Sep 8, 2021 / News / E-Bulletin

1. Processing of Special Personal Information

On 28 June 2021, the Information Regulator published its “Guidance Note on Processing of Special Personal Information” (“Guidance Note”). As its title indicates, the main purpose of the Guidance Note is to provide guidance to responsible parties who may be required in terms of section 27(2) of the Protection of Personal Information Act No. 4 of 2013 (“POPIA”) to obtain authorisation from the Information Regulator to process special personal information.

2. What is special personal information?

2.1 As a point of departure, it is necessary to consider the definition of special personal information. In this regard, special personal information is defined in section 26 of POPIA as personal information of a data subject relating to:

2.1.1 religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information; or

2.1.2 the criminal behaviour of a data subject to the extent that such information relates to:

2.1.2.1 the alleged commission of any offence by a data subject; or

2.1.2.2 any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

2.2 Special personal information is afforded a higher degree of protection given its highly sensitive nature and the potential negative impact disclosure of it could have on a data subject.

3. Applying for authorisation

3.1 POPIA provides that the Information Regulator may authorise a responsible party to process special personal information. However, authorisation will only be granted, upon application, if the Information Regulator is satisfied that:

3.1.1 the processing of such special personal information is in the public interest; and

3.1.2 there are appropriate safeguards in place to protect the special personal information of the data subject.

3.2 The Guidance Note clarifies and provides direction regarding the interpretation of “public interest” and “appropriate safeguards”. Furthermore, the Guidance Note is particularly important given that these terms are not defined in POPIA and have not yet been the subject of any judicial scrutiny since the advent of POPIA.

3.3 The Guidance Note states that the definition of “public interest” varies across jurisdictions and should be assessed on a “case-by-case” basis. However, the underlying foundation of the principle of public interest is expressed in the Guidance Note as being:

“the notion that an action or process or outcome widely and generally benefits the public at large (as opposed to a few or a single entity or person) and should be accepted or pursued in the spirit of equality and justice”. [Emphasis added]

3.4 Consequently, it appears that the Information Regulator will be applying the requirement of public interest in a broad sense and the method of scrutiny in consideration of the public interest requirement will depend on the particular circumstances of the application put forward by a responsible party.

3.5 In respect of the requirement of “appropriate safeguards” the Guidance Note provides further details on the obligation placed on responsible parties pursuant to section 19(1) of POPIA. Section 19(1) of POPIA obliges a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of personal information and the unlawful access to or processing of personal information.

3.6 The Guidance Note requires responsible parties to have due regard to generally accepted security practices and procedures which may apply to them generally or be required in terms of the specific industry or professional rules and regulations that apply to the responsible party. The Guidance Note further requires responsible parties to ensure that section 19(2) of POPIA is complied with, thus requiring responsible parties to, amongst others, take steps to identify any foreseeable internal and external risks to personal information and to establish the appropriate safeguards to protect against the identified risks. This highlights the importance of a gap analysis when undertaking a POPIA compliance initiative.

3.7 Regarding the procedure to obtain authorisation, the Guidance Note contains an application form requiring responsible parties to provide information relating to, amongst others:

3.7.1 what special personal information they process;

3.7.2 how the processing of the special personal information is in the public interest;

3.7.3 whether the processing of the special personal information complies with the conditions for lawful processing; and

3.7.4 what appropriate security measures are implemented by the responsible party to protect the special personal information.

3.8 If the Information Regulator is satisfied that a responsible party meets the public interest and appropriate safeguard requirements, it will grant the responsible party authorisation to process special personal information. Such authorisation, however, may be subject to reasonable conditions, which will be decided by the Information Regulator on a case-by-case basis.

4. Conclusion

4.1 The specific approach of the Information Regulator towards applications for authorisations remains to be seen. However, the Guidance Note does provide useful insight into the Information Regulator’s interpretation of the public interest and appropriate safeguards requirements for authorisation.

4.2 Responsible parties must be mindful that section 27(2) of POPIA does provide grounds upon which the prohibition on the processing of special personal information does not apply, namely when:

4.2.1 processing is carried out with the consent of the data subject;

4.2.2 processing is necessary for the establishment, exercise or defence of a right or obligation in law;

4.2.3 processing is necessary to comply with an obligation of international public law;

4.2.4 processing is for historical, statistical or research purposes;

4.2.5 information has deliberately been made public by the data subject; or

4.2.6 provisions relating to sections 28 to 33 of POPIA, which contain legislative authorisations for the processing of certain types of special personal information, are complied with.

4.3 Should these grounds not be applicable to a responsible party, the responsible party may apply for authorisation.

4.4 Considering overall compliance with POPIA and the establishment of a POPIA governance structure, the importance of performing a gap analysis to ensure that special personal information is being processed by the responsible party in line with the legislation cannot be overstated. Responsible parties must be able to clearly articulate the public interest aspects as well as the safeguards in place to protect the special personal information of the data subject when lodging an application for authorisation of special personal information.


by Ahmore Burger-Smidt, Director and Head of Data Privacy and Cybercrime Practice and member of Competition Law Practice; Dale Adams, Associate; Rebecca Hill, Candidate Attorney; and Nyiko Mathebula, Candidate Attorney