected by it or to make an appropriate recommendation regarding the redress of the prejudice resulting therefrom or make any other appropriate recommendation he or she deems expedient to the affected public body or authority[; and].’’; and
(c) deletion of paragraph (d) of subsection (4).
Act 2 of 2000 Promotion of Access to Information Act, 2000
1. The amendment of section 1 by the—
(a) insertion, after the definition of ‘‘application’’ of the following definition:
‘‘ ‘biometrics’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;’’;
(b) omission of the definition of ‘‘Human Rights Commission’’;
(c) substitution for the definition of ‘‘personal information’’ of the following definition:
‘‘ ‘personal information’ means information relating to an identifiable natural person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,
but excludes information about an individual who has been dead for more than 20 years;’’;
(d) omission of the definition of ‘‘personal requester’’; and
(e) insertion after the definition of ‘‘record’’ of the following definition:
‘‘ ‘Information Regulator’ means the Information Regulator established in terms of section 39 of the Protection of Personal Information Act, 2013;’’.
2. The amendment of section 10 by the substitution of the following section:
‘‘10. (1) The [Human Rights Commission] Information Regulator must [, within three years after the commencement of this section, compile in each official language a] update and make available the existing guide that has been compiled by the South African Human Rights Commission containing such information, in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in this Act and the Protection of Personal Information Act, 2013.
(2) The guide must, without limiting the generality of subsection (1), include a description of—
(a) the objects of this Act and the Protection of Personal Information Act, 2013;
[(b) the postal and street address, phone and fax number and, if available, electronic mail address of—
(i) the information officer of every public body; and
(ii) every deputy information officer of every public body designated in terms of section 17(1);
(c) such particulars of every private body as are practicable;
(d)](b) the manner and form of a request for—
(i) access to a record of a public body contemplated in section 11; and
(ii) access to a record of a private body contemplated in section 50;
[(e)](c) the assistance available from the information officer of a public body in terms of this Act and the Protection of Personal Information Act, 2013;
[(f)](d) the assistance available from the [Human Rights Commission] Information Regulator in terms of this Act and the Protection of Personal Information Act, 2013;
[(g)](e) all remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by this Act and the Protection of Personal Information Act, 2013, including the manner of lodging—
(i) an internal appeal; [and]
(ii) a complaint to the Information Regulator; and
(iii) an application with a court against a decision by the information officer of a public body, a decision on internal appeal, a decision by the Information Regulator or a decision of the head of a private body;
[(h)](f) the provisions of sections 14 and 51 requiring a public body and private body, respectively, to compile a manual, and how to obtain access to a manual;
[(i)](g) the provisions of sections 15 and 52 providing for the voluntary disclosure of categories of records by a public body and private body, respectively;
[(j)](h) the notices issued in terms of sections 22 and 54 regarding fees to be paid in relation to requests for access; and
[(k)](i) the regulations made in terms of section 92.
(3) The [Human Rights Commission] Information Regulator must, if necessary, update and publish the guide at intervals of not more than two years.
(4) The guide must be made available as prescribed.’’.
3. The amendment of section 11 by the substitution for subsection (2) of the following subsection:
‘‘(2) A request contemplated in subsection (1) [includes] excludes a request for access to a record containing personal information about the requester.’’.
4. The amendment of section 14 by the—
(a) substitution for subsection (1) for the following subsection:
‘‘(1) [Within six months after the commencement of this section or the coming into existence of a public body, the] The information officer of [the] a public body [concerned] must [compile] in at least three official languages make available, as referred to in subsection (3), a manual containing—
(a) in general
(i) a description of its structure and functions;
[(b)](ii) the postal and street address, phone and fax number and, if available, electronic mail address of the information officer of the body and of every deputy information officer of the body designated in terms of section 17(1);
(iii) a description of all remedies available in respect of an act or a failure to act by the body; and
(iv) such other information as may be prescribed;
(b) insofar as this Act is concerned—
(i) a description of the guide referred to in section 10, if available, and how to obtain access to it;
[(d)](ii) sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject;
[(e)](iii) the latest notice, in terms of section 15(2), if any, regarding the categories of records of the body which are available without a person having to request access in terms of this Act;
[(f)](iv) a description of the services available to members of the public from the body and how to gain access to those services; and
[(g)](v) a description of any arrangement or provision for a person (other than a public body referred to in paragraph (a) or (b)(i) of the definition of
representations or otherwise,
to participate in or influence—
[(i)](aa) the formulation of policy; or
[(ii)](bb) the exercise of powers or performance of duties,
by the body;
(c) insofar as the Protection of Personal Information Act, 2013, is concerned—
(i) the purpose of the processing;
(ii) a description of the categories of data subjects and of the information or categories of information relating thereto;
(iii) the recipients or categories of recipients to whom the personal information may be supplied;
(iv) planned transborder flows of personal information; and
(v) a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.
[(h) a description of all remedies available in respect of an act or a failure to act by the body; and
(i) such other information as may be prescribed.]’’; and
(b) by the substitution for subsection (3) of the following subsection:
‘‘(3) [Each manual must be made available as prescribed] The manual referred to in subsection (1), or the updated version thereof as referred to in subsection (2) must be made available—
(a) on the web site, if any, of the public body;
(b) at the head office of the public body for public inspection during normal business hours;
(c) to any person upon request and upon the payment of a reasonable amount; and
(d) to the Information Regulator upon request.’’.
5. The amendment of section 15 by the—
(a) substitution for the words preceding paragraph (a) of subsection (1) of the following words:
‘‘(1) The information officer of a public body, referred to in paragraph (a) or (b)(i) of the definition of
‘public body’ in section 1, must [, on a periodic basis not less frequently than once a year, submit to the Minister] make available in the prescribed manner a description of—’’;
(b) deletion of subsection (2); and
(c) substitution of subsection (3) of the following subsection:
‘‘(3) The only fee payable (if any) for access to a record [included in a notice in terms of subsection (2)] referred to in subsection (1) is a prescribed fee for reproduction.’’
6. The amendment of section 21 by the substitution of paragraphs (a) and (b) of the following paragraphs:
‘‘(a) the periods for lodging an internal appeal, a complaint to the Information Regulator, an application with a court or an appeal against a decision of that court have expired; or
(b) that internal appeal, complaint to the Information Regulator, application or appeal against a decision of that court or other legal proceedings in connection with the request has been finally determined,’’.
7. The amendment of section 22 by the substitution for—
(a) subsection (1) of the following subsection:
‘‘(1) The information officer of a public body to whom a request for access is made, must by notice require the requester [, other than a personal requester,] to pay the prescribed request fee (if any), before further processing the request.’’;
(b) subsection (2) of the following subsection:
‘‘(2) If—
(a) the search for a record of a public body in respect of which a request for access by a requester [, other than a personal requester,] has been made; and
(b) the preparation of the record for disclosure (including any arrangements contemplated in section 29(2)(a) and (b)(i) and (ii)(aa)),
would, in the opinion of the information officer of the body, require more than the hours prescribed for this purpose for requesters, the information officer must by notice require the requester [, other than a personal requester,] to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable if the request is granted.’’; and
(c) for subsection (3) of the following subsection:
‘‘(3) The notice referred to in subsection (1) or (2) must state—
(a) the amount of the deposit payable in terms of subsection (2), if applicable;
(b) that the requester may lodge an internal appeal, a complaint to the Information Regulator or an application with a court, as the case may be, against the tender or payment of the request fee in terms of subsection (1), or the tender or payment of a deposit in terms of subsection (2), as the case may be; and
(c) the procedure (including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may.’’.
8. The amendment of section 25 by the—
(a) substitution for paragraph (c) of subsection (2) of the following paragraph:
‘‘(c) that the requester may lodge an internal appeal, a complaint to the Information Regulator or an application with a court, as the case may be, against the access fee to be paid or the form of access granted, and the procedure
(including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be.’’; and
(b) substitution for paragraph (c) of subsection (3) of the following paragraph:
‘‘(c) state that the requester may lodge an internal appeal, complaint to the Information Regulator or an application with a court, as the case may be, against the refusal of the request, and the procedure (including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be.’’.
9. The amendment of section 26 by the substitution for paragraph (c) of subsection (3) of the following paragraph:
‘‘(c) that the requester may lodge an internal appeal, complaint to the Information Regulator or an application with a court, as the case may be, against the extension, and the procedure (including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be.’’.
10. The amendment of section 29 by the substitution of subsection (9) for the following subsection:
‘‘(9) If an internal appeal, complaint to the Information Regulator or an application to a court, as the case may be, is lodged against the granting of a request for access to a record, access to the record may be given only when the decision to grant the request is finally confirmed.’’
11. The amendment of section 49 by the—
(a) substitution of paragraphs (b) and (c) of subsection (3) for the following paragraphs:
‘‘(b) that the third party may lodge an internal appeal, complaint to the Information Regulator or an application, as the case may be, against the decision within 30 days after notice is given, and the procedure for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be; and
(c) that the requester will be given access to the record after the expiry of the applicable period contemplated in paragraph (b), unless such internal appeal, complaint to the Information Regulator or application with a
court is lodged within that period.’’; and
.‘‘(4) If the information officer of a public body decides in terms of subsection (1) to grant the request for access concerned, he or she must give the requester access to the record concerned after the expiry of 30 days after notice is given in terms of subsection (1)(b), unless an internal appeal, complaint to the Information Regulator or an application with a court, as the case may be, is lodged against the decision within that period.’’.
12. The amendment of section 51 by—
(a) by the substitution of subsection (1) for the following subsection:
‘(1) [Within six months after the commencement of this section or the coming into existence of the private body concerned, the] The head of a private body must [compile] make a manual available in terms of subsection (3) containing—
(a) in general—
(i) the postal and street address, phone and fax number and, if available, electronic mail address of the head of the body; and
(ii) such other information as may be prescribed;
(b) insofar as this Act is concerned—
[(b)](i) a description of the guide referred to in section 10, if available, and how to obtain access to it;
[(c)](ii) the latest notice in terms of section 52(2), if any, regarding the categories of record of the body which are available without a person having to request access in terms of this Act;
[(d)](iii) a description of the records of the body which are available in accordance with any other legislation; and
[(e)](iv) sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject; [and]
(c) insofar as the Protection of Personal Information Act, 2013, is concerned—
(i) the purpose of the processing;
(ii) a description of the categories of data subjects and of the information or categories of information relating thereto;
(iii) the recipients or categories of recipients to whom the personal information may be supplied;
(iv) planned transborder flows of personal information; and
(v) a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.’’.
[(f) in general such other information as may be prescribed.]’’; and
(b) by the substitution for subsection (3) of the following subsection:
‘(3) [Each manual must be made available as prescribed] The manual referred to in subsection (1), or the updated version thereof as referred to in subsection (2) must be made available—
(a) on the web site, if any, of the private body;
(b) at the principal place of business of the private body for public inspection during normal business hours;
(c) to any person upon request and upon the payment of a reasonable amount; and
(d) to the Information Regulator upon request.’’.
13. The amendment of section 52 by the—
(a) substitution for the words preceding paragraph (a) of subsection (1) of the following words:
‘‘(1) The head of a private body may, on a voluntary [and periodic] basis, [submit to the Minister] make available in the prescribed manner a description of—’’;
(b) deletion of subsection (2); and
(c) substitution of subsection (3) of the following subsection:
‘‘(3) The only fee (if any) for access to a record [included in a notice in terms of subsection (2)] referred to in subsection (1) is a prescribed fee for reproduction.’’.
14. The amendment of section 54 by the substitution for—
(a) subsection (1) of the following subsection:
‘‘(1) The head of a private body to whom a request for access is made must by notice require the requester [, other than a personal requester,] to pay the prescribed request fee (if any), before further processing the request.’’;
(b) subsection (2) of the following subsection:
‘‘(2) If—
(a) the search for a record of a private body in respect of which a request for access by a requester [, other than a personal requester,] has been made; and
(b) the preparation of the record for disclosure (including any arrangements contemplated in section 29(2)(a) and (b)(i) and (ii)(aa)),
would, in the opinion of the head of the private body concerned, require more than the hours prescribed for this purpose for requesters, the head must by notice require the requester [, other than a personal requester,] to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable if the request is granted.’’; and
(c) paragraphs (b) and (c) of subsection (3) of the following paragraphs:
‘‘(b) that the requester may lodge a complaint to the Information Regulator or an application with a court against the tender or payment of the request fee in terms of subsection (1), or the tender or payment of a deposit in terms of subsection (2), as the case may be; and
(c) the procedure (including the period) for lodging the complaint to the Information Regulator or the application.’’.
15. The amendment of section 56 by the—
(a) substitution for paragraph (c) of subsection (2) of the following paragraph between:
‘‘(c) that the requester may lodge a complaint to the Information Regulator or an application with a court against the access fee to be paid or the form of access granted, and the procedure, including the period allowed, for lodging a complaint to the Information Regulator or the application.’’; and
(b) substitution for paragraph (c) of subsection (3) of the following paragraph:
‘‘(c) state that the requester may lodge a complaint to the Information Regulator an application with a court against the refusal of the request, and the procedure (including the period) for lodging a complaint to the Information Regulator or the application.’’.
16. The amendment of section 57 by the substitution for paragraph (c) of subsection (3) of the following paragraph:
‘‘(c) that the requester may lodge a complaint to the Information Regulator or an application with a court against the extension, and the procedure (including the period) for lodging the application.’’.
17. The amendment of section 73 by the—
(a) substitution for paragraphs (b) and (c) of subsection (3) of the following paragraphs:
‘‘(b) that the third party may lodge a complaint to the Information Regulator or an application with a court against the decision of the head within 30 days after notice is given, and the procedure for lodging the complaint to the Information Regulator or the application; and
(c) that the requester will be given access to the record after the expiry of the applicable period contemplated in paragraph (b), unless a complaint to the Information Regulator or an application with a court is lodged within that period.’’; and
(b) substitution of subsection (4) of the following subsection:
‘‘(4) If the head of the private body decides in terms of subsection (1) to grant the request for access concerned, he or she must give the requester access to the record concerned after the expiry of 30 days after notice is given in terms of subsection (1)(b), unless a complaint to the Information Regulator or an application with a court is lodged against the decision within that period.’’.
18. The amendment of Chapter 1 of Part 4 by the insertion after section 77 of the following sections:
‘‘CHAPTER 1A
COMPLAINTS TO REGULATOR
Complaints
77A. (1) A requester or third party referred to in section 74 may only submit a complaint to the Information Regulator in terms of this section after that requester or third party has exhausted the internal appeal procedure against a decision of the information officer of a public body provided for in section 74.
(2) A requester—
(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;
(b) aggrieved by a decision of the relevant authority of a public body to disallow the late lodging of an internal appeal in terms of section 75(2);
(c) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1—
(3) A third party—
(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;
(b) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1 to grant a request for access; or
(c) aggrieved by a decision of the head of a private body in relation to a request for access to a record of that body,
may within 180 days of the decision, submit a complaint, alleging that the decision was not in compliance with this Act, to the Information Regulator in the prescribed manner and form for appropriate relief.
Modes of complaints to Regulator
77B. (1) A complaint to the Information Regulator must be made in writing.
(2) The Information Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Information Regulator, to put the complaint in writing.
Action on receipt of complaint
77C. (1) The Information Regulator, after receipt of a complaint made in terms of section 77A, must—
(a) investigate the complaint in the prescribed manner;
(b) refer the complaint to the Enforcement Committee established in terms of section 50 of the Protection of Personal Information Act, 2013; or
(c) decide, in accordance with section 77D, to take no action on the complaint or, as the case may be, require no further action in respect of the complaint.
(2) During the investigation the Information Regulator may—
(a) act, where appropriate, as conciliator in relation to such complaint in the prescribed manner; or
(b) take such further action as is contemplated by this Chapter.
(3) The Information Regulator must, as soon as is reasonably practicable, after receipt of a complaint, advise the complainant and the information officer or head of a private body, as the case may be, to whom the complaint relates of the course of action that the Information Regulator proposes to adopt under subsection (1).
77D. (1) The Information Regulator, after investigating a complaint received in terms of section 77A, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Information Regulator’s opinion—
(a) the complaint has not been submitted within the period referred to in section 77A(2) and there are no reasonable grounds to condone the late submission;
(b) the complaint is frivolous or vexatious or is not made in good faith; or
(c) it appears to the Information Regulator that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate.
(2) In any case where the Information Regulator decides to take no action, or no further action, on a complaint, the Information Regulator must inform the complainant of that decision and the reasons for it.
Pre-investigation proceedings of Regulator
77E. Before proceeding to investigate any matter in terms of this Chapter, the Information Regulator must, in the prescribed manner, inform—
(a) the complainant of the Information Regulator’s intention to conduct the investigation; and
(b) the information officer of the public body or the head of the private body, as the case may be, to whom the complaint relates of the—
(i) details of the complaint; and
(ii) right of the information officer or the head to submit to the Information Regulator, within
a reasonable period, a written response in relation to the complaint.
Settlement of complaints
77F. If it appears from a complaint, or any written response made in relation to a complaint under section 77E(b)(ii), that it may be possible to secure a settlement between the parties concerned, the Information Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the prescribed manner, use its best endeavours to secure such a settlement.
Investigation proceedings of Regulator
77G. (1) For the purposes of the investigation of a complaint the Information Regulator has powers similar to those of the High Court in terms of section 80 relating to the disclosure of records to it and non-disclosure of records by it.
(2) Section 81 of the Protection of Personal Information Act, 2013, applies to the investigation of complaints in terms of this Chapter.
Assessment
77H. (1) The Information Regulator, on its own initiative, or at the request by or on behalf of an information officer or head of a private body or any other person may make an assessment in the manner prescribed of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.
(2) The Information Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on request, the Information Regulator has not been supplied with such information as it may reasonably require in order to—
(a) satisfy itself as to the identity of the person making the request; and
(b) enable it to identify the private or public body concerned.
(3) The matters to which the Information Regulator may have regard in determining whether it is appropriate to make an assessment include—
(a) the extent to which the request appears to it to raise a matter of substance;
(b) determining that the request is not frivolous or vexatious; and
(c) whether or not the person making the request is entitled to make an application in terms of this Act in respect of the information in question.
(4) If the Information Regulator has received a request under this section it must notify the person referred to in subsection (1)—
(a) whether it has made an assessment as a result of the request; and
(b) of any view formed or action taken as a result of the request.
Information Notice
77I. (1) For the purposes of the investigation of a complaint the Information Regulator may serve the information officer or head of a private body with an information notice requiring said party to furnish the Information Regulator, within a specified period, in a form specified in the notice, with the information specified in the notice.
(2) An information notice in terms of subsection (1) must be accompanied by—
(a) reasons for the issuing of the notice; and
(b) particulars of the right to appeal conferred by section 78(4).
(3) Section 90(3) to (9) of the Protection of Personal Information Act, 2013, applies to the serving of an information notice in terms of this Chapter.
(4) A copy of the notice referred to in subsection (1) that has been certified by the Information Regulator is, for purposes of the application referred to in section 78, conclusive proof of the contents of the enforcement notice that has been served by the Regulator.
Non-compliance with Enforcement Notice
77K. An information officer of a public body or head of a private body who refuses to comply with an enforcement notice referred to in section 77J, is guilty of an offence and liable upon conviction to fine or to imprisonment for a period not exceeding three years or to both such a fine and such imprisonment.’’.
19. The amendment of section 78 by the substitution for the following section:
‘‘Applications regarding decisions of information officers or relevant authorities of public bodies or heads of private bodies or Regulator
78. (1) A requester or third party [referred to in section 74] may only apply to a court for appropriate relief in terms of section 82 [after that requester or third party has exhausted the internal appeal procedure against a decision of the information officer of a public body provided for in section 74] in the following circumstances:
(a) After that requester or third party has exhausted the internal appeal procedure referred to in section 74; or
(b) after that requester or third party has exhausted the complaints procedure referred to in section 77A.
(2) A requester—
(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;
(b) aggrieved by a decision of the relevant authority of a public body to disallow the late lodging of an internal appeal in terms of section 75(2);
(c) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1—
(i) to refuse a request for access; or
(ii) taken in terms of section 22, 26(1) or 29(3); [or]
(e) that is aggrieved by any decision of the Information Regulator,
may, by way of an application, within [30] 180 days apply to a court for appropriate relief in terms of section 82.
(3) A third party—
(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;
(b) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1 to grant a request for access; [or]
(c) aggrieved by a decision of the head of a private body in relation to a request for access to a record of that body[,]; or
(d) that is aggrieved by any decision of the Information Regulator,
may, by way of an application, within [30] 180 days apply to a court for appropriate relief in terms of section 82.
(4) An information officer or relevant authority of a public body or the head of a private
body, as the case may be, aggrieved by a decision of the Information Regulator in terms of section 77E(2)(b) or (c) may, by way of an application, within 180 days apply to a court for appropriate relief in terms of section 82.’’.
20. The amendment of the heading of Part 5 by substituting the words ‘‘Human Rights Commission’’ with the words ‘‘Information Regulator’’.
21. The amendment of sections 32, 83, 84 and 85 by substituting the words ‘‘Human Rights Commission’’ wherever they occur, with the words ‘‘Information Regulator’’.
22. The repeal of section 88.
23. The amendment of the long title for the following long title:
‘‘To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; to provide that the Information Regulator, established in terms of the Protection of Personal Information Act, 2013, must exercise certain powers and perform certain duties and functions in terms of this Act; and to provide for matters connected therewith.’’
Act 25 of 2002 Electronic Communications and Transactions Act, 2002
1. The amendment of section 1 by the substitution for the definition of ‘‘personal information’’ of the following definition:
‘‘ ‘personal information’ means information relating to an identifiable natural person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or
further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,
but excludes information about an individual who has been dead for more than 20 years;’’.
2. The repeal of sections 45, 50 and 51.
Act 34 of 2005 National Credit Act, 2005
1. The amendment of section 1 by the substitution of the definition of ‘‘prohibited conduct’’ with the following definition:
‘‘ ‘prohibited conduct’ means any act or omission in contravention of the Act, other than an act or omission as contemplated in section 55(2)(b) or that constitutes an offence under this Act, by—
(a) an unregistered person who is required to be registered to engage in such an act; or
(b) a credit provider, credit bureau or debt counselor;’’.
2. The amendment of section 55 by the substitution for subsection (2) of the following subsection:
‘‘(2)(a) Before issuing a notice in terms of subsection (1)(a) to a regulated financial institution, the National Credit Regulator must consult with the regulatory authority that issued a licence to that regulated financial institution.
(b) Sections 68, 70(1), (2)(b) to (g) and (i), (3) and (4) and 72(1), (3) and (5) will be subject to the compliance procedures set out in Chapters 10 and 11 of the Protection of Personal Information Act, 2013.’’.
3. The amendment of section 68 by the deletion of subsection (2).
4. The amendment of section 136 by the substitution for subsection (1) of the following subsection:
‘‘(1) Any person may, subject to section 55(2)(b), submit a complaint concerning an alleged contravention of this Act to the National Credit Regulator in the prescribed manner and form.’’
5. The amendment of section 137 by the deletion of subparagraph (a) of subsection (1).