protection of personal information act, 2013 - hibiscus hospitals · 2020. 4. 9. · 80. issue of...

Protection of Personal Information Act, 2013 Ensuring protection of your personal information and effective access to information


Post on 20-Jan-2021


Page 1: Protection of Personal Information Act, 2013 - Hibiscus Hospitals · 2020. 4. 9. · 80. Issue of warrants 81. Requirements for issuing of warrant 82. Execution of warrants. Protection

Protection Of Personal Information Act, 2013

Act No. 4 of 2013

Protection of Personal Information

Act, 2013

Ensuring protection of your personal information and effective access to information


GENERAL EXPLANATORY NOTE:

[ ] Words in bold type in square brackets indicate omissions from existing enactments.

Words underlined with a solid line indicate insertions in existing enactments.

____________________________________________________________

(English text signed by the President)

(Assented to 19 November 2013)

ACT To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.

PREAMBLE

RECOGNISING THAT—

• section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;

• the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;

• the State must respect, protect, promote and fulfil the rights in the Bill of Rights;

AND BEARING IN MIND THAT—

• consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;

AND IN ORDER TO—

• regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,


Parliament of the Republic of South Africa therefore enacts as follows:—

CONTENTS OF ACT

CHAPTER 1
DEFINITIONS AND PURPOSE

1. Definitions
2. Purpose of Act

CHAPTER 2
APPLICATION PROVISIONS

3. Application and interpretation of Act
4. Lawful processing of personal information
5. Rights of data
6. Exclusions
7. Exclusion for journalistic, literary or artistic purposes

CHAPTER 3
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

Part A
Processing of personal information in general

Condition 1
Accountability

8. Responsible party to ensure conditions for lawful processing

Condition 2
Processing limitation

9. Lawfulness of processing
10. Minimality
11. Consent, justification and objection
12. Collection directly from data subject

Condition 3
Purpose specification

13. Collection for specific purpose
14. Retention and restriction of records


Condition 4
Further processing limitation

15. Further processing to be compatible with purpose of collection

Condition 5
Information quality

16. Quality of information

Condition 6
Openness

17. Documentation
18. Notification to data subject when collecting personal information

Condition 7
Security safeguards

19. Security measures on integrity and confidentiality of personal information
20. Information processed by operator or person acting under authority
21. Security measures regarding information processed by operator
22. Notification of security compromises

Condition 8
Data subject participation

23. Access to personal information
24. Correction of personal information
25. Manner of access

Part B
Processing of special personal information

26. Prohibition on processing of special personal information
27. General authorisation concerning special personal information


28. Authorisation concerning data subject’s religious or philosophical beliefs
29. Authorisation concerning data subject’s race or ethnic origin
30. Authorisation concerning data subject’s trade union membership
31. Authorisation concerning data subject’s political persuasion
32. Authorisation concerning data subject’s health or sex life
33. Authorisation concerning data subject’s criminal behaviour or biometric information

Part C
Processing of personal information of children

34. Prohibition on processing personal information of children
35. General authorisation concerning personal information of children

CHAPTER 4
EXEMPTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION

36. General
37. Regulator may exempt processing of personal information
38. Exemption in respect of certain functions

CHAPTER 5
SUPERVISION

Part A
Information Regulator

39. Establishment of Information Regulator
40. Powers, duties and functions of Regulator
41. Appointment, term of office and removal of members of Regulator
42. Vacancies
43. Powers, duties and functions of Chairperson and other members


44. Regulator to have regard to certain matters
45. Conflict of interest
Remuneration, allowances, benefits and privileges of members
46. Staff
47. Powers, duties and functions of chief executive officer
48. Committees of Regulator
49. Establishment of Enforcement Committee
50. Meetings of Regulator
51. Funds
52. Protection of Regulator
53. Duty of confidentiality

Part B
Information Officer

54. Duties and responsibilities of Information Officer
55. Designation and delegation of deputy information officers

CHAPTER 6
PRIOR AUTHORISATION

Prior Authorisation

56. Processing subject to prior authorisation
57. Responsible party to notify Regulator if processing is subject to prior authorisation
58. Failure to notify processing subject to prior authorisation

CHAPTER 7
CODES OF CONDUCT

59. Issuing of codes of conduct
60. Process for issuing codes of conduct
61. Notification, availability and commencement of code of conduct
62. Procedure for dealing with complaints
63. Amendment and revocation of codes of conduct
64. Guidelines about codes of conduct


65. Register of approved codes of conduct
66. Review of operation of approved code of conduct
67. Effect of failure to comply with code of conduct

CHAPTER 8
RIGHTS OF DATA SUBJECTS REGARDING DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING

68. Direct marketing by means of unsolicited electronic communications
69. Directories
70. Automated decision making

CHAPTER 9
TRANSBORDER INFORMATION FLOWS

72. Transfers of personal information outside Republic

CHAPTER 10
ENFORCEMENT

71. Interference with protection of personal information of data subject
72. Complaints
73. Mode of complaints to Regulator
74. Action on receipt of complaint
75. Regulator may decide to take no action on complaint
76. Referral of complaint to regulatory body
77. Pre-investigation proceedings of Regulator
78. Settlement of complaints
79. Investigation proceedings of Regulator
80. Issue of warrants
81. Requirements for issuing of warrant
82. Execution of warrants


83. Matters exempt from search and seizure
84. Communication between legal adviser and client exempt
85. Objection to search and seizure
86. Return of warrants
87. Assessment
88. Information notice
89. Parties to be informed of result of assessment
90. Matters referred to Enforcement Committee
Functions of Enforcement Committee
91. Parties to be informed of developments during and result of investigation
92. Enforcement notice
93. Cancellation of enforcement notice
94. Right of appeal
95. Consideration of appeal
96. Civil remedies

CHAPTER 11
OFFENCES, PENALTIES AND ADMINISTRATIVE FINES

97. Obstruction of Regulator
Breach of confidentiality
98. Obstruction of execution of warrant
99. Failure to comply with enforcement or information notices
100. Offences by witnesses
101. Unlawful acts by responsible party in connection with account number
102. Unlawful acts by third parties in connection with account number
103. Penalties
104. Magistrate’s Court jurisdiction to impose penalties
105. Administrative fines


CHAPTER 12
GENERAL PROVISIONS

106. Amendment of laws
107. Fees
108. Regulations
109. Procedure for making regulations
Transitional arrangements
110. Short title and commencement
111. Fees
112. Regulations
113. Procedure for making regulations
114. Transitional arrangements
115. Short title and commencement


SCHEDULE

Laws amended by section 110

CHAPTER 1

DEFINITIONS AND PURPOSE

Definitions

1. In this Act, unless the context indicates otherwise—

‘‘biometrics’’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;

‘‘child’’ means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;

‘‘code of conduct’’ means a code of conduct issued in terms of Chapter 7;

‘‘competent person’’ means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;

‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

‘‘Constitution’’ means the Constitution of the Republic of South Africa, 1996;

‘‘data subject’’ means the person to whom personal information relates;

‘‘de-identify’’, in relation to personal information of a data subject, means to delete any information that—

(a) identifies the data subject;


(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,

and ‘‘de-identified’’ has a corresponding meaning;

‘‘direct marketing’’ means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—

(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or

(b) requesting the data subject to make a donation of any kind for any reason;

‘‘electronic communication’’ means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;

‘‘enforcement notice’’ means a notice issued in terms of section 95;

‘‘filing system’’ means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;

‘‘information matching programme’’ means the comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;

‘‘information officer’’ of, or in relation to, a—

(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or

(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;


‘‘Minister’’ means the Cabinet member responsible for the administration of justice;

‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

‘‘person’’ means a natural person or a juristic person;

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

‘‘prescribed’’ means prescribed by regulation or by a code of conduct;

‘‘private body’’ means—

(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;


(b) a partnership which carries or has carried on any trade, business or profession; or

(c) any former or existing juristic person, but excludes a public body;

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

‘‘professional legal adviser’’ means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice;

‘‘Promotion of Access to Information Act’’ means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);

‘‘public body’’ means—

(a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or

(b) any other functionary or institution when—

(i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or

(ii) exercising a public power or performing a public function in terms of any legislation;

‘‘public record’’ means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;

‘‘record’’ means any recorded information—


(a) regardless of form or medium, including any of the following:

(i) Writing on any material;

(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;

(iii) label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;

(iv) book, map, plan, graph or drawing;

(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

(b) in the possession or under the control of a responsible party;

(c) whether or not it was created by a responsible party; and

(d) regardless of when it came into existence;

‘‘Regulator’’ means the Information Regulator established in terms of section 39;

‘‘re-identify’’, in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that—

(a) identifies the data subject;

(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,

and ‘‘re-identified’’ has a corresponding meaning;

‘‘Republic’’ means the Republic of South Africa;

‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;


‘‘restriction’’ means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information;

‘‘special personal information’’ means personal information as referred to in section 26;

‘‘this Act’’ includes any regulation or code of conduct made under this Act; and

‘‘unique identifier’’ means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

Purpose of Act

2. The purpose of this Act is to—

(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—

(i) balancing the right to privacy against other rights, particularly the right of access to information; and

(ii) protecting important interests, including the free flow of information within the Republic and across international borders;

(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;

(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and

(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.


CHAPTER 2

APPLICATION PROVISIONS

Application and interpretation of Act

1. (1) This Act applies to the processing of personal information—

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

‘‘Regulator’’ means the Information Regulator established in terms of section 39;

‘‘record’’ means any recorded information—

(a) regardless of form or medium, including any of the following:

(i) Writing on any material;

(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from the information so produced, recorded or stored;

(iii) label, marking or other writing that identifies or describes any object of which it forms part, or to which it is attached by any means;

(iv) book, map, plan, graph or drawing;

(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of other equipment, of being reproduced;

(b) in the possession or under the control of a responsible party;

(c) whether or not it was created by the responsible party; and

(d) regardless of when it came into existence;

‘‘Republic’’ means the Republic of South Africa;

‘‘special personal information’’ means personal information as referred to in section 26;


‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

‘‘unique identifier’’ means any identifier that is assigned to a data subject and that is used by a responsible party for the purposes of the operations of that responsible party and by which that responsible party uniquely identifies the data subject;

‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;

‘‘prescribed’’ means prescribed by regulation or by a code of conduct; and

‘‘Promotion of Access to Information Act’’ means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).

Purpose of Act

2. The purpose of this Act is to—

(a) give effect to the constitutional right to privacy, by protecting personal information when it is processed by a responsible party, subject to justifiable limitations that are aimed at—

(i) balancing the right to privacy against other rights, particularly the right of access to information; and

(ii) protecting important interests, including the free flow of information within the Republic and across international borders;

(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum requirements for the lawful processing of personal information;


(c) provide persons with rights and remedies in order to protect their personal information against processing that is not in accordance with this Act; and

(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, in order to ensure respect for, and the promotion, enforcement and fulfilment of, the rights protected in this Act.

CHAPTER 2

APPLICATION PROVISIONS

Application and interpretation of Act

3. (1) This Act applies to the processing of personal information—

(a) entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof; and

(b) where the responsible party is—

(i) domiciled in the Republic; or

(ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.

(2) (a) This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act.

(b) If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3, the extensive conditions prevail.


(3) This Act must be interpreted in a manner that—

(a) gives effect to the purpose of the Act set out in section 2; and

(b) does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such powers, duties and functions relate to the processing of personal information and such processing is in accordance with this Act or any other legislation, as referred to in subsection (2), that regulates the processing of personal information.

(4) ‘‘Automated means’’, for the purposes of this section, means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

Lawful processing of personal information

4. (1) The conditions for the lawful processing of personal information by or for a responsible party are the following:

(a) ‘‘Accountability’’, as referred to in section 8;

(b) ‘‘Processing limitation’’, as referred to in sections 9 to 12;

(c) ‘‘Purpose specification’’, as referred to in sections 13 and 14;

(d) ‘‘Further processing limitation’’, as referred to in section 15;

(e) ‘‘Information quality’’, as referred to in section 16;

(f) ‘‘Openness’’, as referred to in sections 17 and 18;

(g) ‘‘Security safeguards’’, as referred to in sections 19 to 22; and

(h) ‘‘Data subject participation’’, as referred to in sections 23 to 25.

(2) The conditions, as referred to in subsection (1), are not applicable to the processing of personal information to the extent that such processing is—

(a) excluded, in terms of section 6 or 7, from the operation of this Act; or


(b) exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.

(3) The processing of the special personal information of a data subject is prohibited in terms of section 26, unless the—

(a) provisions of sections 27 to 33 are applicable; or

(b) Regulator has granted an authorisation in terms of section 27(2), in which case, subject to section 37 or 38, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.

(4) The processing of the personal information of a child is prohibited in terms of section 34, unless the—

(a) provisions of section 35(1) are applicable; or

(b) Regulator has granted an authorisation in terms of section 35(2),

in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.

(5) The processing of the special personal information of a child is prohibited in terms of sections 26 and 34 unless the provisions of sections 27 and 35 are applicable in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.

(6) The conditions for the lawful processing of personal information by or for a responsible party for the purpose of direct marketing by any means are reflected in Chapter 3, read with section 69 insofar as that section relates to direct marketing by means of unsolicited electronic communications.

(7) Sections 60 to 68 provide for the development, in appropriate circumstances, of codes of conduct for purposes of clarifying how the conditions referred to in subsection (1), subject to any exemptions which may have been granted in terms of section 37, are to be applied, or are to be complied with within a particular sector.


Rights of data subjects

5. A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—

(a) to be notified that—

(i) personal information about him, her or it is being collected as provided for in terms of section 18; or

(ii) his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;

(b) to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;

(c) to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;

(d) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);

(e) to object to the processing of his, her or its personal information—

(i) at any time for purposes of direct marketing in terms of section 11(3)(b); or

(ii) in terms of section 69(3)(c);

(f) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);

(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;

(h) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and

(i) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.

Exclusions

6. (1) This Act does not apply to the processing of personal information—

(a) in the course of a purely personal or household activity;

(b) that has been de-identified to the extent that it cannot be re-identified again;

(c) by or on behalf of a public body—

(i) which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or

(ii) the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;

(d) by the Cabinet and its committees or the Executive Council of a province; or

(e) relating to the judicial functions of a court referred to in section 166 of the Constitution.

(2) “Terrorist and related activities”, for purposes of subsection (1)(c), means those activities referred to in section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act No. 33 of 2004).

Exclusion for journalistic, literary or artistic purposes

7. (1) This Act does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.

(2) Where a responsible party who processes personal information for exclusively journalistic purposes is, by virtue of office, employment or profession, subject to a code of ethics that provides adequate safeguards for the protection of personal information, such code will apply to the processing concerned to the exclusion of this Act and any alleged interference with the protection of the personal information of a data subject that may arise as a result of such processing must be adjudicated as provided for in terms of that code.

(3) In the event that a dispute may arise in respect of whether adequate safeguards have been provided for in a code as required in terms of subsection (2) or not, regard may be had to—

(a) the special importance of the public interest in freedom of expression;

(b) domestic and international standards balancing the—

(i) public interest in allowing for the free flow of information to the public through the media in recognition of the right of the public to be informed; and

(ii) public interest in safeguarding the protection of personal information of data subjects;

(c) the need to secure the integrity of personal information;

(d) domestic and international standards of professional integrity for journalists; and

(e) the nature and ambit of self-regulatory forms of supervision provided by the profession.

CHAPTER 2

CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

CHAPTER 3

CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

Part A

Processing of personal information in general

Condition 1

Accountability

Responsible party to ensure conditions for lawful processing

8. The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

Condition 2

Processing limitation

Lawfulness of processing

9. Personal information must be processed—

(a) lawfully; and

(b) in a reasonable manner that does not infringe the privacy of the data subject.

Minimality

10. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Consent, justification and objection

11. (1) Personal information may only be processed if—

(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

(2) (a) The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).

(b) The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.

(3) A data subject may object, at any time, to the processing of personal information—

(a) in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or

(b) for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.

(4) If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.

Collection directly from data subject

12. (1) Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).

(2) It is not necessary to comply with subsection (1) if—

(a) the information is contained in or derived from a public record or has deliberately been made public by the data subject;

(b) the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;

(c) collection of the information from another source would not prejudice a legitimate interest of the data subject;

(d) collection of the information from another source is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;

(iv) in the interests of national security; or

(v) to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;

(e) compliance would prejudice a lawful purpose of the collection; or

(f) compliance is not reasonably practicable in the circumstances of the particular case.

Condition 3

Purpose specification

Collection for specific purpose

13. (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

(2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.

Retention and restriction of records

14. (1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—

(a) retention of the record is required or authorised by law;

(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;

(c) retention of the record is required by a contract between the parties thereto; or

(d) the data subject or a competent person where the data subject is a child has consented to the retention of the record.

(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.

(3) A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must—

(a) retain the record for such period as may be required or prescribed by law or a code of conduct; or

(b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.

(4) A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).

(5) The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that prevents its reconstruction in an intelligible form.

(6) The responsible party must restrict processing of personal information if—

(a) its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information;

(b) the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;

(c) the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or

(d) the data subject requests to transmit the personal data into another automated processing system.

(7) Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.

(8) Where processing of personal information is restricted pursuant to subsection (6), the responsible party must inform the data subject before lifting the restriction on processing.

Condition 4

Further processing limitation

Further processing to be compatible with purpose of collection

15. (1) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.

(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—

(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;

(b) the nature of the information concerned;

(c) the consequences of the intended further processing for the data subject;

(d) the manner in which the information has been collected; and

(e) any contractual rights and obligations between the parties.

(3) The further processing of personal information is not incompatible with the purpose of collection if—

(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information;

(b) the information is available in or derived from a public record or has deliberately been made public by the data subject;

(c) further processing is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—

(i) public health or public safety; or

(ii) the life or health of the data subject or another individual;

(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or

(f) the further processing of the information is in accordance with an exemption granted under section 37.

Condition 5

Information quality

Quality of information

16. (1) A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

(2) In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.

Condition 6

Openness

Documentation

17. A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.

Notification to data subject when collecting personal information

18. (1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

(iv) existence of the right to object to the processing of personal information as referred to in section 11(3); and

(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes.

Condition 7

Security Safeguards

Security measures on integrity and confidentiality of personal information

19. (1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information.

(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Information processed by operator or person acting under authority

20. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.

Security measures regarding information processed by operator

21. (1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Notification of security compromises

22. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—

(a) the Regulator; and

(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

(3) The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.

(4) The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:

(a) Mailed to the data subject’s last known physical or postal address;

(b) sent by e-mail to the data subject’s last known e-mail address;

(c) placed in a prominent position on the website of the responsible party;

(d) published in the news media; or

(e) as may be directed by the Regulator.

(5) The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—

(a) a description of the possible consequences of the security compromise;

(b) a description of the measures that the responsible party intends to take or has taken to address the security compromise;

(c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and

(d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

(6) The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

Condition 8

Data subject participation

Access to personal information

23. (1) A data subject, having provided adequate proof of identity, has the right to—

(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and

(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—

(i) within a reasonable time;

(ii) at a prescribed fee, if any;

(iii) in a reasonable manner and format; and

(iv) in a form that is generally understandable.

(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.

(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1)(b) to enable the responsible party to respond to a request, the responsible party—

(a) must give the applicant a written estimate of the fee before providing the services; and

(b) may require the applicant to pay a deposit for all or part of the fee.

(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.

(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.

(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.

Correction of personal information

24. (1) A data subject may, in the prescribed manner, request a responsible party to—

(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.

(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—

(a) correct the information;

(b) destroy or delete the information;

(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or

(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.

(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.

Manner of access

25. The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.

Part B

Processing of special personal information

Prohibition on processing of special personal information

26. A responsible party may, subject to section 27, not process personal information concerning—

(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

(b) the criminal behaviour of a data subject to the extent that such information relates to—

(i) the alleged commission by a data subject of any offence; or

(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

General authorisation concerning special personal information

27. (1) The prohibition on processing personal information, as referred to in section 26, does not apply if the—

(a) processing is carried out with the consent of a data subject referred to in section 26;

(b) processing is necessary for the establishment, exercise or defence of a right or obligation in law;

(c) processing is necessary to comply with an obligation of international public law;

(d) processing is for historical, statistical or research purposes to the extent that—

(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or

(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;

(e) information has deliberately been made public by the data subject; or

(f) provisions of sections 28 to 33 are, as the case may be, complied with.

(2) The Regulator may, subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject.

(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2).

Authorisation concerning data subject’s religious or philosophical beliefs

28. (1) The prohibition on processing personal information concerning a data subject’s religious or philosophical beliefs, as referred to in section 26, does not apply if the processing is carried out by—

(a) spiritual or religious organisations, or independent sections of those organisations if—

(i) the information concerns data subjects belonging to those organisations; or

(ii) it is necessary to achieve their aims and principles;

(b) institutions founded on religious or philosophical principles with respect to their members or employees or other persons belonging to the institution, if it is necessary to achieve their aims and principles; or

(c) other institutions: Provided that the processing is necessary to protect the spiritual welfare of the data subjects, unless they have indicated that they object to the processing.

(2) In the cases referred to in subsection (1)(a), the prohibition does not apply to processing of personal information concerning the religion or philosophy of life of family members of the data subjects, if—

(a) the association concerned maintains regular contact with those family members in connection with its aims; and

(b) the family members have not objected in writing to the processing.

(3) In the cases referred to in subsections (1) and (2), personal information concerning a data subject’s religious or philosophical beliefs may not be supplied to third parties without the consent of the data subject.

Authorisation concerning data subject’s race or ethnic origin

29. The prohibition on processing personal information concerning a data subject’s race or ethnic origin, as referred to in section 26, does not apply if the processing is carried out to—

(a) identify data subjects and only when this is essential for that purpose; and

(b) comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.

Authorisation concerning data subject’s trade union membership

30. (1) The prohibition on processing personal information concerning a data subject’s trade union membership, as referred to in section 26, does not apply to the processing by the trade union to which the data subject belongs or the trade union federation to which that trade union belongs, if such processing is necessary to achieve the aims of the trade union or trade union federation.

(2) In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.

Authorisation concerning data subject’s political persuasion

31. (1) The prohibition on processing personal information concerning a data subject’s political persuasion, as referred to in section 26, does not apply to processing by or for an institution, founded on political principles, of the personal information of—


(a) its members or employees or other persons belonging to the institution, if such processing is necessary to achieve the aims or principles of the institution; or

(b) a data subject if such processing is necessary for the purposes of—

(i) forming a political party;

(ii) participating in the activities of, or engaging in the recruitment of members for or canvassing supporters or voters for, a political party with the view to—

(aa) an election of the National Assembly or the provincial legislature as regulated in terms of the Electoral Act, 1998 (Act No. 73 of 1998);

(bb) municipal elections as regulated in terms of the Local Government: Municipal Electoral Act, 2000 (Act No. 27 of 2000); or

(cc) a referendum as regulated in terms of the Referendums Act, 1983 (Act No. 108 of 1983); or

(iii) campaigning for a political party or cause.

(2) In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.

Authorisation concerning data subject’s health or sex life

32. (1) The prohibition on processing personal information concerning a data subject’s health or sex life, as referred to in section 26, does not apply to the processing by—

(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;

(b) insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for—

(i) assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;


(ii) the performance of an insurance or medical scheme agreement; or

(iii) the enforcement of any contractual rights and obligations;

(c) schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;

(d) any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;

(e) any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or

(f) administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for—

(i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or

(ii) the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.

(2) In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.

(3) A responsible party that is permitted to process information concerning a data subject’s health or sex life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).

(4) The prohibition on processing any of the categories of personal information referred to in section 26, does not apply if it is necessary to supplement the processing of personal information concerning a data subject’s health, as referred to under subsection (1)(a), with a view to the proper treatment or care of the data subject.

(5) Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless—

(a) a serious medical interest prevails; or

(b) the processing is necessary for historical, statistical or research activity.

(6) More detailed rules may be prescribed concerning the application of subsection (1)(b) and (f).

Authorisation concerning data subject’s criminal behaviour or biometric information

33. (1) The prohibition on processing personal information concerning a data subject’s criminal behaviour or biometric information, as referred to in section 26, does not apply if the processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law.

(2) The processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation.

(3) The prohibition on processing any of the categories of personal information referred to in section 26 does not apply if such processing is necessary to supplement the processing of information on criminal behaviour or biometric information permitted by this section.


Part C Processing of personal information of children

Prohibition on processing personal information of children

34. A responsible party may, subject to section 35, not process personal information concerning a child.

General authorisation concerning personal information of children

35. (1) The prohibition on processing personal information of children, as referred to in section 34, does not apply if the processing is—

(a) carried out with the prior consent of a competent person;

(b) necessary for the establishment, exercise or defence of a right or obligation in law;

(c) necessary to comply with an obligation of international public law;

(d) for historical, statistical or research purposes to the extent that—

(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or

(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or

(e) of personal information which has deliberately been made public by the child with the consent of a competent person.

(2) The Regulator may, notwithstanding the prohibition referred to in section 34, but subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child.

(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2), including conditions with regard to how a responsible party must—


(a) upon request of a competent person provide a reasonable means for that person to—

(i) review the personal information processed; and

(ii) refuse to permit its further processing;

(b) provide notice—

(i) regarding the nature of the personal information of children that is processed;

(ii) how such information is processed; and

(iii) regarding any further processing practices;

(c) refrain from any action that is intended to encourage or persuade a child to disclose more personal information about him- or herself than is reasonably necessary given the purpose for which it is intended; and

(d) establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information collected from children.


CHAPTER 4

EXEMPTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION


General

36. Processing of personal information is not in breach of a condition for the processing of such information if the—

(a) Regulator grants an exemption in terms of section 37; or

(b) processing is in accordance with section 38.

Regulator may exempt processing of personal information

37. (1) The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that processing is in breach of a condition for the processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that, in the circumstances of the case—

(a) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or

(b) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.

(2) The public interest referred to in subsection (1) includes—

(a) the interests of national security;

(b) the prevention, detection and prosecution of offences;

(c) important economic and financial interests of a public body;

(d) fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c);

(e) historical, statistical or research activity; or

(f) the special importance of the interest in freedom of expression.

(3) The Regulator may impose reasonable conditions in respect of any exemption granted under subsection (1).


Exemption in respect of certain functions

38. (1) Personal information processed for the purpose of discharging a relevant function is exempt from sections 11(3) and (4), 12, 15 and 18 in any case to the extent to which the application of those provisions to the personal information would be likely to prejudice the proper discharge of that function.

(2) “Relevant function” for purposes of subsection (1), means any function—

(a) of a public body; or

(b) conferred on any person in terms of the law, which is performed with the view to protecting members of the public against—

(i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or

(ii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity.


CHAPTER 5

SUPERVISION


Part A Information Regulator

Establishment of Information Regulator

39. There is hereby established a juristic person to be known as the Information Regulator, which—

(a) has jurisdiction throughout the Republic;

(b) is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice;

(c) must exercise its powers and perform its functions in accordance with this Act and the Promotion of Access to Information Act; and

(d) is accountable to the National Assembly.

Powers, duties and functions of Regulator

40. (1) The powers, duties and functions of the Regulator in terms of this Act are—

(a) to provide education by—

(i) promoting an understanding and acceptance of the conditions for the lawful processing of personal information and of the objects of those conditions;

(ii) undertaking educational programmes, for the purpose of promoting the protection of personal information, on the Regulator’s own behalf or in co-operation with other persons or authorities acting on behalf of the Regulator;

(iii) making public statements in relation to any matter affecting the protection of the personal information of a data subject or of any class of data subjects;

(iv) giving advice to data subjects in the exercise of their rights; and

(v) providing advice, upon request or on its own initiative, to a Minister or a public or private body on their obligations under the provisions, and generally on any matter relevant to the operation, of this Act;


(b) to monitor and enforce compliance by—

(i) public and private bodies with the provisions of this Act;

(ii) undertaking research into, and monitoring developments in, information processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information of data subjects are minimised, and reporting to the Minister the results of such research and monitoring;

(iii) examining any proposed legislation, including subordinate legislation, or proposed policy of the Government that the Regulator considers may affect the protection of the personal information of data subjects, and reporting to the Minister the results of that examination;

(iv) reporting upon request or on its own accord, to Parliament from time to time on any policy matter affecting the protection of the personal information of a data subject, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the personal information of a data subject;

(v) submitting a report to Parliament, within five months of the end of its financial year, on all its activities in terms of this Act during that financial year;

(vi) conducting an assessment, on its own initiative or when requested to do so, of a public or private body, in respect of the processing of personal information by that body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information;

(vii) monitoring the use of unique identifiers of data subjects, and reporting to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking, legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject;

(viii) maintaining, publishing and making available and providing copies of such registers as are prescribed in this Act; and


(ix) examining any proposed legislation that makes provision for the—

(aa) collection of personal information by any public or private body; or

(bb) disclosure of personal information by one public or private body to any other public or private body, or both, to have particular regard, in the course of that examination, to the matters set out in section 44(2), in any case where the Regulator considers that the information might be used for the purposes of an information matching programme, and reporting to the Minister and Parliament the results of that examination;

(c) to consult with interested parties by—

(i) receiving and inviting representations from members of the public on any matter affecting the personal information of a data subject;

(ii) co-operating on a national and international basis with other persons and bodies concerned with the protection of personal information; and

(iii) acting as mediator between opposing parties on any matter that concerns the need for, or the desirability of, action by a responsible party in the interests of the protection of the personal information of a data subject;

(d) to handle complaints by—

(i) receiving and investigating complaints about alleged violations of the protection of personal information of data subjects and reporting to complainants in respect of such complaints;

(ii) gathering such information as in the Regulator’s opinion will assist the Regulator in discharging the duties and carrying out the Regulator’s functions under this Act;

(iii) attempting to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and


(iv) serving any notices in terms of this Act and further promoting the resolution of disputes in accordance with the prescripts of this Act;

(e) to conduct research and to report to Parliament—

(i) from time to time on the desirability of the acceptance, by South Africa, of any international instrument relating to the protection of the personal information of a data subject; and

(ii) on any other matter, including necessary legislative amendments, relating to protection of personal information that, in the Regulator’s opinion, should be drawn to Parliament’s attention;

(f) in respect of codes of conduct to—

(i) issue, from time to time, codes of conduct, amend codes and to revoke codes of conduct;

(ii) make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct; and

(iii) consider afresh, upon application, determinations by adjudicators under approved codes of conduct;

(g) to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation; and

(h) in general to—

(i) do anything incidental or conducive to the performance of any of the preceding functions;

(ii) exercise and perform such other functions, powers, and duties as are conferred or imposed on the Regulator by or under this Act or any other legislation;

(iii) require the responsible party to disclose to any person affected by a compromise to the integrity or confidentiality of personal information, such compromise in accordance with section 22; and

(iv) exercise the powers conferred upon the Regulator by this Act in matters relating to the access of information as provided by the Promotion of Access to Information Act.


(2) The Regulator may, from time to time, in the public interest or in the legitimate interests of any person or body of persons, publish reports relating generally to the exercise of the Regulator’s functions under this Act or to any case or cases investigated by the Regulator, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.

(3) The provisions of sections 3 and 4 of the Commissions Act, 1947 (Act No. 8 of 1947), will apply, with the necessary changes, to the Regulator.

(4) The powers and duties of the Regulator in terms of the Promotion of Access to Information Act are set out in Parts 4 and 5 of that Act.

Appointment, term of office and removal of members of Regulator

41. (1) (a) The Regulator consists of the following members:

(i) A Chairperson; and

(ii) four other persons, as ordinary members of the Regulator.

(b) Members of the Regulator must be appropriately qualified, fit and proper persons—

(i) at least one of whom must be appointed on account of experience as a practising advocate or attorney or a professor of law at a university; and

(ii) the remainder of whom must be appointed on account of any other qualifications, expertise and experience relating to the objects of the Regulator.

(c) The Chairperson of the Regulator must be appointed in a full-time capacity and may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which he or she holds office as Chairperson.

(d) The ordinary members of the Regulator must be appointed as follows:

(i) Two ordinary members in a full-time capacity; and

(ii) two ordinary members in a full-time or part-time capacity.

(e) The members referred to in paragraph (d) who are appointed in a full-time capacity, may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which they hold office.


(f) The Chairperson must direct the work of the Regulator and the staff of the Regulator.

(g) A person may not be appointed as a member of the Regulator if he or she—

(i) is not a citizen of the Republic;

(ii) is a public servant;

(iii) is a member of Parliament, any provincial legislature or any municipal council;

(iv) is an office-bearer or employee of any political party;

(v) is an unrehabilitated insolvent;

(vi) has been declared by a court to be mentally ill or unfit; or

(vii) has at any time been convicted, whether in the Republic or elsewhere, of any offence involving dishonesty.

(2) (a) The Chairperson and the members of the Regulator referred to in subsection (1)(a) must be appointed by the President on the recommendation of the National Assembly, which recommendation must also indicate which ordinary members must be appointed in a full-time or part-time capacity.

(b) The National Assembly must recommend persons—

(i) nominated by a committee of the Assembly composed of members of parties represented in the Assembly; and

(ii) approved by the Assembly by a resolution adopted with a supporting vote of a majority of the members of the Assembly.

(3) The members of the Regulator will be appointed for a period of not more than five years and will, at the expiration of such period, be eligible for reappointment.

(4) The Chairperson of the Regulator or a member who has been appointed in a full-time capacity may, notwithstanding the provisions of subsection (1)(c) or (e), only perform or undertake to perform any other remunerative work during the period that he or she holds office as Chairperson or member with the prior written consent of the Minister.

(5) A person appointed as a member of the Regulator may, upon written notice to the President, resign from office.


(6) (a) A member may be removed from office only on—

(i) the ground of misconduct, incapacity or incompetence;

(ii) a finding to that effect by a committee of the National Assembly; and

(iii) the adoption by the National Assembly of a resolution calling for that person’s removal from office.

(b) A resolution of the National Assembly concerning the removal from office of a member of the Regulator must be adopted with a supporting vote of a majority of the members of the Assembly.

(c) The President—

(i) may suspend a member from office at any time after the start of the proceedings of a committee of the National Assembly for the removal of that member; and

(ii) must remove a member from office upon adoption by the Assembly of the resolution calling for that member’s removal.

Vacancies

42. (1) A vacancy in the Regulator occurs if a member—

(a) becomes subject to a disqualification referred to in section 41(1)(g);

(b) tenders his or her resignation as contemplated in section 41(5) and the resignation takes effect;

(c) is removed from office in terms of section 41(6);

(d) dies; or

(e) becomes permanently incapable of doing his or her work.

(2) (a) Where a vacancy has arisen as contemplated in subsection (1), the procedure contemplated in section 41(2) applies.

(b) Any member appointed under this subsection holds office for the rest of the period of the predecessor’s term of office, unless the President, upon recommendation by the National Assembly, appoints that member for a longer period which may not exceed five years.


Powers, duties and functions of Chairperson and other members

43. (1) The Chairperson—

(a) must exercise the powers and perform the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act; and

(b) is, for the purposes of exercising the powers and performing the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act, accountable to the Regulator.

(2) (a) The members referred to in section 41(1)(d)(i) must exercise their powers and perform their duties and functions as follows:

(i) One member in terms of this Act; and

(ii) one member in terms of the Promotion of Access to Information Act.

(b) The members referred to in section 41(1)(d)(ii) must exercise their powers and perform their duties and functions either in terms of this Act or the Promotion of Access to Information Act, or both.

(c) The members, referred to in paragraphs (a) and (b), are, for the purposes of exercising their powers and performing their duties and functions, accountable to the Chairperson.

Regulator to have regard to certain matters

44. (1) In the performance of its functions, and the exercise of its powers, under this Act the Regulator must—

(a) have due regard to the conditions for the lawful processing of personal information as referred to in Chapter 3;

(b) have due regard for the protection of all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way;

(c) take account of international obligations accepted by South Africa; and

(d) consider any developing general international guidelines relevant to the better protection of individual privacy.


(2) In performing its functions in terms of section 40(1)(b)(ix)(bb) with regard to information matching programmes, the Regulator must have particular regard to whether or not the—

(a) objective of the programme relates to a matter of significant public importance;

(b) use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable or in other comparable benefits to society;

(c) use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b);

(d) public interest in allowing the programme to proceed outweighs the public interest in adhering to the conditions for the lawful processing of personal information that the programme would otherwise contravene; and

(e) programme involves information matching on a scale that is excessive, having regard to—

(i) the number of responsible parties or operators that will be involved in the programme; and

(ii) the amount of detail about a data subject that will be matched under the programme.

(3) In determining whether the processing of personal information for exclusively journalistic purposes by a responsible party who is, by virtue of office, employment or profession, not subject to a code of ethics as referred to in section 7(1), constitutes an interference with the protection of the personal information of the data subject in terms of section 73, the Regulator must have particular regard to the factors referred to in section 7(3)(a) to (d).

Conflict of interest

45. (1) If any member of the Regulator or any person appointed by the Regulator in terms of this Act has a material interest in any matter which could conflict with the proper performance of his or her duties in terms of this Act or the Promotion of Access to Information Act, he or she must disclose that interest, as prescribed, as soon as practicable after the relevant facts came to his or her knowledge.

(2) (a) If a member of the Regulator or person referred to in subsection (1)—

(i) is present at a meeting of the Regulator or committee referred to in section 49 or 50 at which a matter contemplated in that subsection is to be considered, the member or person concerned must disclose the nature of his or her interest to the meeting before the matter is considered; or

(ii) fails to make a disclosure as required by this subsection and is present at a meeting of the Regulator or committee, as the case may be, or in any other manner participates in the proceedings, such proceedings in relation to the relevant matter must, as soon as the non-disclosure is discovered, be reviewed and be varied or set aside by the Regulator or the committee, as the case may be, without the participation of the member or person concerned.

(b) A member of the Regulator or person referred to in subsection (1) who is obliged to make a disclosure in terms of this subsection may not be present during any deliberation, or take part in any decision, in relation to the matter in question.

(c) Any disclosure made in terms of this subsection must be noted in the minutes of the relevant meeting of the Regulator or committee.

(3) A member of the Regulator or person referred to in subsection (1) who has disclosed a conflict of interest in terms of subsection (1)—

(a) may perform all duties relating to the matter in question if a decision has been taken that the interest is trivial or irrelevant; or

(b) must be relieved of all duties relating to the matter in question and such duties must be performed by another member of the Regulator or by another person referred to in subsection (1), as the case may be, who has no such conflict of interest.

Remuneration, allowances, benefits and privileges of members

46. (1) A member of the Regulator or a person referred to in section 49(1)(b) or 50(1)(b) who is not subject to the provisions of the Public Service Act, 1994 (Proclamation No. 103 of 1994), or who is not a judge of the High Court of South Africa or a magistrate will be entitled to such remuneration, allowances, including allowances for reimbursement of travelling and subsistence expenses incurred by him or her in the performance of his or her functions under this Act and the Promotion of Access to Information Act, benefits and privileges as the Minister in consultation with the Minister of Finance may determine.

(2) The remuneration, allowances, benefits or privileges of different members of the Regulator may differ according to the different—

(a) positions held by them in the Regulator; or

(b) functions performed, whether in a part-time or full-time capacity, by them from time to time.

Staff

47. (1) The Regulator must establish its own administration to assist it in the performance of its functions and to this end the Regulator must appoint, or secure the secondment in terms of subsection (6) of—

(a) a suitably qualified and experienced person as chief executive officer of the Regulator for the purpose of assisting the Regulator, subject to the Regulator’s direction and supervision, in the performance of all financial and administrative functions in terms of this Act and the Promotion of Access to Information Act, work arising from the administration of this Act and the Promotion of Access to Information Act and to exercise any power delegated by the Regulator to him or her; and

(b) such other member of staff as the Regulator may deem necessary to assist the Regulator and the chief executive officer, as the case may be, with all such work as may arise through the performance of its functions.

(2) (a) The chief executive officer may appoint a senior member of staff as acting chief executive officer to perform the functions of the chief executive officer in his or her absence.

(b) A member of the Regulator may not be appointed as acting chief executive officer.

(c) In the event that a vacancy occurs in the office of the chief executive officer the Regulator must appoint an acting chief executive officer.

(3) The Regulator must, in the appointment of the staff of the Regulator—

(a) provide for the advancement of persons disadvantaged by unfair discrimination, with the aim that its staff, when viewed collectively, represents a broad cross-section of the population of the Republic; and

(b) subject to paragraph (a), apply equal opportunity employment practices.

(4) The Regulator may pay to the persons in its employ such remuneration and allowances and provide them with such pension and other employment benefits as are consistent with that paid in the public sector.

(5) In exercising its powers in terms of subsections (1) and (4), the Regulator must consult with the Minister of Finance.

(6) The Regulator may, in the performance of the functions contemplated in subsection (1), at its request, be assisted by officials in the Public Service seconded to the service of the Regulator in terms of any law regulating such secondment: Provided that the secondment of an official to the service of the Regulator may not exceed 12 months and that the initial period of secondment may only be extended once for a subsequent period not exceeding 12 months.

(7) The Regulator may, in consultation with the Minister of Finance, on a temporary basis or for a particular matter which is being investigated by it, employ any person with special knowledge of any matter relating to the work of the Regulator, or obtain the co-operation of any body, to advise or assist the Regulator in the performance of its functions under this Act and the Promotion of Access to Information Act, and fix the remuneration, including reimbursement for travelling, subsistence and other expenses, of such person or body.

Powers, duties and functions of chief executive officer

48. The chief executive officer—

(a) is the head of administration and the accounting officer, as referred to in section 52(3), of the Regulator;

(b) may appoint a senior member of staff as acting chief executive officer as referred to in section 47(2);

(c) is responsible for the—

(i) management of the affairs and operations of the Regulator;

(ii) formation and development of an efficient administration;

(iii) organisation and management of, and administrative control over, all the members of staff appointed in terms of section 47(1)(b) and all the persons seconded in terms of section 47(6);

(iv) maintenance of discipline in respect of the members of staff; and

(v) execution of the decisions of the Regulator, and is for those purposes accountable to the Regulator and must report thereon to the Regulator as often as may be required by the Regulator; and

(d) must exercise the powers and perform the duties and functions which the Regulator may from time to time confer upon or assign to him or her in order to achieve the objects of the Regulator, and is for those purposes accountable to the Regulator.

Committees of Regulator

49. (1) The Regulator may, if it considers it necessary for the proper performance of its functions establish one or more committees, which must consist of—

(a) such members of the Regulator as the Regulator may designate; or

(b) such members of the Regulator as the Regulator may designate and other persons appointed by the Regulator, as referred to in section 47(7), for the period determined by the Regulator.

(2) The Regulator may at any time extend the period of an appointment referred to in subsection (1)(b) or, if in its opinion good reasons exist therefor, revoke any such appointment.

(3) The Regulator must designate the chairperson and, if the Regulator deems it necessary, the vice-chairperson of a committee established under subsection (1).

(4) (a) A committee referred to in subsection (1) must, subject to the directions of the Regulator, perform those functions of the Regulator assigned to it by the Regulator.

(b) Any function so performed by a committee referred to in subsection (1) will be deemed to have been performed by the Regulator.

(5) The Regulator may at any time dissolve any committee established by the Regulator.

(6) The provisions of sections 40(4) and 51 will apply, with the necessary changes, to a committee of the Regulator.

Establishment of Enforcement Committee

50. (1) The Regulator must establish an Enforcement Committee which must consist of—

(a) at least one member of the Regulator; and

(b) such other persons appointed by the Regulator, as referred to in section 47(7), for the period determined by the Regulator.

(2) The Regulator must—

(a) in consultation with the Chief Justice and Minister, appoint a—

(i) judge of the High Court of South Africa, whether in active service or not; or

(ii) magistrate with at least 10 years’ appropriate experience, whether in active service or not; or

(b) appoint an advocate or attorney with at least 10 years’ appropriate experience, as Chairperson of the Enforcement Committee.

(3) The Chairperson of the Enforcement Committee must manage the work of and preside at hearings of the Enforcement Committee.

(4) (a) A member referred to in subsection (1)(a) may not participate in any proceedings of the Regulator in terms of which a decision is taken with regard to a recommendation by the Enforcement Committee as referred to in section 93.

(b) A person referred to in subsection (1)(b) must be a fit and proper person and must comply with the criteria, referred to in section 41(1)(g), for appointment as a member of the Regulator.

Meetings of Regulator

51. (1) Meetings of the Regulator must be held at the times and places determined by the Chairperson of the Regulator.

(2) Three members of the Regulator constitute a quorum for a meeting.

(3) (a) The Chairperson may regulate the proceedings at meetings as he or she may think fit and must keep minutes of the proceedings.

(b) If the Chairperson is absent from a meeting the members present shall elect one of their number to preside at that meeting.

(4) (a) Subject to subsection (2), a decision of the Regulator is taken by resolution agreed to by the majority of members at any meeting of the Regulator.

(b) In the event of an equality of votes regarding any matter the Chairperson has a casting vote in addition to his or her deliberative vote.

Funds

52. (1) Funds of the Regulator consist of—

(a) such sums of money that Parliament appropriates annually, for the use of the Regulator as may be necessary for the proper exercise, performance and discharge, by the Regulator, of its powers, duties and functions under this Act and the Promotion of Access to Information Act; and

(b) fees as may be prescribed in terms of section 111(1).

(2) The financial year of the Regulator is the period from 1 April in any year to 31 March in the following year, except that the first financial year of the Regulator begins on the date that this Chapter comes into operation, and ends on 31 March next following that date.

(3) The chief executive officer of the Regulator is for purposes of the Public Finance Management Act, 1999 (Act No. 1 of 1999), the accounting officer and must execute his or her duties in accordance with that Act.

(4) Within six months after the end of each financial year, the Regulator must prepare financial statements in accordance with established accounting practice, principles and procedures, comprising—

(a) a statement reflecting, with suitable and sufficient particulars, the income and expenditure of the Regulator during the preceding financial year; and

(b) a balance sheet showing the state of its assets, liabilities and financial position as at the end of that financial year.

(5) The Auditor-General must audit the Regulator’s financial records each year.

Protection of Regulator

53. Any person acting on behalf or under the direction of the Regulator, is not civilly or criminally liable for anything done in good faith in the exercise or performance or purported exercise or performance of any power, duty or function of the Regulator in terms of this Act or the Promotion of Access to Information Act.

Duty of confidentiality

54. A person acting on behalf or under the direction of the Regulator, must, both during or after his or her term of office or employment, treat as confidential the personal information which comes to his or her knowledge in the course of the performance of his or her official duties, except if the communication of such information is required by law or in the proper performance of his or her duties.

Part B Information Officer

Duties and responsibilities of Information Officer

55. (1) An information officer’s responsibilities include—

(a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;

(b) dealing with requests made to the body pursuant to this Act;

(c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;

(d) otherwise ensuring compliance by the body with the provisions of this Act; and

(e) as may be prescribed.

(2) Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.

Designation and delegation of deputy information officers

56. Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—

(a) such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and

(b) any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

CHAPTER 6

PRIOR AUTHORISATION

Prior authorisation

Processing subject to prior authorisation

57. (1) The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—

(a) process any unique identifiers of data subjects—

(i) for a purpose other than the one for which the identifier was specifically intended at collection; and

(ii) with the aim of linking the information together with information processed by other responsible parties;

(b) process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;

(c) process information for the purposes of credit reporting; or

(d) transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.

(2) The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.

(3) This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.

(4) A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).

Responsible party to notify Regulator if processing is subject to prior authorisation

58. (1) Information processing as contemplated in section 57(1) must be notified as such by the responsible party to the Regulator.

(2) Responsible parties may not carry out information processing that has been notified to the Regulator in terms of subsection (1) until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.

(3) In the case of the notification of information processing to which section 57(1) is applicable, the Regulator must inform the responsible party in writing within four weeks of the notification as to whether or not it will conduct a more detailed investigation.

(4) In the event that the Regulator decides to conduct a more detailed investigation, it must indicate the period within which it plans to conduct this investigation, which period must not exceed 13 weeks.

(5) On conclusion of the more detailed investigation referred to in subsection (4) the Regulator must issue a statement concerning the lawfulness of the information processing.

(6) A statement by the Regulator in terms of subsection (5), to the extent that the information processing is not lawful, is deemed to be an enforcement notice served in terms of section 95 of this Act.

(7) A responsible party that has suspended its processing as required by subsection (2), and which has not received the Regulator’s decision within the time limits specified in subsections (3) and (4), may presume a decision in its favour and continue with its processing.

Failure to notify processing subject to prior authorisation

59. If section 58(1) or (2) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section 107.

CHAPTER 7

CODES OF CONDUCT

Issuing of codes of conduct

60. (1) The Regulator may from time to time issue codes of conduct.

(2) A code of conduct must—

(a) incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and

(b) prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.

(3) A code of conduct may apply in relation to any one or more of the following:

(a) Any specified information or class of information;

(b) any specified body or class of bodies;

(c) any specified activity or class of activities; or

(d) any specified industry, profession, or vocation or class of industries, professions, or vocations.

(4) A code of conduct must also—

(a) specify appropriate measures—

(i) for information matching programmes if such programmes are used within a specific sector; or

(ii) for protecting the legitimate interests of data subjects insofar as automated decision making, as referred to in section 71, is concerned;

(b) provide for the review of the code by the Regulator; and

(c) provide for the expiry of the code.

Process for issuing codes of conduct

61. (1) The Regulator may issue a code of conduct under section 60—

(a) on the Regulator’s own initiative, but after consultation with affected stakeholders or a body representing such stakeholders; or

(b) on the application, in the prescribed form, by a body which is, in the opinion of the Regulator, sufficiently representative of any class of bodies, or of any industry, profession, or vocation as defined in the code in respect of such class of bodies or of any such industry, profession or vocation.

(2) The Regulator must give notice in the Gazette that the issuing of a code of conduct is being considered, which notice must contain a statement that—

(a) the details of the code of conduct being considered, including a draft of the proposed code, may be obtained from the Regulator; and

(b) submissions on the proposed code may be made in writing to the Regulator within such period as is specified in the notice.

(3) The Regulator may not issue a code of conduct unless it has considered the submissions made to the Regulator in terms of subsection (2)(b), if any, and is satisfied that all persons affected by the proposed code have had a reasonable opportunity to be heard.

(4) The decision as to whether an application for the issuing of a code has been successful must be made within a reasonable period which must not exceed 13 weeks.

Notification, availability and commencement of code of conduct

62. (1) If a code of conduct is issued under section 60 the Regulator must ensure that—

(a) there is published in the Gazette, as soon as reasonably practicable after the code is issued, a notice indicating—

(i) that the code has been issued; and

(ii) where copies of the code are available for inspection free of charge and for purchase; and

(b) as long as the code remains in force, copies of it are available—

(i) on the Regulator’s website;

(ii) for inspection by members of the public free of charge at the Regulator’s offices; and

(iii) for purchase or copying by members of the public at a reasonable price at the Regulator’s offices.

(2) A code of conduct issued under section 60 comes into force on the 28th day after the date of its notification in the Gazette or on such later date as may be specified in the code and is binding on every class or classes of body, industry, profession or vocation referred to therein.

Procedure for dealing with complaints

63. (1) A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code, but no such provision may limit or restrict any provision of Chapter 10.

(2) If the code sets out procedures for making and dealing with complaints, the Regulator must be satisfied that—

(a) the procedures meet the—

(i) prescribed standards; and

(ii) guidelines issued by the Regulator in terms of section 65, relating to the making of and dealing with complaints;

(b) the code provides for the appointment of an independent adjudicator to whom complaints may be made;

(c) the code provides that, in exercising his or her powers and performing his or her functions, under the code, an adjudicator for the code must have due regard to the matters listed in section 44;

(d) the code requires the adjudicator to prepare and submit a report, in a form satisfactory to the Regulator, to the Regulator within five months of the end of a financial year of the Regulator on the operation of the code during that financial year; and

(e) the code requires the report prepared for each year to specify the number and nature of complaints made to an adjudicator under the code during the relevant financial year.

(3) A responsible party or data subject who is aggrieved by a determination, including any declaration, order or direction that is included in the determination, made by an adjudicator after having investigated a complaint relating to the protection of personal information under an approved code of conduct, may submit a complaint in terms of section 74(2) with the Regulator against the determination upon payment of a prescribed fee.

(4) The adjudicator’s determination continues to have effect unless and until the Regulator makes a determination under Chapter 10 relating to the complaint or unless the Regulator determines otherwise.

Amendment and revocation of codes of conduct

64. (1) The Regulator may amend or revoke a code of conduct issued under section 60.

(2) The provisions of sections 60 to 63 apply in respect of any amendment or revocation of a code of conduct.

Guidelines about codes of conduct

65. (1) The Regulator may provide written guidelines—

(a) to assist bodies to develop codes of conduct or to apply approved codes of conduct;

(b) relating to making and dealing with complaints under approved codes of conduct; and

(c) about matters the Regulator may consider in deciding whether to approve a code of conduct or a variation or revocation of an approved code of conduct.

(2) The Regulator must have regard to the guidelines as set out in section 7(3)(a) to (d) when considering the approval of a code of conduct for the processing of personal information for exclusively journalistic purposes where the responsible party is not subject to a code of ethics as referred to in section 7(1).

(3) Before providing guidelines for the purposes of subsection (1)(b), the Regulator must give everyone the Regulator considers has a real and substantial legitimate interest in the matters covered by the proposed guidelines an opportunity to comment on them.

(4) The Regulator must publish guidelines provided under subsection (1) in the Gazette.

Register of approved codes of conduct

66. (1) The Regulator must keep a register of approved codes of conduct.

(2) The Regulator may decide the form of the register and how it is to be kept.

(3) The Regulator must make the register available to the public in the way that the Regulator determines.

(4) The Regulator may charge reasonable fees for—

(a) making the register available to the public; or

(b) providing copies of, or extracts from, the register.

Review of operation of approved code of conduct

67. (1) The Regulator may, on its own initiative, review the operation of an approved code of conduct.

(2) The Regulator may do one or more of the following for the purposes of the review:

(a) Consider the process under the code for making and dealing with complaints;

(b) inspect the records of an adjudicator for the code;

(c) consider the outcome of complaints dealt with under the code;

(d) interview an adjudicator for the code; and

(e) appoint experts to review those provisions of the code that the Regulator believes require expert evaluation.

(3) The review may inform a decision by the Regulator under section 64 to revoke the approved code of conduct with immediate effect or at a future date to be determined by the Regulator.

Effect of failure to comply with code of conduct

68. If a code issued under section 60 is in force, failure to comply with the code is deemed to be a breach of the conditions for the lawful processing of personal information referred to in Chapter 3 and is dealt with in terms of Chapter 10.

CHAPTER 8

RIGHTS OF DATA SUBJECTS REGARDING DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING

Direct marketing by means of unsolicited electronic communications

69. (1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—

(a) has given his, her or its consent to the processing; or

(b) is, subject to subsection (3), a customer of the responsible party.

(2) (a) A responsible party may approach a data subject—

(i) whose consent is required in terms of subsection (1)(a); and

(ii) who has not previously withheld such consent, only once in order to request the consent of that data subject.

(b) The data subject’s consent must be requested in the prescribed manner and form.

(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—

(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;

(b) for the purpose of direct marketing of the responsible party’s own similar products or services; and

(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—

(i) at the time when the information was collected; and

(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.

(4) Any communication for the purpose of direct marketing must contain—

(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and

(b) an address or other contact details to which the recipient may send a request that such communications cease.

(5) “Automatic calling machine”, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.

Directories

70. (1) A data subject who is a subscriber to a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which his, her or its personal information is included, must be informed, free of charge and before the information is included in the directory—

(a) about the purpose of the directory; and

(b) about any further uses to which the directory may possibly be put, based on search functions embedded in electronic versions of the directory.

(2) A data subject must be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its personal information or to request verification, confirmation or withdrawal of such information if the data subject has not initially refused such use.

(3) Subsections (1) and (2) do not apply to editions of directories that were produced in printed or off-line electronic form prior to the commencement of this section.

(4) If the personal information of data subjects who are subscribers to fixed or mobile public voice telephony services have been included in a public subscriber directory in conformity with the conditions for the lawful processing of personal information prior to the commencement of this section, the personal information of such subscribers may remain included in this public directory in its printed or electronic versions, after having received the information required by subsection (1).

(5) “Subscriber”, for purposes of this section, means any person who is party to a contract with the provider of publicly available electronic communications services for the supply of such services.

Automated decision making

71. (1) Subject to subsection (2), a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.

(2) The provisions of subsection (1) do not apply if the decision—

(a) has been taken in connection with the conclusion or execution of a contract, and—

(i) the request of the data subject in terms of the contract has been met; or

(ii) appropriate measures have been taken to protect the data subject’s legitimate interests; or

(b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.

(3) The appropriate measures, referred to in subsection (2)(a)(ii), must—

(a) provide an opportunity for a data subject to make representations about a decision referred to in subsection (1); and

(b) require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).

CHAPTER 9

TRANSBORDER INFORMATION FLOWS

Transfers of personal information outside Republic

72. (1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—

(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—

(i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and

(ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;

(b) the data subject consents to the transfer;

(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or

(e) the transfer is for the benefit of the data subject, and—

(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

(ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

(2) For the purpose of this section—

(a) “binding corporate rules” means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and

(b) “group of undertakings” means a controlling undertaking and its controlled undertakings.


CHAPTER 10

ENFORCEMENT

Interference with protection of personal information of data subject

73. For the purposes of this Chapter, interference with the protection of the personal information of a data subject consists, in relation to that data subject, of—

(a) any breach of the conditions for the lawful processing of personal information as referred to in Chapter 3;

(b) non-compliance with section 22, 54, 69, 70, 71 or 72; or

(c) a breach of the provisions of a code of conduct issued in terms of section 60.

Complaints

74. (1) Any person may submit a complaint to the Regulator in the prescribed manner and form alleging interference with the protection of the personal information of a data subject.

(2) A responsible party or data subject may, in terms of section 63(3), submit a complaint to the Regulator in the prescribed manner and form if he, she or it is aggrieved by the determination of an adjudicator.

Mode of complaints to Regulator

75. (1) A complaint to the Regulator must be made in writing.

(2) The Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Regulator, to put the complaint in writing.

Action on receipt of complaint

76. (1) On receiving a complaint in terms of section 74, the Regulator may—

(a) conduct a pre-investigation as referred to in section 79;

(b) act, at any time during the investigation and where appropriate, as conciliator in relation to any interference with the protection of the personal information of a data subject in the prescribed manner;

(c) decide, in accordance with section 77, to take no action on the complaint or, as the case may be, require no further action in respect of the complaint;

(d) conduct a full investigation of the complaint;

(e) refer the complaint, in terms of section 92, to the Enforcement Committee; or

(f) take such further action as is contemplated by this Chapter.

(2) The Regulator must, as soon as is reasonably practicable, advise the complainant and the responsible party to whom the complaint relates of the course of action that the Regulator proposes to adopt under subsection (1).

(3) The Regulator may, on its own initiative, commence an investigation into the interference with the protection of the personal information of a data subject as referred to in section 73.

Regulator may decide to take no action on complaint

77. (1) The Regulator, after investigating a complaint received in terms of section 73, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Regulator’s opinion—

(a) the length of time that has elapsed between the date when the subject matter of the complaint arose and the date when the complaint was made is such that an investigation of the complaint is no longer practicable or desirable;

(b) the subject matter of the complaint is trivial;

(c) the complaint is frivolous or vexatious or is not made in good faith;

(d) the complainant does not desire that action be taken or, as the case may be, continued;

(e) the complainant does not have a sufficient personal interest in the subject matter of the complaint; or

(f) in cases where the complaint relates to a matter in respect of which a code of conduct is in force and the code of conduct makes provision for a complaints procedure, the complainant has failed to pursue, or to pursue fully, an avenue of redress available under that complaints procedure that it would be reasonable for the complainant to pursue.


(2) Notwithstanding anything in subsection (1), the Regulator may in its discretion decide not to take any further action on a complaint if, in the course of the investigation of the complaint, it appears to the Regulator that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate.

(3) In any case where the Regulator decides to take no action, or no further action, on a complaint, the Regulator must inform the complainant of that decision and the reasons for it.

Referral of complaint to regulatory body

78. (1) If, on receiving a complaint in terms of section 74, the Regulator considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of another regulatory body established in terms of any law, the Regulator must forthwith determine whether the complaint should be dealt with, in whole or in part, under this Act after consultation with the body concerned.

(2) If the Regulator determines that the complaint should be dealt with by another body, the Regulator must forthwith refer the complaint to that body to be dealt with accordingly and must notify the complainant of the referral.

Pre-investigation proceedings of Regulator

79. Before proceeding to investigate any matter in terms of this Chapter, the Regulator must, in the prescribed manner, inform—

(a) the complainant, the data subject to whom the investigation relates (if not the complainant) and any person alleged to be aggrieved (if not the complainant), of the Regulator’s intention to conduct the investigation; and

(b) the responsible party to whom the investigation relates of the—

(i) details of the complaint or, as the case may be, the subject matter of the investigation; and

(ii) right of that responsible party to submit to the Regulator, within a reasonable period, a written response in relation to the complaint or, as the case may be, the subject-matter of the investigation.


Settlement of complaints

80. If it appears from a complaint, or any written response made in relation to a complaint under section 79(b)(ii), that it may be possible to secure—

(a) a settlement between any of the parties concerned; and

(b) if appropriate, a satisfactory assurance against the repetition of any action that is the subject matter of the complaint or the doing of further actions of a similar kind by the person concerned,

the Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the prescribed manner, use its best endeavours to secure such a settlement and assurance.

Investigation proceedings of Regulator

81. For the purposes of the investigation of a complaint the Regulator may—

(a) summon and enforce the appearance of persons before the Regulator and compel them to give oral or written evidence on oath and to produce any records and things that the Regulator considers necessary to investigate the complaint, in the same manner and to the same extent as the High Court;

(b) administer oaths;

(c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Regulator sees fit, whether or not it is or would be admissible in a court of law;

(d) at any reasonable time, subject to section 81, enter and search any premises occupied by a responsible party;

(e) conduct a private interview with any person in any premises entered under section 84 subject to section 82; and

(f) otherwise carry out in those premises any inquiries that the Regulator sees fit in terms of section 82.

Issue of warrants

82. (1) A judge of the High Court, a regional magistrate or a magistrate, if satisfied by information on oath supplied by the Regulator that there are reasonable grounds for suspecting that—

(a) a responsible party is interfering with the protection of the personal information of a data subject; or

(b) an offence under this Act has been or is being committed,

and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, that are within the jurisdiction of that judge or magistrate, may, subject to subsection (2), grant a warrant to enter and search such premises.

(2) A warrant issued under subsection (1) authorises any of the Regulator’s members or staff members, subject to section 84, at any time within seven days of the date of the warrant to enter the premises as identified in the warrant, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal information and to inspect and seize any record, other material or equipment found there which may be such evidence as is mentioned in that subsection.

Requirements for issuing of warrant

83. (1) A judge or magistrate must not issue a warrant under section 82 unless satisfied that—

(a) the Regulator has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises;

(b) either—

(i) access was demanded at a reasonable hour and was unreasonably refused; or

(ii) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by any of the Regulator’s members or staff to permit the members or the members of staff to do any of the things referred to in section 82(2); and

(c) that the occupier, has, after the refusal, been notified by the Regulator of the application for the warrant and has had an opportunity of being heard on the question whether the warrant should be issued.


(2) Subsection (1) does not apply if the judge or magistrate is satisfied that the case is one of urgency or that compliance with that subsection would defeat the object of the entry.

(3) A judge or magistrate who issues a warrant under section 82 must also issue two copies of it and certify them clearly as copies.

Execution of warrants

84. (1) A police officer who is assisting a person authorised to conduct an entry and search in terms of a warrant issued under section 82 may overcome resistance to the entry and search by using such force as is reasonably necessary.

(2) A warrant issued under this section must be executed at a reasonable hour unless it appears to the person executing it that there are reasonable grounds for suspecting that the evidence in question would not be found if it were so executed.

(3) If the person who occupies the premises in respect of which a warrant is issued under section 82 is present when the warrant is executed, he or she must be shown the warrant and supplied with a copy of it, and if that person is not present a copy of the warrant must be left in a prominent place on the premises.

(4) A person seizing anything in pursuance of a warrant under section 82 must give a receipt to the occupier or leave the receipt on the premises.

(5) Anything so seized may be retained for as long as is necessary in all circumstances but the person in occupation of the premises in question must be given a copy of any documentation that is seized if he or she so requests and the person executing the warrant considers that it can be done without undue delay.

(6) A person authorised to conduct an entry and search in terms of section 82 must be accompanied and assisted by a police officer.

(7) A person who enters and searches any premises under this section must conduct the entry and search with strict regard for decency and order, and with regard to each person’s right to dignity, freedom, security and privacy.


(8) A person who enters and searches premises under this section must before questioning any person—

(a) advise that person of the right to be assisted at the time by an advocate or attorney; and

(b) allow that person to exercise that right.

(9) No self-incriminating answer given or statement made to a person who conducts a search in terms of a warrant issued under section 82 is admissible as evidence against the person who gave the answer or made the statement in criminal proceedings, except in criminal proceedings for perjury or in which that person is tried for an offence contemplated in section 102 and then only to the extent that the answer or statement is relevant to prove the offence charged.

Matters exempt from search and seizure

85. If the Regulator has granted an exemption in terms of section 37, the information that is processed in terms of that exemption is not subject to search and seizure empowered by a warrant issued under section 82.

Communication between legal adviser and client exempt

86. (1) Subject to the provisions of this section, the powers of search and seizure conferred by a warrant issued under section 82 must not be exercised in respect of—

(a) any communication between a professional legal adviser and his or her client in connection with the giving of legal advice to the client with respect to his or her obligations, liabilities or rights; or

(b) any communication between a professional legal adviser and his or her client, or between such an adviser or his or her client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act, including proceedings before a court, and for the purposes of such proceedings.

(2) Subsection (1) applies also to—

(a) any copy or other record of any such communication as is mentioned therein; and

(b) any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings as are mentioned therein.

Objection to search and seizure

87. If the person in occupation of any premises in respect of which a warrant is issued under this Act objects to the inspection or seizure under the warrant of any material on the ground that it—

(a) contains privileged information and refuses the inspection or removal of such article or document, the person executing the warrant or search must, if he or she is of the opinion that the article or document contains information that has a bearing on the investigation and that such information is necessary for the investigation, request the Registrar of the High Court which has jurisdiction or his or her delegate, to attach and remove that article or document for safe custody until a court of law has made a ruling on the question whether the information concerned is privileged or not; or

(b) consists partly of matters in respect of which those powers are not exercised, he or she must, if the person executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt from those powers.

Return of warrants

88. A warrant issued under section 82 must be returned to the court from which it was issued—

(a) after being executed; or

(b) if not executed within the time authorised for its execution,

and the person who has executed the warrant must make an endorsement on it stating what powers have been exercised by him or her under the warrant.


Assessment

89. (1) The Regulator, on its own initiative, or at the request by or on behalf of the responsible party, data subject or any other person must make an assessment in the prescribed manner of whether an instance of processing of personal information complies with the provisions of this Act.

(2) The Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on request, the Regulator has not been supplied with such information as it may reasonably require in order to—

(a) satisfy itself as to the identity of the person making the request; and

(b) enable it to identify the action in question.

(3) The matters to which the Regulator may have regard in determining whether it is appropriate to make an assessment include—

(a) the extent to which the request appears to it to raise a matter of substance;

(b) any undue delay in making the request; and

(c) whether or not the person making the request is entitled to make an application in terms of section 23 or 24 in respect of the personal information in question.

(4) If the Regulator has received a request under this section it must notify the requester—

(a) whether it has made an assessment as a result of the request; and

(b) to the extent that it considers appropriate, having regard in particular to any exemption which has been granted by the Regulator in terms of section 37 from section 23 or 24 applying in relation to the personal information concerned, of any view formed or action taken as a result of the request.

Information notice

90. (1) If the Regulator—

(a) has received a request under section 89 in respect of any processing of personal information; or

(b) reasonably requires any information for the purpose of determining whether the responsible party has interfered or is interfering with the personal information of a data subject,

the Regulator may serve the responsible party with an information notice requiring the responsible party to furnish the Regulator, within a specified period, in a form specified in the notice, with a report indicating that the processing is taking place in compliance with the provisions of the Act, or with such information relating to the request or to compliance with the Act as is so specified.

(2) An information notice must contain particulars of the right of appeal conferred by section 97, and—

(a) in a case falling within subsection (1)(a), a statement that the Regulator has received a request under section 89 in relation to the specified processing; or

(b) in a case falling within subsection (1)(b), a statement that the Regulator regards the specified information as relevant for the purpose of determining whether the responsible party has complied, or is complying, with the conditions for the lawful processing of personal information and the reasons for regarding it as relevant for that purpose.

(3) Subject to subsection (5), the period specified in an information notice must not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.

(4) If the Regulator considers that the information is required as a matter of urgency, it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.

(5) A notice in terms of subsection (4) may not require the information to be furnished before the end of a period of three days beginning with the day on which the notice is served.

(6) An information notice may not require a responsible party to furnish the Regulator with any communication between a—

(a) professional legal adviser and his or her client in connection with the giving of legal advice on the client’s obligations, liabilities or rights under this Act; or

(b) professional legal adviser and his or her client, or between such an adviser or his or her client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before a court) and for the purposes of such proceedings.

(7) In subsection (6) references to the client of a professional legal adviser include any person representing such a client.

(8) An information notice may not require a responsible party to furnish the Regulator with information that would, by revealing evidence of the commission of any offence other than an offence under this Act, expose the responsible party to criminal proceedings.

(9) The Regulator may cancel an information notice by written notice to the responsible party on whom it was served.

Parties to be informed of result of assessment

91. (1) After completing the assessment referred to in section 89 the Regulator—

(a) must report to the responsible party the results of the assessment and any recommendations that the Regulator considers appropriate; and

(b) may, in appropriate cases, require the responsible party, within a specified time, to inform the Regulator of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken.

(2) The Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so.

(3) A report made by the Regulator under subsection (1) is deemed to be the equivalent of an enforcement notice in terms of section 95.


Matters referred to Enforcement Committee

92. (1) After completing the investigation of a complaint or other matter in terms of this Act, the Regulator may refer such complaint or other matter to the Enforcement Committee for consideration, a finding in respect of the complaint or other matter and a recommendation in respect of the proposed action to be taken by the Regulator as referred to in section 93.

(2) The Regulator may prescribe the procedure to be followed by the Enforcement Committee, including—

(a) the manner in which the responsible party and data subject may make submissions to the Enforcement Committee;

(b) the opportunity afforded to the parties who make submissions to the Enforcement Committee to make use of legal or other representation;

(c) the period within which the Enforcement Committee must make a finding and submit its recommendation to the Regulator in respect of the complaint or other matter; and

(d) the manner in which the Enforcement Committee may finalise urgent matters.

Functions of Enforcement Committee

93. The Enforcement Committee—

(a) must consider all matters referred to it by the Regulator in terms of section 92 or the Promotion of Access to Information Act and make a finding in respect thereof; and

(b) may make any recommendation to the Regulator necessary or incidental to any action that should be taken against—

(i) a responsible party in terms of this Act; or

(ii) an information officer or head of a private body, as the case may be, in terms of the Promotion of Access to Information Act.

Parties to be informed of developments during and result of investigation

94. If an investigation is made following a complaint, and—

(a) the Regulator believes that no interference with the protection of the personal information of a data subject has taken place and therefore does not serve an enforcement notice;

(b) the Regulator has referred the complaint to the Enforcement Committee for consideration in terms of section 92;

(c) an enforcement notice is served in terms of section 95;

(d) a served enforcement notice is cancelled in terms of section 96;

(e) an appeal is lodged against the enforcement notice for cancellation or variation of the notice in terms of section 97; or

(f) an appeal against an enforcement notice is allowed, the notice is substituted or the appeal is dismissed in terms of section 98,

the Regulator must inform the complainant and the responsible party, as soon as reasonably practicable, in the manner prescribed of any development mentioned in paragraphs (a) to (f) and the result of the investigation.

Enforcement notice

95. (1) If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 93, is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject as referred to in section 73, the Regulator may serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:

(a) To take specified steps within a period specified in the notice, or to refrain from taking such steps; or

(b) to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice.

(2) An enforcement notice must contain—

(a) a statement indicating the nature of the interference with the protection of the personal information of the data subject and the reasons for reaching that conclusion; and

(b) particulars of the rights of appeal conferred by section 97.


(3) Subject to subsection (4), an enforcement notice may not require any of the provisions of the notice to be complied with before the end of the period within which an appeal may be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.

(4) If the Regulator considers that an enforcement notice should be complied with as a matter of urgency it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.

(5) A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the end of a period of three days beginning with the day on which the notice is served.

Cancellation of enforcement notice

96. (1) A responsible party on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal may be brought against that notice, apply in writing to the Regulator for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the conditions for the lawful processing of personal information.

(2) If the Regulator considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with a condition for the lawful processing of personal information or conditions to which it relates, it may cancel or vary the notice by written notice to the responsible party on whom it was served.

Right of appeal

97. (1) A responsible party on whom an information or enforcement notice has been served may, within 30 days of receiving the notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.


(2) A complainant, who has been informed of the result of the investigation in terms of section 77(3) or 96, may, within 180 days of receiving the result, appeal to the High Court having jurisdiction against the result.

Consideration of appeal

98. (1) If in an appeal under section 97 the court considers—

(a) that the notice or decision against which the appeal is brought is not in accordance with the law; or

(b) that the notice or decision involved an exercise of discretion by the Regulator that ought to have been exercised differently,

the court must allow the appeal and may set aside the notice or substitute such other notice or decision as should have been served or made by the Regulator.

(2) In such an appeal, the court may review any determination of fact on which the notice in question was based.

Civil remedies

99. (1) A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.

(2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:

(a) Vis major;

(b) consent of the plaintiff;

(c) fault on the part of the plaintiff;

(d) compliance was not reasonably practicable in the circumstances of the particular case; or

(e) the Regulator has granted an exemption in terms of section 37.

(3) A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including—

(a) payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of this Act;

(b) aggravated damages, in a sum determined in the discretion of the Court;

(c) interest; and

(d) costs of suit on such scale as may be determined by the Court.

(4) Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:

(a) The full amount must be deposited into a specifically designated trust account established by the Regulator with an appropriate financial institution;

(b) as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made to the data subject in terms of subsection (5); and

(c) the balance, if any (in this section referred to as the “distributable balance”), must be distributed by the Regulator to the data subject at whose request the proceedings were brought.

(5) Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection (4), accrue to the Regulator in the Regulator’s official capacity.

(6) The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).

(7) A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate public media announcement as the Court considers appropriate.

(8) Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or compromise must be made an order of Court.

(9) If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such other public media announcement as the Court considers appropriate.


CHAPTER 11

OFFENCES, PENALTIES AND ADMINISTRATIVE FINES


Obstruction of Regulator

100. Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the direction of the Regulator in the performance of the Regulator’s duties and functions under this Act, is guilty of an offence.

Breach of confidentiality

101. Any person who contravenes the provisions of section 54, is guilty of an offence.

Obstruction of execution of warrant

102. Any person who—
(a) intentionally obstructs a person in the execution of a warrant issued under section 82; or
(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he or she may reasonably require for the execution of the warrant,
is guilty of an offence.

Failure to comply with enforcement or information notices

103. (1) A responsible party which fails to comply with an enforcement notice served in terms of section 95, is guilty of an offence.

(2) A responsible party which, in purported compliance with an information notice served in terms of section 90—
(a) makes a statement knowing it to be false; or
(b) recklessly makes a statement which is false, in a material respect,
is guilty of an offence.

Offences by witnesses

104. (1) Any person summoned in terms of section 81 to attend and give evidence or to produce any book, document or object before the Regulator who, without sufficient cause fails—
(a) to attend at the time and place specified in the summons;
(b) to remain in attendance until conclusion of the proceedings or until he or she is excused by the Chairperson of the Regulator from further attendance;
(c) having attended, refuses to be sworn or to make an affirmation as witness after he or she has been required by the Chairperson of the Regulator to do so;
(d) having been sworn or having made an affirmation, to answer fully and satisfactorily any question lawfully put to him or her; or
(e) to produce any book, document or object in his or her possession or custody or under his or her control, which he or she has been summoned to produce,
is guilty of an offence.

(2) Any person who after having been sworn or having made an affirmation, gives false evidence before the Regulator on any matter, knowing such evidence to be false or not knowing or believing it to be true, is guilty of an offence.

Unlawful acts by responsible party in connection with account number

105. (1) A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence.

(2) The contravention referred to in subsection (1) must—
(a) be of a serious or persistent nature; and
(b) likely cause substantial damage or distress to the data subject.

(3) The responsible party must—
(a) have known or ought to have known that—
(i) there was a risk that the contravention would occur; or
(ii) such contravention would likely cause substantial damage or distress to the data subject; and
(b) have failed to take reasonable steps to prevent the contravention.

(4) Whenever a responsible party is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that he or she has taken all reasonable steps to comply with the provisions of section 8.

(5) ‘‘Account number’’, for purposes of this section and section 106, means any unique identifier that has been assigned—
(a) to one data subject only; or
(b) jointly to more than one data subject,
by a financial or other institution which enables the data subject, referred to in paragraph (a), to access his, her or its own funds or to access credit facilities or which enables a data subject, referred to in paragraph (b), to access joint funds or to access joint credit facilities.

Unlawful acts by third parties in connection with account number

106. (1) A person who knowingly or recklessly, without the consent of the responsible party—
(a) obtains or discloses an account number of a data subject; or
(b) procures the disclosure of an account number of a data subject to another person,
is, subject to subsection (2), guilty of an offence.

(2) Whenever a person is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that—
(a) the obtaining, disclosure or procuring of the account number was—
(i) necessary for the purpose of the prevention, detection, investigation or proof of an offence; or
(ii) required or authorised in terms of the law or in terms of a court order;
(b) he or she acted in the reasonable belief that he or she was legally entitled to obtain or disclose the account number or, as the case may be, to procure the disclosure of the account number to the other person;
(c) he or she acted in the reasonable belief that he or she would have had the consent of the responsible party if the responsible party had known of the obtaining, disclosing or procuring and the circumstances of it; or
(d) in the particular circumstances the obtaining, disclosing or procuring was in the public interest.

(3) A person who sells an account number which he or she has obtained in contravention of subsection (1), is guilty of an offence.

(4) A person who offers to sell the account number of a data subject which that person—
(a) has obtained; or
(b) subsequently obtained,
in contravention of subsection (1), is guilty of an offence.

(5) For the purposes of subsection (4), an advertisement indicating that an account number of a data subject is or may be for sale is an offer to sell the information.

Penalties

107. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—
(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or
(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.

Magistrate’s Court jurisdiction to impose penalties

108. Despite anything to the contrary contained in any other law, a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107.

Administrative fines

109. (1) If a responsible party is alleged to have committed an offence in terms of this Act, the Regulator may cause to be delivered by hand to that person (hereinafter referred to as the infringer) an infringement notice which must contain the particulars contemplated in subsection (2).

(2) A notice referred to in subsection (1) must—
(a) specify the name and address of the infringer;
(b) specify the particulars of the alleged offence;
(c) specify the amount of the administrative fine payable, which amount may, subject to subsection (10), not exceed R10 million;
(d) inform the infringer that, not later than 30 days after the date of service of the infringement notice, the infringer may—
(i) pay the administrative fine;
(ii) make arrangements with the Regulator to pay the administrative fine in instalments; or
(iii) elect to be tried in court on a charge of having committed the alleged offence referred to in terms of this Act; and
(e) state that a failure to comply with the requirements of the notice within the time permitted, will result in the administrative fine becoming recoverable as contemplated in subsection (5).

(3) When determining an appropriate fine, the Regulator must consider the following factors:
(a) The nature of the personal information involved;
(b) the duration and extent of the contravention;
(c) the number of data subjects affected or potentially affected by the contravention;
(d) whether or not the contravention raises an issue of public importance;
(e) the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;
(f) whether the responsible party or a third party could have prevented the contravention from occurring;
(g) any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and
(h) whether the responsible party has previously committed an offence in terms of this Act.

(4) If an infringer elects to be tried in court on a charge of having committed the alleged offence in terms of this Act, the Regulator must hand the matter over to the South African Police Service and inform the infringer accordingly.

(5) If an infringer fails to comply with the requirements of a notice, the Regulator may file with the clerk or registrar of any competent court a statement certified by it as correct, setting forth the amount of the administrative fine payable by the infringer, and such statement thereupon has all the effects of a civil judgment lawfully given in that court in favour of the Regulator for a liquid debt in the amount specified in the statement.

(6) The Regulator may not impose an administrative fine contemplated in this section if the responsible party concerned has been charged with an offence in terms of this Act in respect of the same set of facts.

(7) No prosecution may be instituted against a responsible party if the responsible party concerned has paid an administrative fine in terms of this section in respect of the same set of facts.

(8) An administrative fine imposed in terms of this section does not constitute a previous conviction as contemplated in Chapter 27 of the Criminal Procedure Act, 1977 (Act No. 51 of 1977).

(9) A fine payable in terms of this section must be paid into the National Revenue Fund referred to in section 213 of the Constitution.

(10) The Minister may, from time to time and after consultation with the Regulator, by notice in the Gazette, adjust the amount referred to in subsection (2)(c) in accordance with the average of the consumer price index, as published from time to time in the Gazette, for the immediately preceding period of 12 months multiplied by the number of years that the amount referred to in subsection (2)(c) has remained the same.


CHAPTER 12

GENERAL PROVISIONS


Amendment of laws

110. The laws mentioned in the Schedule are amended to the extent indicated in the third column of the Schedule.

Fees

111. (1) The Minister may, subject to section 113 and after consultation with the Regulator, prescribe fees to be paid by data subjects—
(a) to responsible parties as referred to in section 23(1)(b)(ii); and
(b) to the Regulator as referred to in section 63(3).

(2) Different fees may be prescribed in respect of different categories of responsible parties and data subjects referred to in subsection (1)(a) and (b), respectively.

Regulations

112. (1) The Minister may, subject to section 113, make regulations relating to—
(a) the establishment of the Regulator; and
(b) fees referred to in section 111(1).

(2) The Regulator may, subject to section 113, make regulations relating to—
(a) the manner in terms of which a data subject may object to the processing of personal information as referred to in section 11(3);
(b) the manner in which a data subject may submit a request to a responsible party as referred to in section 24(1);
(c) the processing of health information by certain responsible parties as referred to in section 32(6);
(d) the responsibilities of information officers as referred to in section 55(1)(e);
(e) the form in terms of which an application for a code of conduct must be submitted to the Regulator as referred to in section 61(1)(b);
(f) the manner and form within which the data subject’s consent must be requested as referred to in section 69(2)
(g) the manner and form in terms of which a complaint must be submitted in terms of section 74;
(h) the Regulator acting as conciliator in relation to any interference with the protection of personal information as referred to in section 76(1)(b);
(i) the notification of the parties concerned of an investigation to be conducted as referred to in section 79;
(j) the settlement of complaints as referred to in section 80;
(k) the manner in which an assessment of the processing of personal information will be made as referred to in section 89(1);
(l) the manner in terms of which the parties concerned must be informed of the developments during and result of an investigation as referred to in section 94; and
(m) matters incidental to the imposition of administrative fines as referred to in section 109.

Procedure for making regulations

113. (1) The Minister, before making or amending any regulations referred to in section 112(1), must publish a notice in the Gazette—
(a) setting out that draft regulations have been developed;
(b) specifying where a copy of the draft regulations may be obtained; and
(c) inviting written comments to be submitted on the proposed regulations within a specified period.

(2) After complying with subsection (1) and after consultation with the Regulator in respect of the draft regulations referred to in section 112, the Minister may—
(a) amend the draft regulations; and
(b) subject to subsection (5), publish the regulations in final form in the Gazette.

(3) The Regulator, before making or amending any regulations referred to in section 112(2), must publish a notice in the Gazette—
(a) setting out that draft regulations have been developed;
(b) specifying where a copy of the draft regulations may be obtained; and
(c) inviting written comments to be submitted on the proposed regulations within a specified period.

(4) After complying with subsection (3), the Regulator may—
(a) amend the draft regulations; and
(b) subject to subsection (5), publish the regulations in final form in the Gazette.

(5) (a) The Minister or the Regulator, as the case may be, must, within days before publication of the regulations in the Gazette, as referred to in subsection (2)(b) or (4)(b), table them in Parliament.
(b) Subsection (1) or (3) does not apply in respect of any amendment of the regulations as a result of the process referred to in paragraph (a).

Transitional arrangements

114. (1) All processing of personal information must within one year after the commencement of this section be made to conform to this Act.

(2) The period of one year referred to in subsection (1) may be extended by the Minister, on request or of his or her own accord and after consultation with the Regulator, by notice in the Gazette in respect of different class or classes of information and bodies by an additional period which period may not exceed three years.

(3) Section 58(2) does not apply to processing referred to in section 57, which is taking place on the date of commencement of this Act, until the Regulator determines otherwise by notice in Gazette.

(4) The South African Human Rights Commission must, in consultation with the Information Regulator, finalise or conclude its functions referred to in sections 83 and 84 of the Promotion of Access to Information Act, as soon as reasonably possible after the amendment of those sections in terms of this Act.


Short title and commencement

115. (1) This Act is called the Protection of Personal Information Act, 2013, and commences on a date determined by the President by proclamation in the Gazette.

(2) Different dates of commencement may be determined in respect of different provisions of this Act or in respect of different class or classes of information and bodies.


SCHEDULE

LAWS AMENDED BY SECTION 110


No. and year of law Short title Extent of repeal or amendment

Act 23 of 1994 Public Protector Act, 1994

1. The amendment of section 6 by the—

(a) substitution for paragraph (b) of subsection (4) of the following paragraph:

‘‘(b) to endeavour, in his or her sole discretion, to resolve any dispute or rectify any act or omission by—
(i) mediation, conciliation or negotiation;
(ii) advising, where necessary, any complainant regarding appropriate remedies; or
(iii) any other means that may be expedient in the circumstances; and’’;

(b) substitution for paragraph (c) of subsection (4) of the following paragraph:

‘‘(c) at a time prior to, during or after an investigation—
(i) if he or she is of the opinion that the facts disclose the commission of an offence by any person, to bring the matter to the notice of the relevant authority; and charged with prosecutions; or


(ii) if he or she deems it advisable, to refer any matter which has a bearing on an investigation, to the appropriate public body or authority; and affected by it or to make an appropriate recommendation regarding the redress of the prejudice resulting therefrom or make any other appropriate recommendation he or she deems expedient to the affected public body or authority[; and].’’; and

(c) deletion of paragraph (d) of subsection (4).


Act 2 of 2000 Promotion of Access to Information Act, 2000

1. The amendment of section 1 by the—

(a) insertion, after the definition of ‘‘application’’ of the following definition:

‘‘ ‘biometrics’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;’’;

(b) omission of the definition of ‘‘Human Rights Commission’’;

(c) substitution for the definition of ‘‘personal information’’ of the following definition:

‘‘ ‘personal information’ means information relating to an identifiable natural person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,

but excludes information about an individual who has been dead for more than 20 years;’’;

(d) omission of the definition of ‘‘personal requester’’; and

(e) insertion after the definition of ‘‘record’’ of the following definition:

‘‘ ‘Information Regulator’ means the Information Regulator established in terms of section 39 of the Protection of Personal Information Act, 2013;’’.


2. The amendment of section 10 by the substitution of the following section:

‘‘10. (1) The [Human Rights Commission] Information Regulator must [, within three years after the commencement of this section, compile in each official language a] update and make available the existing guide that has been compiled by the South African Human Rights Commission containing such information, in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in this Act and the Protection of Personal Information Act, 2013.

(2) The guide must, without limiting the generality of subsection (1), include a description of—

(a) the objects of this Act and the Protection of Personal Information Act, 2013;

[(b) the postal and street address, phone and fax number and, if available, electronic mail address of—

(i) the information officer of every public body; and


(ii) every deputy information officer of every public body designated in terms of section 17(1);

(c) such particulars of every private body as are practicable;

(d)](b) the manner and form of a request for—

(i) access to a record of a public body contemplated in section 11; and

(ii) access to a record of a private body contemplated in section 50;

[(e)](c) the assistance available from the information officer of a public body in terms of this Act and the Protection of Personal Information Act, 2013;

[(f)](d) the assistance available from the [Human Rights Commission] Information Regulator in terms of this Act and the Protection of Personal Information Act, 2013;

[(g)](e) all remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by this Act and the Protection of Personal Information Act, 2013, including the manner of lodging—

(i) an internal appeal; [and]


(ii) a complaint to the Information Regulator; and

(iii) an application with a court against a decision by the information officer of a public body, a decision on internal appeal, a decision by the Information Regulator or a decision of the head of a private body;

[(h)](f) the provisions of sections 14 and 51 requiring a public body and private body, respectively, to compile a manual, and how to obtain access to a manual;

[(i)](g) the provisions of sections 15 and 52 providing for the voluntary disclosure of categories of records by a public body and private body, respectively;

[(j)](h) the notices issued in terms of sections 22 and 54 regarding fees to be paid in relation to requests for access; and

[(k)](i) the regulations made in terms of section 92.

(3) The [Human Rights Commission] Information Regulator must, if necessary, update and publish the guide at intervals of not more than two years.

(4) The guide must be made available as prescribed.’’.


3. The amendment of section 11 by the substitution for subsection (2) of the following subsection:

‘‘(2) A request contemplated in subsection (1) [includes] excludes a request for access to a record containing personal information about the requester.’’.

4. The amendment of section 14 by the—

(a) substitution for subsection (1) for the following subsection:

‘‘(1) [Within six months after the commencement of this section or the coming into existence of a public body, the] The information officer of [the] a public body [concerned] must [compile] in at least three official languages make available, as referred to in subsection (3), a manual containing—

(a) in general

(i) a description of its structure and functions;

[(b)](ii) the postal and street address, phone and fax number and, if available, electronic mail address of the information officer of the body and of every deputy information officer of the body designated in terms of section 17(1);


(iii) a description of all remedies available in respect of an act or a failure to act by the body; and

(iv) such other information as may be prescribed;

(b) insofar as this Act is concerned—

(i) a description of the guide referred to in section 10, if available, and how to obtain access to it;

[(d)](ii) sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject;

[(e)](iii) the latest notice, in terms of section 15(2), if any, regarding the categories of records of the body which are available without a person having to request access in terms of this Act;

[(f)](iv) a description of the services available to members of the public from the body and how to gain access to those services; and

[(g)](v) a description of any arrangement or provision for a person (other than a public body referred to in paragraph (a) or (b)(i) of the definition of

representations or otherwise, to participate in or influence—

[(i)](aa) the formulation of policy; or

[(ii)](bb) the exercise of powers or performance of duties,

by the body;

(c) insofar as the Protection of Personal Information Act, 2013, is concerned—

(i) the purpose of the processing;

(ii) a description of the categories of data subjects and of the information or categories of information relating thereto;

(iii) the recipients or categories of recipients to whom the personal information may be supplied;

(iv) planned transborder flows of personal information; and

(v) a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.

[(h) a description of all remedies available in respect of an act or a failure to act by the body; and


(i) such other information as may be prescribed.]’’; and

(b) by the substitution for subsection (3) of the following subsection:

‘‘(3) [Each manual must be made available as prescribed] The manual referred to in subsection (1), or the updated version thereof as referred to in subsection (2) must be made available—

(a) on the web site, if any, of the public body;

(b) at the head office of the public body for public inspection during normal business hours;

(c) to any person upon request and upon the payment of a reasonable amount; and

(d) to the Information Regulator upon request.’’.

5. The amendment of section 15 by the—

(a) substitution for the words preceding paragraph (a) of subsection (1) of the following words:

‘‘(1) The information officer of a public body, referred to in paragraph (a) or (b)(i) of the definition of ‘public body’ in section 1, must [, on a periodic basis not less frequently than once a year, submit to the Minister] make available in the prescribed manner a description of—’’;

(b) deletion of subsection (2); and

(c) substitution of subsection (3) of the following subsection:

‘‘(3) The only fee payable (if any) for access to a record [included in a notice in terms of subsection (2)] referred to in subsection (1) is a prescribed fee for reproduction.’’

6. The amendment of section 21 by the substitution of paragraphs (a) and (b) of the following paragraphs:

‘‘(a) the periods for lodging an internal appeal, a complaint to the Information Regulator, an application with a court or an appeal against a decision of that court have expired; or

(b) that internal appeal, complaint to the Information Regulator, application or appeal against a decision of that court or other legal proceedings in connection with the request has been finally determined,’’.

7. The amendment of section 22 by the substitution for—

(a) subsection (1) of the following subsection:


‘‘(1) The information officer of a public body to whom a request for access is made, must by notice require the requester[, other than a personal requester,] to pay the prescribed request fee (if any), before further processing the request.’’;

(b) subsection (2) of the following subsection:

‘‘(2) If—

(a) the search for a record of a public body in respect of which a request for access by a requester[, other than a personal requester,] has been made; and

(b) the preparation of the record for disclosure (including any arrangements contemplated in section 29(2)(a) and (b)(i) and (ii)(aa)), would, in the opinion of the information officer of the body, require more than the hours prescribed for this purpose for requesters, the information officer must by notice require the requester[, other than a personal requester,] to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable if the request is granted.’’; and

(c) for subsection (3) of the following subsection:

‘‘(3) The notice referred to in subsection (1) or (2) must state—

(a) the amount of the deposit payable in terms of subsection (2), if applicable;

(b) that the requester may lodge an internal appeal, a complaint to the Information Regulator or an application with a court, as the case may be, against the tender or payment of the request fee in terms of subsection (1), or the tender or payment of a deposit in terms of subsection (2), as the case may be; and

(c) the procedure (including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may.’’.

8. The amendment of section 25 by the—

(a) substitution for paragraph (c) of subsection (2) of the following paragraph:

‘‘(c) that the requester may lodge an internal appeal, a complaint to the Information Regulator or an application with a court, as the case may be, against the access fee to be paid or the form of access granted, and the procedure

(including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be.’’; and

(b) substitution for paragraph (c) of subsection (3) of the following paragraph:

‘‘(c) state that the requester may lodge an internal appeal, complaint to the Information Regulator or an application with a court, as the case may be, against the refusal of the request, and the procedure (including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be.’’.

9. The amendment of section 26 by the substitution for paragraph (c) of subsection (3) of the following paragraph:

‘‘(c) that the requester may lodge an internal appeal, complaint to the Information Regulator or an application with a court, as the case may be, against the extension, and the procedure (including the period) for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be.’’.

10. The amendment of section 29 by the substitution of subsection (9) for the following subsection:

‘‘(9) If an internal appeal, complaint to the Information Regulator or an application to a court, as the case may be, is lodged against the granting of a request for access to a record, access to the record may be given only when the decision to grant the request is finally confirmed.’’

11. The amendment of section 49 by the—

(a) substitution of paragraphs (b) and (c) of subsection (3) for the following paragraphs:

‘‘(b) that the third party may lodge an internal appeal, complaint to the Information Regulator or an application, as the case may be, against the decision within 30 days after notice is given, and the procedure for lodging the internal appeal, complaint to the Information Regulator or application, as the case may be; and

(c) that the requester will be given access to the record after the expiry of the applicable period contemplated in paragraph (b), unless such internal appeal, complaint to the Information Regulator or application with a

court is lodged within that period.’’; and

‘‘(4) If the information officer of a public body decides in terms of subsection (1) to grant the request for access concerned, he or she must give the requester access to the record concerned after the expiry of 30 days after notice is given in terms of subsection (1)(b), unless an internal appeal, complaint to the Information Regulator or an application with a court, as the case may be, is lodged against the decision within that period.’’.

12. The amendment of section 51 by—

(a) by the substitution of subsection (1) for the following subsection:

‘(1) [Within six months after the commencement of this section or the coming into existence of the private body concerned, the] The head of a private body must [compile] make a manual available in terms of subsection (3) containing—

(a) in general—

(i) the postal and street address, phone and fax number and, if available, electronic mail address of the head of the body; and

(ii) such other information as may be prescribed;

(b) insofar as this Act is concerned—

[(b)](i) a description of the guide referred to in section 10, if available, and how to obtain access to it;

[(c)](ii) the latest notice in terms of section 52(2), if any, regarding the categories of record of the body which are available without a person having to request access in terms of this Act;

[(d)](iii) a description of the records of the body which are available in accordance with any other legislation; and

[(e)](iv) sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject; [and]

(c) insofar as the Protection of Personal Information Act, 2013, is concerned—

(i) the purpose of the processing;

(ii) a description of the categories of data subjects and of the information or categories of information relating thereto;

(iii) the recipients or categories of recipients to whom the personal information may be supplied;

(iv) planned transborder flows of personal information; and

(v) a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.’’.

[(f) in general such other information as may be prescribed.]’’; and

(b) by the substitution for subsection (3) of the following subsection:

‘(3) [Each manual must be made available as prescribed] The manual referred to in subsection (1), or the updated version thereof as referred to in subsection (2) must be made available—

(a) on the web site, if any, of the private body;

(b) at the principal place of business of the private body for public inspection during normal business hours;

(c) to any person upon request and upon the payment of a reasonable amount; and

(d) to the Information Regulator upon request.’’.

13. The amendment of section 52 by the—

(a) substitution for the words preceding paragraph (a) of subsection (1) of the following words:

‘‘(1) The head of a private body may, on a voluntary [and periodic] basis, [submit to the Minister] make available in the prescribed manner a description of—’’;

(b) deletion of subsection (2); and

(c) substitution of subsection (3) of the following subsection:

‘‘(3) The only fee (if any) for access to a record [included in a notice in terms of subsection (2)] referred to in subsection (1) is a prescribed fee for reproduction.’’.

14. The amendment of section 54 by the substitution for—

(a) subsection (1) of the following subsection:

‘‘(1) The head of a private body to whom a request for access is made must by notice require the requester[, other than a personal requester,] to pay the prescribed request fee (if any), before further processing the request.’’;

(b) subsection (2) of the following subsection:

‘‘(2) If—

(a) the search for a record of a private body in respect of which a request for access by a requester[, other than a personal requester,] has been made; and

(b) the preparation of the record for disclosure (including any arrangements contemplated in section 29(2)(a) and (b)(i) and (ii)(aa)), would, in the opinion of the head of the private body concerned, require more than the hours prescribed for this purpose for requesters, the head must by notice require the requester[, other than a personal requester,] to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable if the request is granted.’’; and

(c) paragraphs (b) and (c) of subsection (3) of the following paragraphs:

‘‘(b) that the requester may lodge a complaint to the Information Regulator or an application with a court against the tender or payment of the request fee in terms of subsection (1), or the tender or payment of a deposit in terms of subsection (2), as the case may be; and

(c) the procedure (including the period) for lodging the complaint to the Information Regulator or the application.’’.

15. The amendment of section 56 by the—

(a) substitution for paragraph (c) of subsection (2) of the following paragraph between:

‘‘(c) that the requester may lodge a complaint to the Information Regulator or an application with a court against the access fee to be paid or the form of access granted, and the procedure, including the period allowed, for lodging a complaint to the Information Regulator or the application.’’; and

(b) substitution for paragraph (c) of subsection (3) of the following paragraph:

‘‘(c) state that the requester may lodge a complaint to the Information Regulator an application with a court against the refusal of the request, and the procedure (including the period) for lodging a complaint to the Information Regulator or the application.’’.

16. The amendment of section 57 by the substitution for paragraph (c) of subsection (3) of the following paragraph:

‘‘(c) that the requester may lodge a complaint to the Information Regulator or an application with a court against the extension, and the procedure (including the period) for lodging the application.’’.

17. The amendment of section 73 by the—

(a) substitution for paragraphs (b) and (c) of subsection (3) of the following paragraphs:

‘‘(b) that the third party may lodge a complaint to the Information Regulator or an application with a court against the decision of the head within 30 days after notice is given, and the procedure for lodging the complaint to the Information Regulator or the application; and

(c) that the requester will be given access to the record after the expiry of the applicable period contemplated in paragraph (b), unless a complaint to the Information Regulator or an application with a court is lodged within that period.’’; and

(b) substitution of subsection (4) of the following subsection:

‘‘(4) If the head of the private body decides in terms of subsection (1) to grant the request for access concerned, he or she must give the requester access to the record concerned after the expiry of 30 days after notice is given in terms of subsection (1)(b), unless a complaint to the Information Regulator or an application with a court is lodged against the decision within that period.’’.

18. The amendment of Chapter 1 of Part 4 by the insertion after section 77 of the following sections:

‘‘CHAPTER 1A

COMPLAINTS TO REGULATOR

Complaints

77A. (1) A requester or third party referred to in section 74 may only submit a complaint to the Information Regulator in terms of this section after that requester or third party has exhausted the internal appeal procedure against a decision of the information officer of a public body provided for in section 74.

(2) A requester—

(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;

(b) aggrieved by a decision of the relevant authority of a public body to disallow the late lodging of an internal appeal in terms of section 75(2);

(c) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1—

(3) A third party—

(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;

(b) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1 to grant a request for access; or

(c) aggrieved by a decision of the head of a private body in relation to a request for access to a record of that body,

may within 180 days of the decision, submit a complaint, alleging that the decision was not in compliance with this Act, to the Information Regulator in the prescribed manner and form for appropriate relief.

Modes of complaints to Regulator

77B. (1) A complaint to the Information Regulator must be made in writing.

(2) The Information Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Information Regulator, to put the complaint in writing.

Action on receipt of complaint

77C. (1) The Information Regulator, after receipt of a complaint made in terms of section 77A, must—

(a) investigate the complaint in the prescribed manner;

(b) refer the complaint to the Enforcement Committee established in terms of section 50 of the Protection of Personal Information Act, 2013; or

(c) decide, in accordance with section 77D, to take no action on the complaint or, as the case may be, require no further action in respect of the complaint.

(2) During the investigation the Information Regulator may—

(a) act, where appropriate, as conciliator in relation to such complaint in the prescribed manner; or

(b) take such further action as is contemplated by this Chapter.

(3) The Information Regulator must, as soon as is reasonably practicable, after receipt of a complaint, advise the complainant and the information officer or head of a private body, as the case may be, to whom the complaint relates of the course of action that the Information Regulator proposes to adopt under subsection (1).

77D. (1) The Information Regulator, after investigating a complaint received in terms of section 77A, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Information Regulator’s opinion—

(a) the complaint has not been submitted within the period referred to in section 77A(2) and there are no reasonable grounds to condone the late submission;

(b) the complaint is frivolous or vexatious or is not made in good faith; or

(c) it appears to the Information Regulator that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate.

(2) In any case where the Information Regulator decides to take no action, or no further action, on a complaint, the Information Regulator must inform the complainant of that decision and the reasons for it.

Pre-investigation proceedings of Regulator

77E. Before proceeding to investigate any matter in terms of this Chapter, the Information Regulator must, in the prescribed manner, inform—

(a) the complainant of the Information Regulator’s intention to conduct the investigation; and

(b) the information officer of the public body or the head of the private body, as the case may be, to whom the complaint relates of the—

(i) details of the complaint; and

(ii) right of the information officer or the head to submit to the Information Regulator, within

a reasonable period, a written response in relation to the complaint.

Settlement of complaints

77F. If it appears from a complaint, or any written response made in relation to a complaint under section 77E(b)(ii), that it may be possible to secure a settlement between the parties concerned, the Information Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the prescribed manner, use its best endeavours to secure such a settlement.

Investigation proceedings of Regulator

77G. (1) For the purposes of the investigation of a complaint the Information Regulator has powers similar to those of the High Court in terms of section 80 relating to the disclosure of records to it and non-disclosure of records by it.

(2) Section 81 of the Protection of Personal Information Act, 2013, applies to the investigation of complaints in terms of this Chapter.

Assessment

77H. (1) The Information Regulator, on its own initiative, or at the request by or on behalf of an information officer or head of a private body or any other person may make an assessment in the manner prescribed of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.

(2) The Information Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on request, the Information Regulator has not been supplied with such information as it may reasonably require in order to—

(a) satisfy itself as to the identity of the person making the request; and

(b) enable it to identify the private or public body concerned.

(3) The matters to which the Information Regulator may have regard in determining whether it is appropriate to make an assessment include—

(a) the extent to which the request appears to it to raise a matter of substance;

(b) determining that the request is not frivolous or vexatious; and

(c) whether or not the person making the request is entitled to make an application in terms of this Act in respect of the information in question.

(4) If the Information Regulator has received a request under this section it must notify the person referred to in subsection (1)—

(a) whether it has made an assessment as a result of the request; and

(b) of any view formed or action taken as a result of the request.

Information Notice

77I. (1) For the purposes of the investigation of a complaint the Information Regulator may serve the information officer or head of a private body with an information notice requiring said party to furnish the Information Regulator, within a specified period, in a form specified in the notice, with the information specified in the notice.

(2) An information notice in terms of subsection (1) must be accompanied by—

(a) reasons for the issuing of the notice; and

(b) particulars of the right to appeal conferred by section 78(4).

(3) Section 90(3) to (9) of the Protection of Personal Information Act, 2013, applies to the serving of an information notice in terms of this Chapter.

(4) A copy of the notice referred to in subsection (1) that has been certified by the Information Regulator is, for purposes of the application referred to in section 78, conclusive proof of the contents of the enforcement notice that has been served by the Regulator.

Non-compliance with Enforcement Notice

77K. An information officer of a public body or head of a private body who refuses to comply with an enforcement notice referred to in section 77J, is guilty of an offence and liable upon conviction to fine or to imprisonment for a period not exceeding three years or to both such a fine and such imprisonment.’’.

19. The amendment of section 78 by the substitution for the following section:

‘‘Applications regarding decisions of information officers or relevant authorities of public bodies or heads of private bodies or Regulator

78. (1) A requester or third party [referred to in section 74] may only apply to a court for appropriate relief in terms of section 82 [after that requester or third party has exhausted the internal appeal procedure against a decision of the information officer of a public body provided for in section 74] in the following circumstances:

(a) After that requester or third party has exhausted the internal appeal procedure referred to in section 74; or

(b) after that requester or third party has exhausted the complaints procedure referred to in section 77A.

(2) A requester—

(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;

(b) aggrieved by a decision of the relevant authority of a public body to disallow the late lodging of an internal appeal in terms of section 75(2);

(c) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1—

(i) to refuse a request for access; or

(ii) taken in terms of section 22, 26(1) or 29(3); [or]

(e) that is aggrieved by any decision of the Information Regulator, may, by way of an application, within [30] 180 days apply to a court for appropriate relief in terms of section 82.

(3) A third party—

(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;

(b) aggrieved by a decision of the information officer of a public body referred to in paragraph (b) of the definition of ‘public body’ in section 1 to grant a request for access; [or]

(c) aggrieved by a decision of the head of a private body in relation to a request for access to a record of that body[,]; or

(d) that is aggrieved by any decision of the Information Regulator, may, by way of an application, within [30] 180 days apply to a court for appropriate relief in terms of section 82.

(4) An information officer or relevant authority of a public body or the head of a private

body, as the case may be, aggrieved by a decision of the Information Regulator in terms of section 77E(2)(b) or (c) may, by way of an application, within 180 days apply to a court for appropriate relief in terms of section 82.’’.

20. The amendment of the heading of Part 5 by substituting the words ‘‘Human Rights Commission’’ with the words ‘‘Information Regulator’’.

21. The amendment of sections 32, 83, 84 and 85 by substituting the words ‘‘Human Rights Commission’’ wherever they occur, with the words ‘‘Information Regulator’’.

22. The repeal of section 88.

23. The amendment of the long title for the following long title:

‘‘To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; to provide that the Information Regulator, established in terms of the Protection of Personal Information Act, 2013, must exercise certain powers and perform certain duties and functions in terms of this Act; and to provide for matters connected therewith.’’

Act 25 of 2002 Electronic Communications and Transactions Act, 2002

1. The amendment of section 1 by the substitution for the definition of ‘‘personal information’’ of the following definition:

‘‘ ‘personal information’ means information relating to an identifiable natural person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or

further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,

but excludes information about an individual who has been dead for more than 20 years;’’.

2. The repeal of sections 45, 50 and 51.

Act 34 of 2005 National Credit Act, 2005

1. The amendment of section 1 by the substitution of the definition of ‘‘prohibited conduct’’ with the following definition:

‘‘ ‘prohibited conduct’ means any act or omission in contravention of the Act, other than an act or omission as contemplated in section 55(2)(b) or that constitutes an offence under this Act, by—

(a) an unregistered person who is required to be registered to engage in such an act; or

(b) a credit provider, credit bureau or debt counselor;’’.

2. The amendment of section 55 by the substitution for subsection (2) of the following subsection:

‘‘(2)(a) Before issuing a notice in terms of subsection (1)(a) to a regulated financial institution, the National Credit Regulator must consult with the regulatory authority that issued a licence to that regulated financial institution.

(b) Sections 68, 70(1), (2)(b) to (g) and (i), (3) and (4) and 72(1), (3) and (5) will be subject to the compliance procedures set out in Chapters 10 and 11 of the Protection of Personal Information Act, 2013.’’.

3. The amendment of section 68 by the deletion of subsection (2).

4. The amendment of section 136 by the substitution for subsection (1) of the following subsection:

‘‘(1) Any person may, subject to section 55(2)(b), submit a complaint concerning an alleged contravention of this Act to the National Credit Regulator in the prescribed manner and form.’’

5. The amendment of section 137 by the deletion of subparagraph (a) of subsection (1).
