In the next article in his series on the Protection of Personal
Information Act, Advocate Louis Nel writes about Openness
THIS section makes it quite explicit that personal information (PI) may only be processed by a
responsible person (RP) who has notied the Information Protection Regulator (IPR) in terms of
sections 50 to 54 (Chapter 6). It means that, before processing PI, the party intending to do so
must submit notication to the IPR which must contain the following information (this is a ‘once-off’
requirement and it is recorded in a register with the IPR):
Name and address of RP
Purpose of the processing
Description of categories of date subject (DS) and PI/categories of PI
Recipients/categories of recipients to whom PI will be supplied
Any intended trans-border ow of PI
Security measures to be implemented by RP (see ‘accountability’)
There are limited exemptions to the above notication requirement e.g. by notice by IPR; to detect
offences; public registers.
The RP must also convey the following to the DS prior to collecting PI and it would be good
practice to retain a record that this has been communicated to the DS in the form of some kind of
acknowledgement, which can be e.g. in the T&C of the business:
PI being collected
Name and address of RP
Whether or not the supply of PI by DS is voluntary or mandatory
Consequences of failure to provide the PI
Any law authorising or requiring the collection of PI
Further information such as recipients/categories of recipients to whom PI will be supplied; nature
or category of the PI; the DS’s right to rectify PI
The RP is exempt from this requirement if:
It has compiled and lodged a manual as required by PAIA (The Promotion of Access to Information
Act) and the above information is contained in the manual
DS has consented to non-compliance.
