POPIA Lawful Collection and Processing of Personal Information
POPIA contains requirements for the lawful collection and processing of personal information. These are contained in Condition 2: Processing Limitation and Condition 3: Purpose Specification. These are outlined below based on extracts from POPIA and additional wording where possible. The obligations in Conditions 2 and 3 relate to decisions made by the Responsible Party in POPIA.
Condition 2: Processing Limitation
POPIA includes the following in Condition 2: Processing Limitation
Section 9. Lawfulness of Processing: POPIA requires that personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. It should, therefore, not be collected covertly or in a manner with which the data subject would feel aggrieved.
Section 10. Minimality: In addition to the above, personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive. This is referred to as Minimality i.e. only collecting sufficient PI for the intended purpose and not collecting more information than is required.
Section 11: Consent, justification and objection
Section 11 contains the lawful basis/bases for collecting and processing personal information. The Processing Lawfulness Assessment tool provided by IACT-Africa is based on section 11 below. The lawful bases are:
- (1) Personal information may only be processed if
(a) the data subject (or a competent person such as a parent or legal guardian where the data subject is a child) consents to the processing. Note: It is normally best to obtain consent when personal information is initially collected directly collected from the data subject if possible as it will serve as valuable evidence should a dispute arise;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the data subject;
(e) processing is necessary for the proper performance of a public law duty by a public body;
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
2) (a) The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a). It will, therefore, be important for records of consent to be stored by the Responsible Party.
(b) The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
Section 12: Collection directly from data subject
- (1) Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2) below.
(2) It is not necessary to comply with subsection (1) if—
(a) the information is contained in or derived from a public record or has deliberately been made public by the data subject;
(b) the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
(c) collection of the information from another source would not prejudice a legitimate interest of the data subject;
(d) collection of the information from another source is necessary;
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have 10 commenced or are reasonably contemplated;
(iv) in the interests of national security; or
(v) to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
(e) compliance would prejudice a lawful purpose of the collection;
(f) compliance is not reasonably practicable in the circumstances of the particular case.
Condition 3
Purpose specification
In addition to the lawful bases outlined in Condition 1 above, POPIA also requires that there is a valid purpose for collecting and processing personal information. The requirements are shown below. The Consent Compliance Assessment provided by IACT-Africa is based on section 12 below.
Section 13: Collection for specific purpose.
- (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
(2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.
Part B
Processing of special personal information
Prohibition on processing of special personal information
- A responsible party may, subject to section 27, not process personal information concerning —
(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
(b) the criminal behaviour of a data subject to the extent that such information relates to
- (1) The prohibition on processing personal information, as referred to in section 26, does not apply if the—
(a) processing is carried out with the consent of a data subject referred to in section 26
Note: It is not permitted to obtain special personal information on the basis of it being required for the performance of a contract