Data protection for civil society: A guide to the Protection of Personal Information Act
- The Protection of Personal Information Act (POPIA) will have implications for all sectors across South Africa, including civil society organisations.
- There are certain provisions of POPIA that are likely to be of particular interest or relevance to organisations working on public interest issues and fundamental rights.
- Civil society organisations are also well-placed to raise awareness about the role and importance of data protection and to support individuals to realise their privacy rights and hold wrongdoers to account.
The Protection of Personal Information Act 4 of 2013 (POPIA) will have implications for all sectors across South Africa once the remaining provisions come into force. Enacted to give effect to the constitutional right to privacy, it also provides a framework for striking a balance between privacy and the protection of other important interests, including the free flow of information within South Africa and across international borders.
POPIA applies to personal information entered into a record – through either automated or non-automated means – where the responsible party is either domiciled in South Africa or makes use of means in the country. Subject to the exclusions set out in sections 6 and 7 of POPIA, the law applies to all processing of personal information by both the state and private sector.
This includes civil society organisations (CSOs), which will also be required to comply with the provisions of POPIA. Among these requirements are eight conditions for the lawful processing of personal information; limitations on cross-border data transfers and on processing for direct marketing; and the realisation of data subject rights.
CSOs should take care to ensure reasonable and responsible data processing, particularly by limiting the amount of personal information that is collected. At this stage, there is no special dispensation for CSOs, which means that CSOs will need to prepare for compliance with the legislation as a whole. However, our experience having worked in and on behalf of civil society has given us insight into certain aspects of POPIA that are likely to be of particular interest or relevance to CSOs. These aspects are highlighted below.
Exemptions in the public interest
As a point of departure, and of direct applicability to CSOs, section 37 of POPIA provides that the Information Regulator may grant an exemption from complying with POPIA, provided that one or both of the following requirements are met: (i) the Regulator is satisfied that the public interest in processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from the processing; or (ii) that the processing involves a clear benefit to the data subject or third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from the processing.
The public interest includes, in this context, the interests of national security; the prevention, detection and prosecution of offences; important economic and financial interests of a public body; historical, statistical or research activity; or the special importance of freedom of expression.
Given that the requirements under POPIA are certainly onerous, and compliance may be a resource-intensive exercise, CSOs may consider applying to the Information Regulator for an exemption in respect of certain processing activities. For instance, CSOs with a focus on historical, statistical or research activities will likely have a strong basis to argue that such an exemption should be granted in the public interest. Furthermore, although the provision only expressly refers to the right to freedom of expression, it may be argued that the pursuance of any constitutional rights – such as health, education or housing – would similarly be in the public interest, and therefore subject to a possible exemption being granted.
Even if the Information Regulator were to impose conditions on such an exemption, it can be expected that this would still assist in reducing the compliance burden. Similarly placed CSOs may consider approaching the Information Regulator jointly to secure an exemption that has broad application to the public interest sector.
Grounds for lawful processing
Section 11(1) of POPIA sets out the grounds on which personal information may be processed. Consent is one such ground, where the data subject has consented to their personal information being processed. In order for consent to be valid, it must be voluntary, specific and informed.
CSOs should take care to ensure that the consent obtained is meaningful, and that the data subject has retained agency in determining how their personal information is to be used. As explained in recital 32 to the General Data Protection Regulation (GDPR) of the European Union, consent should be given by a clear affirmative act:
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
If a CSO chooses to rely on consent as the ground for the processing of personal information, that CSO should ensure that it is able to prove that the data subject has provided the appropriate consent. It is also necessary to ensure that the data subject is able to withdraw consent and to have the processing consequently stopped. According to the Information Commissioner’s Office in the United Kingdom, consent is not valid if any of the following apply:
- you have any doubts over whether someone has consented;
- the individual doesn’t realise they have consented;
- you don’t have clear records to demonstrate they consented;
- there was no genuine free choice over whether to opt-in;
- the individual would be penalised for refusing consent;
- there is a clear imbalance of power between you and the individual;
- consent was a precondition of a service, but the processing is not necessary for that service;
- the consent was bundled up with other terms and conditions;
- the consent request was vague or unclear;
- you use pre-ticked opt-in boxes or other methods of default consent;
- your organisation was not specifically named;
- you did not tell people about their right to withdraw consent;
- people cannot easily withdraw consent; or
- your purposes or activities have evolved beyond the original consent.
Meaningful consent is perhaps not the silver bullet that some would like to believe. In practical terms for CSOs, who may be based a distance away from the clients or partners with whom they are working – and which may further be exacerbated by barriers such as language and access to technology – it is not always simple or practicable to obtain meaningful consent. It is therefore important to note that consent is not the only ground for lawful processing.
Another ground that may be relied on is where the processing is in the legitimate interests of the data subject. While section 26 of POPIA makes clear that this ground does not apply to the processing of special personal information, it does nevertheless apply to the other types of personal information, such as names and contact details. POPIA does not set out what factors should be taken into account when determining the legitimate interests, but it is certainly arguable that seeking to vindicate the fundamental rights of the data subject would meet these criteria.
While any of the grounds set out in section 11(1) of POPIA may be relied on in the appropriate circumstances, it bears mention that, to the extent possible, CSOs may want to consider both obtaining consent and establishing another ground of lawful processing, to ensure that the processing of the personal information is fully compliant with the will and interests of the data subject.
Special personal information
POPIA creates a sub-category of personal information – referred to as “special personal information” – which is afforded additional protections in terms of the legislation, given the sensitive nature of this information. As set out in section 26 of POPIA, this includes religious or philosophical beliefs, race or ethnic origin, political persuasion, and information regarding one’s health or sex life.
As a general principle, the processing of special personal information is not permitted unless one or more of the exceptions apply. The exceptions provided in respect of special personal information are much narrower than those that ordinarily apply and, for instance, do not include the legitimate interests of the data subject as one of the grounds on which processing is permissible. Grounds that can, however, be relied on include consent from the data subject, or where the information has deliberately been made public by the data subject.
This provision is relevant given that various CSOs deal directly with matters pertaining to special personal information, such as the right to health, freedom of religion or racial discrimination. For these organisations, the processing of special personal information is both necessary and unavoidable, which will, therefore, require appropriate measures to be put in place to ensure compliance with POPIA. On the other hand, for those CSOs that do not deal directly with these issues, it may be advisable to endeavour to process as little special personal information as possible, given the more stringent requirements that apply.
Personal information of children
Sections 34-35 of POPIA put in place special protections for the processing of personal information of children. As with special personal information, it would be advisable to limit such processing to the extent possible given the heightened protections that apply.
As a general principle, POPIA contemplates that the processing of personal information of children is not permissible unless one or more of the exceptions apply. These exceptions include the prior consent of a competent person, or where the personal information has deliberately been made public by the child with the consent of a competent person.
For any CSO that processes personal information of children as a key part of its work, section 35(2) of POPIA may be helpful. This provides for an application to be made to the Information Regulator for authorisation to process personal information of children, as long as this is in the public interest and appropriate safeguards are in place to protect the information. CSOs working on children’s rights, for example, certainly have a strong basis to apply for this authorisation. The Information Regulator is empowered to impose reasonable conditions if this authorisation is granted.
Cross-border data transfers
Many CSOs work with partners, donors and other stakeholders based outside of South Africa. In such instances, where personal information will be transferred to third parties in another country, it is necessary to comply with the cross-border transfer provisions contained in section 72 of POPIA. In sum, section 72(1) provides a general principle that personal information about a data subject may not be transferred to a third party in a foreign country unless one of the exceptions applies.
Two of the grounds of exception that may be expected to be commonly relied on are where the data subject consents to the transfer of personal information; or where the third party is subject to a law or binding agreement that provides an adequate level of protection substantially similar to POPIA. Provision is also made for a cross-border transfer that is for the benefit of the data subject, where it is not reasonably practicable to obtain the consent of the data subject and the data subject would be likely to consent.
In the event of either special personal information, or any personal information about children, being transferred to a third party in a country that does not provide an adequate level of protection, section 57(1) of POPIA requires prior authorisation to be obtained from the Information Regulator before the transfer takes place.
Direct marketing
Section 69 of POPIA deals with direct marketing through unsolicited electronic means. Direct marketing includes any approach to a data subject – whether in person, by mail or electronic communication – to request the data subject “to make a donation of any kind for any reason”. This has the potential to impact the fundraising efforts of CSOs that seek donations to support the work being done. POPIA makes clear that data subjects have an express right to object to the processing of personal information for direct marketing at any time.
As a general principle, such processing is prohibited unless the data subject has given consent to the processing or is a “customer” of the organisation. In respect of the former, the Regulations in terms of POPIA (the Regulations), published in December 2018, provide that consent for the processing of personal information for direct marketing by electronic communications must be obtained in writing and in accordance with Form 4 contained in the Regulations.
Furthermore, in respect of the latter, for instance, when engaging with a former donor, the CSO must ensure that the data subject has a reasonable opportunity to object to the marketing, free of charge and without unnecessary formality. In order to facilitate this, any communication for the purpose of direct marketing must contain the relevant contact details for the recipient to be able to request the CSO to stop sending such communications.
When engaging with existing or potential donors, it would be advisable for CSOs to maintain a written record of the persons who may be approached and the basis on which it is appropriate to make such an approach (for instance, if consent has been obtained). It would also be advisable for CSOs to keep a record of those persons who have objected to receiving marketing communications, to ensure that the organisation does not inadvertently continue to send them communications in breach of these provisions.
Exclusions in terms of POPIA
Sections 6 and 7 of POPIA provide for certain exclusions to which POPIA will not apply. These include information that has been de-identified to the extent that it cannot be re-identified, and the processing of personal information relating to the judicial functions of a court.
Further, section 7 of POPIA contains a specific exclusion for journalistic, literary or artistic expression. In this regard, POPIA does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression, to the extent that it is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression. As such, in order to rely on this exclusion, the following requirements must be met: (i) the processing is solely for the purpose of journalistic, literary or artistic expression; (ii) it pertains to a matter of public interest; and (iii) it is necessary to reconcile the right to privacy with the right to freedom of expression.
Should an exclusion apply to any processing of personal information, CSOs will not be required to comply with POPIA for the purposes of that exclusion. However, until such time as further guidance is given, it would not be advisable to adopt too broad an interpretation of these exclusions, to avoid the risk of falling foul of POPIA.
Exceptions for historical, research or statistical purposes
POPIA contemplates that where personal information is processed for historical, research or statistical purposes, it is possible to be exempted from having to comply with certain conditions in the legislation. For instance, POPIA provides that the personal information may be retained for a longer period than would ordinarily be permitted, and that notification to the data subject is not required as it would be in the ordinary course. In respect of personal information of children, this exception only applies if it is in the public interest or would constitute a disproportionate effort to obtain consent, and appropriate safeguards are established over the personal information.
This exception is useful for CSOs undertaking research or that maintain archives of information. It should, however, be noted that this exception is not a complete exclusion under POPIA; rather, there are still certain conditions that would need to be complied with, such as the requirement to maintain appropriate security safeguards over the personal information. To the extent practicable, CSOs may consider de-identifying the personal information being used for historical, research or statistical purposes, to offer more complete protection to the data subjects to whom the information pertains.
Use of third party operators
Many CSOs are likely to outsource certain functions to third party operators to provide support and capacity to the organisation. This may include, for instance, external service providers that perform the accounting and auditing functions, facilitate payroll, manage the pension fund, or provide monitoring and evaluation services. Many of these functions will require the organisation to share personal information about its staff, clients and others with the third party operator in order for this function to be effectively completed.
Section 20 of POPIA provides that where an operator processes personal information on behalf of the organisation, the operator must treat the personal information as confidential and not disclose it, unless required by law or in the course of their duties. In the event of there being a data breach, the operator is required to notify the organisation immediately where there are grounds to believe that personal information has been accessed or acquired by an unauthorised person.
Of particular importance, CSOs engaging the services of third party operators must ensure that they have a written contract in place with the operator, requiring the operator to take appropriate, reasonable technical and organisational measures to prevent a data breach. This contract should also require that the operator, among other things, ensures that its safeguards are continually updated and that it has due regard to generally accepted information security practices and procedures.
In addition to the written contract, it would also be good practice for the CSO to exercise a reasonable measure of due diligence over whether the operator is appropriately implementing this contract, and taking the necessary steps to protect the personal information that it has under its control. Ultimately, in the event of a data breach, it will remain the responsibility of the CSO to notify the Information Regulator and the affected data subjects; it is also the CSO that faces the risk of reputational harm if appropriate measures have not been taken.
Data protection should not be seen simply as a compliance issue, but also as a public interest issue that is provided for in a framework that seeks to give effect to a range of constitutional rights, including privacy, freedom of expression and access to information. Given that personal information is inherent to who we are as people, this is certainly an aspect worth protecting.
There is therefore an urgent need for the remaining provisions of POPIA to be brought into force to ensure that the substantive protections of the legislation are implemented. Once in force, CSOs would be well-placed to use their voices to raise awareness about the role and importance of data protection, as well as to support data subjects in realising their rights and holding wrongdoers to account.
Avani Singh is a Director and Co-founder of ALT Advisory. Avani writes in her personal capacity and her views do not necessarily constitute the views of ALT Advisory. This Insight is based on a workshop hosted by ALT Advisory on 20 August 2019, in which Avani presented to civil society organisations on data protection compliance in South Africa.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].