Tax and Legal Insights | 5 min read

POPIA explained – Part 2

We will start off with a quick recap of exactly what is meant by the term “processing”, and then move on to the types of personal information which may be processed and the different requirements applicable to each.

Quick recap – what does “processing” cover?

Before we get into the detail, let’s quickly recap on what exactly processing covers.

POPI applies to the processing of personal information of a data subject by (or on behalf of) a responsible party. In its simplest form – processing covers everything imaginable that can be done with personal information. It includes (but is not limited to) the collection, receipt, collation, storage, updating, retrieval, use, destruction and the alteration or distribution of a record which has personal information in it.

(*PS: remember, the act does not apply to the processing of personal information in the course of a purely household or personal activity or which has been de-identifed.)  

Different categories of personal information

You will recall I mentioned last week that the definition of “data subject” refers to the person to whom the personal information relates.

In essence, POPIA distinguishes between three categories of personal information, i.e.:

  1. Personal information in general;
  2. Special personal information; and
  3. Personal information of children.

Let’s look at each in more detail.

General personal information

General personal information refers to information relating to an identifiable, living natural person or juristic person. The definition in section 1 includes (but is not limited to) the following:

  • information relating to race, gender, sex, pregnancy, marital status, age, physical and mental health, disability, religion, culture and language of the person;
  • information about the persons education or medical, financial, criminal or employment history;
  • any identifying numbers (ID number, telephone numbers, email address, physical address, etc); and
  • a persons’ biometric information (*e.g.: DNA, fingerprints).

Chapter 3 of POPIA sets out the eight conditions for lawful processing of personal information. Put differently: in order for processing of personal information to be lawful, it must comply with the minimum requirements as set out in Chapter 3.

(*PS: these conditions will be discussed individually in later editions).

Special personal information

Some personal information, however, is of such a sensitive nature that the processing thereof can cause a serious infringement on the data subject’s privacy.

As such, Section 26 creates a special category of personal information called “special personal information” which is afforded a higher degree of protection than the processing of general personal information.

Special personal information includes information about a data subject’s:

  • religious or philosophical beliefs;
  • race or ethnic origin;
  • trade union membership;
  • political persuasions;
  • health or sex life;
  • biometric info; or
  • criminal behaviour.

The processing of special personal information is prohibited UNLESS one of the exemptions as set out in section 27 applies.

These exemptions can be summarised as follows:

  1. The data subject has *consented to the processing (*which consent must be explicit OPT IN consent – but don’t worry, we will cover the concept of consent in more detail in a later edition); OR
  2. The processing is necessary to establish, exercise or defend a right or obligation in law (*for example where the responsible party has to disclose information about a data subject in legal proceedings or, in the case of HR, where fit and proper evaluations are conducted on representatives as required in terms of FAIS); OR
  3. The processing is necessary to comply with an obligation of international public law (*for example where the responsible party has to disclose information about a data subject to comply with international tax compliance laws such as FATCA); OR
  4. if the Regulator granted authority in terms of section 27(2) and appropriate guarantees have been put in place to protect the data subject’s privacy; OR
  5. if the processing is for historical, statistical or research purposes; OR
  6. if the information has been deliberately made public by the data subject (for example, the data subject posted the information on social media).

Also take note that, in addition to the general exemptions listed above, there are also certain special exemptions which apply in respect of different types of special personal information.

(*PS: if you’d like more info on these exemptions, take a look at section 28 to 33 of the act).

Personal information of children

Special rules apply to the processing of personal information of children as well. A “child” is defined as anyone under the age of 18 who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.

The processing of personal information of children is prohibited UNLESS one of the exemptions as set out in section 35 applies.

These exemptions can be summarised as follows:

  1. Processing is carried out with the prior consent of a competent person (*consent must be explicit OPT IN consent – but don’t worry, we will cover the concept of consent in more detail in a later edition); OR
  2. The processing is necessary to establish, exercise or defend a right or obligation in law (for example where the trustees of a fund must determine whether children are entitled to fund s in terms of section 37C of the Pension Funds Act); OR
  3. The processing is necessary to comply with an obligation of international public law (* for example where the responsible party has to comply with a request made in aid of the protection of children’s rights under international treaty law); OR
  4. if the Regulator granted authority in terms of section 35(2); OR
  5. if the processing is for historical, statistical or research purposes; OR
  6. if the information has been deliberately made public by the child with the consent of a competent person.

The importance of the distinction between different categories of personal information

As you can see from the above, special personal information and personal information of children have been afforded extra protection in the act.

Retirement funds, product providers and financial intermediaries, however, all process special personal information and/or personal information of children (being that of the data subject’s or their beneficiaries, where applicable) from time to time in order to provide the required service to clients and/or members and the fund.

Having regard to the stringent requirements for the lawful processing of these types of information as discussed above, it is vital that responsible parties ensure staff are adequately trained on the requirements for lawful processing thereof and that they have the appropriate security measures in place to safeguard this information.

Equally important: ensure that you do not ask more information than what is absolutely required for the purpose for which it is collected. Put differently, carefully check what types of personal information you request in your documentation (application forms, process documents, etc) and remove fields requesting special personal information that it’s not absolutely necessary for the intended purpose.

Conclusion

Now that we have discussed what processing entails as well as the different types of personal information, we can move on to the conditions for lawful processing of personal information – we’ll discuss this in the next edition.

Your Next Read

Investment Insights | 1 min read
New opportunity to invest in The Glacier Top Brands Return Enhancer
Investment Insights | 1 min read
Wealth Edge Endowment Plan now open for AIFA relationship advice advisers

We use cookies to give you the very best possible online experience. By continuing, you confirm that you’re on board with our privacy policy.

What Glacier Insights is…and isn’t

Glacier Insights provides investment professionals and financial intermediaries with information on the markets in general, Glacier products, and the services we offer. This website is not primarily for private individuals, but we are pretty sure that everyone interested in investing would find the content useful. If you are a private individual, please seek financial advice from a registered financial intermediary before you invest. A trained financial intermediary will help you determine which of our products are most appropriate for your needs. Glacier Insights is not designed to replace the job and expertise of a professional financial intermediary.

Content use and ownership

We love that you want to browse Glacier Insights, and please let us know if there is any more information that you would like us to provide. Also know that the intellectual property rights in the content are protected by local and international laws and agreements. So, our intellectual property may not be used in any way without our consent or the consent of any business that licensed us to use its intellectual property. This includes reproducing, changing, publishing, displaying, distributing, licensing or creating by-products of the content on this site, unless you receive our permission in writing. The website with all its content is owned by or licensed to Glacier by Sanlam, and includes text, graphics, icons, hyperlinks, private information and designs.

I have read the above and understand the purpose of the Glacier Insights website.

No, I do not agree

Receive the latest Glacier Insights delivered to your inbox


Please enabled javascript to view Glacier.