Protection of Personal Information Act (POPIA) 2013 - South Africa
South Africa's data protection law, the Protection of Personal Information Act (POPIA), was issued on 26th November 2013. It aims to protect personal information processed by private and public bodies. Eduwonka adheres to the Protection of Personal Information Act 2013 (POPIA).
“child” means a person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any concerning him/herself;
here “competent person” means any person who is legally competent to consent to any decision being taken concerning a child;
while “consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, national, ethnic or social origin, colour, age, physical or mental health, well-being, disability, religion, culture, language and birth of the person;
(b) information relating to the education or the medical history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
Ⅱ Rights of data subjects
Eduwonka shall safeguard the right of a data subject to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—
(a) to be notified that—
(i) personal information about him, her or it is being collected as provided for in terms of section 18;
(ii) his, her or its personal information has been accessed or acquired by an unauthorized person as provided for in terms of section 22;
(b) to establish whether Eduwonka holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
(c) to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
(d) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
Ⅲ Conditions for lawful processing of personal information
Eduwonka shall adhere to the conditions for processing data given in Chapter 3 of POPIA, as discussed below. Eduwonka will ensure that all the measures that give effect to such conditions are complied with at the time of the determination of the purpose and means of the processing and during the processing.
Ⅳ Condition 2- Processing limitation
Lawfulness of processing – Eduwonka shall ensure that personal information is processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
Minimality – Eduwonka shall ensure that personal information is processed only if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Consent, justification and objection-
(1) Eduwonka shall process personal information only if—
(a) the data subject or a competent person where the data subject is a child consents to the processing;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing protects a legitimate interest of the data subject;
(2) If a data subject has objected to the processing of personal information, Eduwonka shall no longer process the personal information.
Collection directly from data subject
(1) Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
(2) It is not necessary to comply with subsection (1) if—
(a) the information is contained in or derived from a public record or has deliberately been made public by the data subject;
(b) the data subject or a competent person (where the data subject is a child) has consented to the collection of the information from another source
(c) collection of the information from another source would not prejudice a legitimate interest of the data subject.
Ⅴ Condition 3 Purpose specification
Collection for specific purpose
(1) Eduwonka shall collect personal information for a specific, explicitly defined and lawful purpose related to its function/activity.
(2) Eduwonka shall take adequate steps in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.
Retention and restriction of records
(1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
(a) retention of the record is required or authorized by law;
(b) the data subject or a competent person (where the data subject is a child) has consented to the retention of the record.
(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
(3) If Eduwonka has used a record of personal information of a data subject to make a decision about the data subject, it would—
(a) retain the record for such period as may be required or prescribed by law or a code of conduct; or
(b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will allow the data subject a reasonable opportunity, while taking all considerations relating to the use of the personal information into account, to request access to the record.
(4) Eduwonka will certainly destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after Eduwonka is no longer authorized to retain the record in terms of subsection (1) or (2).
(5) The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that prevents its reconstruction in an intelligible form.
(6) Eduwonka shall restrict processing of personal information if—
(a) its accuracy is contested by the data subject, for a period enabling Eduwonka to verify the accuracy of the information;
(b) Eduwonka no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
(c) the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead;
(d) the data subject requests to transmit the personal data into another automated processing system.
(7) Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another person or if such processing is in the public interest.
(8) Where processing of personal information is restricted pursuant to subsection (6), Eduwonka shall inform the data subject before lifting the restriction on processing.
Ⅵ Condition 4 Further processing limitation
Further processing to be compatible with purpose of collection
(1) Eduwonka shall ensure that the further processing of personal information would be in accordance or compatible with the purpose for which it was collected in terms of section 13.
(2) To assess whether further processing is compatible with the purpose of collection, Eduwonka will take account of—
(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
(b) the nature of the information concerned;
(c) the consequences of the intended further processing for the data subject;
(d) the manner in which the information has been collected
(3) The further processing of personal information is not incompatible with the purpose of collection if—
(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information;
(b) the information is available in or derived from a public record or has deliberately been made public by the data subject;
(c) the further processing of the information is necessary to prevent a serious and imminent threat to—
(1) when the information is used for statistical or research purposes and Eduwonka ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
(2) the further processing of the information is in accordance with an exemption granted under section 37.
Ⅶ Condition 5 Information quality
Quality of information
(1) Eduwonka shall take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
(2) In taking the steps referred to in subsection (1), Eduwonka shall have regard to the purpose for which personal information is collected or further processed.
Ⅷ Condition 6 Openness
Documentation- Eduwonka shall maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.
Notification to data subject when collecting personal information
(1) If personal information is collected, Eduwonka will take reasonably practicable steps to ensure that the data subject is aware of—
(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;
(b) Eduwonka’s name and address;
(c) the purpose for which the information is being collected;
(d) whether or not the supply of the information by that data subject is voluntary or mandatory;
(e) the consequences of failure to provide the information;
(f) the fact that, where applicable, Eduwonka intends to transfer the information to a third country or international organization and the level of protection afforded to the information by that third country or international organization;
(g) any further information such as the—
(i) recipient or category of recipients of the information;
(ii) nature or category of the information;
(iii) existence of the right of access to and the right to rectify the information collected;
(iv) existence of the right to object to the processing of personal information as referred to in section 11(3); and
(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
(2) The steps referred to in subsection (1) must be taken—
(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection;
(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
(3) If Eduwonka has previously taken the steps referred to in subsection (1), it complies with subsection (1) in relation to the subsequent collection from the data subject of the same information, provided the purpose of collection of the information remains the same.
(4) It is not necessary for Eduwonka to comply with subsection (1) if—
(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
(c) non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
(d) compliance would prejudice a lawful purpose of the collection; compliance is not reasonably practicable in the circumstances of the particular case; or
(e) the information will—
(i) not be used in a form in which the data subject may be identified; or
(ii) be used for historical, statistical or research purposes.
Ⅸ Condition 7 Security Safeguards
Security measures on integrity and confidentiality of personal information
(1) Eduwonka shall secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), Eduwonka shall take reasonable measures to—
(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
(3) Eduwonka shall have regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Information processed by operator or person acting under authority- An operator or anyone processing personal information on behalf of Eduwonka or an operator, must—
(a) process such information only with the knowledge or authorization of Eduwonka
(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
Security measures regarding information processed by operator
(1) Eduwonka shall, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.
(2) The operator shall notify Eduwonka immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Ⅹ Condition 8- Data subject participation
Access to personal information
(1) A data subject, having provided adequate proof of identity, has the right to—
(a) request Eduwonka to confirm, free of charge, whether or not Eduwonka holds personal information about the data subject;
(b) request from Eduwonka the record or a description of the personal information about the data subject held by Eduwonka, including information about the identity of all third parties/categories of third parties, who have, or have had, access to the information—
(i) within a reasonable time; at a prescribed fee, if any;
(ii) in a reasonable manner and format and in a form that is generally understandable.
(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.
(3) (a) Eduwonka may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.
(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
(4) If a request for access to personal information is made to Eduwonka and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.
Correction of personal information
(1) A data subject may, in the prescribed manner, request Eduwonka to—
(a) correct or delete personal information about the data subject in its possession that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully;
(b) destroy or delete a record of personal information about the data subject that Eduwonka is no longer authorised to retain in terms of section 14.
(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—
(a) correct the information;
(b) destroy or delete the information; provide the data subject, to his or her satisfaction, with credible evidence in support of the information
Part B- Processing of special personal information
Prohibition on processing of special personal information
A responsible party may, subject to section 27, not process personal information concerning—
(a) the religious beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
(b) the criminal behaviour of a data subject to the extent that such information relates to—
(i) the alleged commission by a data subject of any offence; or
(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Part C- Processing of personal information of children
Prohibition on processing personal information of children- Subject to section 35, Eduwonka shall not process personal information concerning a child.
General authorisation concerning personal information of children
(1) The prohibition on processing personal information of children, as referred to in section 34, does not apply if the processing is-
(a) carried out with the prior consent of a competent person;
(b) necessary for the establishment, exercise or defence of a right or obligation in law;
(c) necessary to comply with an obligation of international public law;
(d) for historical, statistical or research purposes to the extent that—
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
(e) of personal information which has deliberately been made public by the child with the consent of a competent person.
TRANSBORDER INFORMATION FLOWS
Transfers of personal information outside Republic
(1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
(a) the third party who is the recipient of the information is subject to a law or binding agreement which provides an adequate level of protection that—
(i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
(ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
(e) the transfer is for the benefit of the data subject, and—
(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
(ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.