At present South Africa does not have comprehensive privacy or data protection legislation. Some aspects are covered in various other consumer-protection statutes, such as the Consumer Protection Act, the National Credit Act and the Electronic Communications and Transactions Act.

In a move to give effect to the right to privacy, which is entrenched in South Africa's constitution, and in order to align South Africa with many other international jurisdictions that have privacy or data protection legislation in place, the government introduced the Protection of Personal Information Bill (POPI) in 2009.

POPI has been in the pipeline for almost two years and, with its draft stage reaching finality, it is anticipated to be passed this year.

The objective of POPI will be the comprehensive protection of information relating to the personal details of an individual.

In the bill, "personal information" is defined as covering a very wide range of data pertaining to individuals and juristic persons. Furthermore, the bill differentiates between different types of personal information and the sensitivity thereof. The more sensitive information is defined as "special information", which is information that relates to religious beliefs, health data and personal views held by employees, and such information requires greater protection under the law.

The new laws are intended to cover any person or entity that collects, uses or stores (in any manner whatsoever) personal information. The majority of organisations, whatever type of business they conduct, will therefore have to assess how they handle personal information.

The Bill provides rights for individuals to:

  • Know the reasons that their information is collected.
  • Know the purposes for which it will be used.
  • Object, on reasonable grounds, to the use of their information.
  • Enquire whether an organisation holds information about the individual, view and correct that information, and ask that it be deleted.

The bill requires organisations to only collect and use the minimum information necessary to accomplish their objectives, to maintain such information accurately, to safeguard personal information, and to delete or destroy information when it is no longer needed. Notably, organisations will be required to notify the individual(s) and the new Information Regulator of any compromises to their personal information, including loss, theft, unauthorised access or disclosure, hacking incidents, and so on.

From a practical point of view almost all businesses will need to:

  • Ensure that standard terms and conditions cover the authority to use any information submitted to the organisation for the purposes for which the organisation requires that information.
  • Be careful how the information is used and to whom the information is disclosed.
  • Devise proper secure storage of data.

Comprehensive data handling strategies, processes and procedures as well as systems will need to be devised and implemented in order to comply with the legislation.

When POPI becomes law, it will place a notable onus on businesses that process any personal data in respect of any person. Failure to comply will in all probability result in an administrative fine of no less than R10 million, while violations may also result in criminal charges or lengthy prison sentences.