Tax and Legal Insights | 4 min read

POPIA explained – Part 3

In this edition of POPIA Explained we will start off with clarifying exactly what is meant when we say processing must be “lawful”, and then move on to the eight conditions for the lawful processing of personal information (which will be discussed separately over the course of the next few weeks).

Processing must be lawful

Before we get into the detail, let’s quickly look at what we mean when we say that processing must be “lawful”.

POPIA requires the responsible party to process personal information lawfully and in a manner that does not infringe on the privacy of data subjects. In order for such processing to be “lawful” it must comply with the minimum requirements as set out in Chapter 3 of the act (hereafter referred to as the “conditions”).

The eight conditions for lawful processing

Section 4 of POPIA lists eight conditions for the lawful processing of personal information, namely:

  1. Accountability (as referred to in section 8);
  2. Processing Limitation (as referred to in sections 9 to 12);
  3. Purpose specification (as referred to in sections 13 and 14);
  4. Further processing limitation (as referred to in section 15);
  5. Information Quality (as referred to in section 16);
  6. Openness (as referred to in sections 17 and 18);
  7. Security safeguards (as referred to in sections 19 to 22); and
  8. Data subject participation (as referred to in sections 23 to 25).

Let’s look at the first two conditions in more detail.

1. Accountability – section 8

The responsible party is accountable for compliance with the act. As such, section 8 of POPIA requires a responsible party to ensure that the conditions for lawful processing (and all measures that give effect to such conditions) are complied with at all times, i.e. at the time of determination of the purpose and means of the processing, as well as during the processing itself.

The responsible party is therefore required to appoint an Information Officer who is responsible for ensuring compliance with the act (*PS: we will focus on the duties of the Information Officer in a later edition).

2. Processing Limitation – sections 9 to 12

As stated previously, personal information must be processed:

  • Lawfully; and
  • in a reasonable manner that does not infringe on the privacy of the data subject.

Section 10 again stresses this point: it states that personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Put differently: the responsible party should only process the minimum information they need to adequately fulfil the purpose for which it is being used.

It is therefore vital to understand what is meant by “adequate, relevant and not excessive” as stated in section 10. In essence, the personal information being processed must tie up with the purpose for which it was obtained. Responsible parties may not process data which goes over and above the stated purpose. (*For example, a responsible party should not collect details of marital status or race if it is not relevant to the product or services being rendered.)

Section 11 is an extremely important section of the act. Section 11 deals with the consent required for processing, the justification of processing and the objection thereto by the data subject.

It states that personal information may only be processed IF:

  (a) the data subject consented (*which consent must be specific – we will however cover the concept of “consent” and exactly when it’s required in a later edition!); OR
  (b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party (*for example, where a product provider processes information contained in an application form for an investment contract); OR
  (c) processing complies with an obligation imposed by law on the responsible party (*for example, where personal information is provided to SARS in terms of the Income Tax Act or to comply with a court order); OR
  (d) processing protects a legitimate interest of the data subject (*for example, where a retirement fund is required to trace a “dependant” as defined in the Pension Funds Act and discloses the dependant’s details to a tracing agent); OR
  (e) processing is necessary for the proper performance of a public law duty by a public body (*for example, where the police request information from a responsible party regarding one of its clients in connection with an investigation); OR
  (f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied (*for example, where processing is necessary for the investigation of fraud or other misconduct).

To summarise: responsible parties must always be able to base their processing of personal information on at least ONE of the grounds set out above, otherwise they will NOT be allowed to process the information.

(PS: despite the common misconception that the data subject’s consent is always required, you can now clearly see that consent is merely ONE of the grounds for lawful processing. Not to worry – we will come back to the concept of consent in a later edition.)

Section 12 then goes on to state that the personal information must be collected directly from the data subject, unless one of the exceptions applies. These exceptions are:

  • Where the information is contained in or derived from a public record or has deliberately been made public by the data subject; or
  • The data subject has consented to the collection of information from another source; or
  • The collection of information from another source would not prejudice the legitimate interest of the data subject; or
  • Where collection of information from another source is necessary:
    • To avoid prejudice to the maintenance of the law by any public body;
    • To comply with an obligation imposed by law;
    • For the conduct of court proceedings;
    • In the interest of national security; or
    • To maintain the legitimate interests of the responsible party or a third party to whom the information is supplied; or
  • Compliance would prejudice a lawful purpose for collection; or
  • Compliance is not reasonably practical in the circumstances.

Objection by the data subject

A data subject may at any time object (on reasonable grounds!) to processing conducted on the basis of (d), (e) and (f) as summarised above, unless legislation provides otherwise. Once the data subject has objected, the responsible party may no longer process the information.

The following are examples of instances where an objection to processing would not be considered reasonable:

  1. where the responsible party is performing its obligations in terms of a contract; or
  2. where the responsible party is exercising its rights in line with agreed terms of a contract.

Conclusion

We have now covered the first two conditions for lawful processing of personal information – in the next edition we will discuss the next two conditions, being Purpose specification (as referred to in sections 13 and 14) and Further processing limitation (as referred to in section 15).

Glacier Financial Solutions (Pty) Ltd and Sanlam Life Insurance Ltd are licensed financial services providers
