Guidance note on processing of special personal information, 2021

Jurisdiction: South Africa
Date: 30 June 2021
Language: English
Type: Guidance Note
Download: Download PDF (262.7 KB)

Taxonomies

Guidance note on processing of special personal information, 2021

1.Definition1.1.“Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;1.2.“De-identify”, in relation to personal information of a data subject, means to delete any information that—1.2.1.identifies the data subject;1.2.2.can be used or manipulated by a reasonably foreseeable method to identify the data subject; or1.2.3.can be linked by a reasonably foreseeable method to other information that identifies the data subject,1.3“special personal information”, as referred to in section 26 of POPIA, refers to the personal information concerning the following—1.3.1the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or1.3.2the criminal behaviour of a data subject to the extent that such information relates to—a)the alleged commission by a data subject of any offence; orb)any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.1.4“Processing” as defined in POPIA, means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—1.4.1the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;1.4.2dissemination by means of transmission, distribution or making available in any other form; or1.4.3merging, linking, as well as restriction, degradation, erasure or destruction of information;1.5“Responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;

2.Introduction

2.1Section 26 of POPIA prohibits the processing of special personal information, subject to exceptions provided for in section 27(1).

2.2In terms of section 26, a responsible party may, subject to paragraph 2.3 below, not process any of the following special personal information of a data subject—

2.2.1religious beliefs;

2.2.2philosophical beliefs;

2.2.3race;

2.2.4ethnic origin;

2.2.5trade union membership;

2.2.6political persuasion;

2.2.7health;

2.2.8sex life;

2.2.9biometric information; or

2.2.10the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

2.3The prohibition on processing personal information, as referred to in paragraph 2.1 above, does not apply if the—

2.3.1processing is carried out with the consent of a data subject;

2.3.2processing is necessary for the establishment, exercise or defense of a right or obligation in law;

2.3.3processing is necessary to comply with an obligation of international public law;

2.3.4processing is for historical, statistical or research purposes to the extent that—

2.3.4.1the purpose serves a public interest and the processing is necessary for the purpose concerned; or

2.3.4.2it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;

2.3.5information has deliberately been made public by the data subject; or

2.3.6provisions relating to sections 28 to 33 of POPIA are, as the case may be, complied with.

2.4This document provides guidance only and the responsible parties are therefore required to ensure compliance with the relevant provision of POPIA.

3.PurposeThe purpose of this Guidance Note is to guide responsible parties who are required to obtain authorisation from the Regulator to process special personal information, as provided for in section 27(2) of POPIA.

4.Authorisation for processing of special personal information

4.1In terms of Section 27(2) of POPIA, the Regulator may by notice in the Gazette authorise a responsible party to process special personal information if the Regulator is satisfied that the such processing is—

4.1.1in the public interest; and

4.1.2appropriate safeguards have been put in place to protect the special personal information of the data subject.

4.2Public interest

4.2.1POPIA does not define public interest.

4.2.2Public interest is a wide and diverse concept that cannot, and should not, be limited in its scope and application. The definition of what constitutes public interest varies across jurisdictions and should be assessed on a case-bycase basis. In its very basic formulation public interest is the notion that an action or process or outcome widely and generally benefits the public at large (as opposed to a few or a single entity or person) and should be accepted or pursued in the spirit of equality and justice.

4.3Appropriate safeguards

4.3.1The responsible party is required, in terms of section 19(1) of POPIA, to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

4.3.1.1loss of, damage to or unauthorised destruction of personal information; and

4.3.1.2unlawful access to or processing of personal information.

4.3.2In order to appropriately secure the integrity and confidentiality of special personal information in its possession or under its control, the responsible party must, in terms of section 19(2) of POPIA, take reasonable measures to—

4.3.2.1identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

4.3.2.2establish and maintain appropriate safeguards against the risks identified;

4.3.2.3regularly verify that the safeguards are effectively implemented; and

4.3.2.4ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

4.3.3The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

4.3.4If the Regulator is satisfied that the application for authorisation to process special personal information meets the requirements listed in paragraph 4.1 above, it may impose reasonable conditions in respect of any authorisation granted, which conditions will be decided on a case-by-case basis.

5.Manner of submission of an application for authorisation

5.1.Applications for authorisation to process special personal information must be submitted to the Regulator through the following channels—

Email	authorisation.SPI@justice.gov.za.
Postal	P.O Box 31533BraamfonteinJohannesburg2017
Hand delivery	JD House27 Stiemens StreetBraamfonteinJohannesburg2001

5.2.Due to the current pandemic (Covid-19), the Regulator recommends that applications for authorisation to process special personal information be submitted by email to limit the transmission of the virus. However, the Regulator will accept applications in accordance with paragraph 5.1 above.

6.Acknowledgement of receipt of the application

6.1Once the application is received and recorded on the system of the Regulator, the responsible party will receive an acknowledgement email or letter with a reference number for the application.

6.2If you are providing additional information to your application, please include the application reference number to enable the Regulator to link the additional information to the existing application.

7.Contact details

7.1If after reading this Guide, the responsible party still requires help in completing the authorisation application form, it may contact the Regulator’s Customer Service Centre by email at: authorisation.SPI@justice.gov.za.

7.2Please note that the Regulator’s operating hours are from 08h30 to 17h00 Monday to Friday only.

Application form for authorisation to process special personal information

Note:The personal information submitted herein shall be solely used for specific purposes of authorisation applications submitted to the Information Regulator (“Regulator’) in terms of section 27(2) of the Protection of Personal Information Act 04 of 2013 (POPIA).All the information submitted herein shall be used for the purpose stated above, as mandated by POPIA. This Information may be disclosed to the public. The Regulator undertakes to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.

Part A – Responsible Party

Type of Body	Public Body	Private Body
Full Name of the Body (Registered Name)Trading Name (if any)

Registration No, if any
Full Name of Information Officer
Information Officer’s Registration Number, if registered
Postal Address (Official)
Postal Address (Official)
Physical Address (Official)


Official Landline Number
Official Cell Number
Official Fax Number
Official Email Address
Website, if any

Part B – Category of special personal information

Please select a category of special personal information you intend to process which is subject to an authorisation
1.	Religious Beliefs
2.	Philosophical Beliefs
3.	Race
4.	Ethnic Origin
5.	Trade Union Membership
6.	Political Persuasion
7.	Health Life
8.	Sex Life
9.	Biometric Information of a data subject;
10.	The criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings
Please explain how the processing of the selected special personal information is in the public interest, as selected or specified above.
Is the processing of selected special personal information in compliance with the eight conditions for lawful processing of personal information?If no, please confirm if an exemption, in terms of section 37 of POPIA, has been granted by the Regulator.
Please indicate if the responsible party in the Republic intends to transfer the special personal information to a third party who is in a foreign country?If so, please specify the name of the foreign country.
Please specify the appropriate security measures to be implemented by the responsible party to ensure the protection of the special personal information of the data subject.

Part C – Declaration

I declare that the information contained herein is true, correct and accurate.SIGNED and DATED at _______ on this the _ day of _______ 2021________________________INFORMATION OFFICER

Part D

The following information is required for statistical purposes. Please choose a sector(s) that apply to your body.

GOVERNMENT			PUBLIC ENTITIES			PRIVATE BODY			PROFESSION
Item	Classification of Government	X	Item	Classification of a Public Entity	X	Item	Name of Industry or Sector	X	Item	Type of profession	X
	National Government		1.	Constitutional Entities		1	Education		1	Legal
	Provincial Government		2.	Schedule 2 Public Entity		2	Insurance		2	Built Environment
	Local Government		3.	Schedule 3A Public Entity		3	Health Facilities		3	Financial
LEGISLATURE			4.	Schedule 3B Public Entity		4	Telecommunications		4	Medical and Allied Health Services
Parliament of the Republic of South Africa			5.	Schedule 3C Public Entity		5	Pharmaceutical		OTHERS, Specify
Parliament of the Republic of South Africa			OTHERS, specify			6	Media And Social Media
Gauteng Provincial Legislature			6.			7	Retail/Direct Marketing
Western Cape Provincial Legislature						8	Tourism		5.
Northern Cape Provincial Legislature						9	Transportation, Storage and Logistics
Limpopo Provincial Legislature						10	Manufacturing/Production
Northwest Provincial Legislature						11	Banks
Free State Provincial Legislature						12	International Organizations
Mpumalanga Provincial Legislature						13	Real Estate
Mpumalanga Provincial Legislature						14	Credit Bureaus
Eastern Cape Provincial Legislature						OTHERS, specify
Kwazulu-Natal Provincial Legislature

▲ To the top