With less than a week to go before the Protection of Personal Information Act comes into effect, there is a hubbub of activity as businesses enter the final push toward compliance.
There is, however, some confusion regarding Sections 37 and 38 of the Act. These sections deal with exemptions and allow certain organisations and processes to be exempt from one or more of the eight conditions for lawful processing of data.
As a quick refresher, these eight conditions, and where they are referenced in the Act, are:
- Accountability (Section 8)
- Processing Limitation (Sections 9 to 12)
- Purpose Specification (Sections 13 and 14)
- Further Processing Limitation (Section 15)
- Information Quality (Section 16)
- Openness (Sections 17 and 18)
- Security Safeguard (Sections 19 to 22)
- Data Subject Participation (Sections 23 to 25)
In some instances an organisation would need to apply for exemption and in some cases it would apply automatically. But where does either of these provisions apply?
That information was published this week by the Information Regulator, but it’s not especially clear.
Partners at Webber Wentzel Attorneys, Peter Grealy and Dario Milo, have, however, explained this wonderfully.
The table below gives you a better idea of where you would need to apply for exemption and where it would automatically apply.
| | Application for exemption from compliance with the processing conditions (public interest) | Application for exemption from compliance with the processing conditions (clear benefit) | Automatic exemption from certain provisions in POPIA |
|---|---|---|---|
| Who does this apply to? | Organisations that process personal information which is in the public interest, where such processing outweighs the data subject’s right to privacy. This will be assessed by the Information Regulator on a case-by-case basis. “Public interest” is an action, process or outcome that generally benefits the public at large, not just one person or a few persons. POPIA provides that the public interest includes various scenarios, such as the interests of national security and the prevention, detection and prosecution of offences (amongst others). | Organisations that process personal information which has a clear benefit to the data subject or a third party, where such processing outweighs the data subject or third party’s right to privacy. Neither POPIA nor the Guidance Note contain a definition of “clear benefit”. The applicant must explain (i) why its processing of personal information in breach of POPIA benefits a data subject or third party; (ii) the nature of the benefit; and (iii) how it outweighs the privacy rights of a data subject or third party. | Organisations that process personal information to discharge a relevant function. A relevant function means a function of a public body or a function which is given to a person by law to protect members of the public against (i) financial loss in providing financial services or managing bodies corporate; or (ii) improper conduct or incompetence of a person that carries on a profession or other activity. |
| Example | A public body which is tasked with investigating fraud and corruption can apply for an exemption from some POPIA provisions, as the public interest in eradicating fraud and corruption outweighs any privacy rights of the individuals being investigated. | An organisation that processes university students’ personal information for the sole purpose of granting bursaries to selected students can apply for an exemption from some POPIA provisions, as the university students benefit financially from their personal information being processed. | A body established under law to regulate the affairs of accountants may be automatically exempt from certain POPIA provisions, when processing is performed to protect the public against dishonesty or malpractice of accountants. |
| How to obtain the exemption | You must submit an application form in the prescribed format to the Information Regulator. | You must submit an application form in the prescribed format to the Information Regulator. | No application form is required, but you must document your reasons for being automatically exempt. |
| When does the exemption come into effect? | On publication in the Gazette. | On publication in the Gazette. | Automatically. |
The application form is at the bottom of this PDF and you will need to declare which conditions you would need to be exempt from.
We highly recommend using this website from Michalsons, which makes the Act a lot easier to navigate, search and read through.
We should also point out, as Milo and Grealy did, that being exempt from one condition does not mean you don’t have to adhere to the others.
“An exemption does not mean that your organisation is entitled to use personal information freely and without complying with the remainder of POPIA. In either of the above instances, an organisation will only be exempt from complying with some POPIA provisions. An exemption application which has been approved by the Information Regulator may also have a number of conditions imposed by the Regulator,” wrote the partners.
At close of play today there will be just six days left to become POPIA compliant.