On the 13th July 2021 the Information Regulator of South Africa (the “Regulator”) released a media statement warning the public against the processing of personal information of data subjects without their consent. This came about as photographs of former President Jacob Zuma, taken at a facility of the Department of Correctional Services, was distributed through multiple social media platforms.
As a result of the distribution of these photographs the Regulator released the media statement to inform the public that photographs which clearly identify an individual are regarded as personal information in terms of the Protection of Personal Information Act No. 4 of 2013 (”POPI Act”). Additionally, the Regulator warns that the distribution of such material is regarded as the processing of personal information in terms of the POPI Act, which, without the consent of the individual that is being identified in the item being distributed, is prohibited by the POPI Act. With this in mind, this article considers what constitutes personal information in terms of the POPI Act and whether posting pictures of an individual without their consent will land you in trouble.
The current definition of personal information, as contained in the POPI Act, can also be found in various other pieces of legislation, which include –
- Electronic Communications and Transactions Act No. 25 of 2002; and
- Promotion of Access to Information Act No. 2 of 2000.
These acts, together with the POPI Act, define personal information as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, which includes, but is not limited to –
- “information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”
In light of the above, it is clear that the aforementioned pieces of legislation were drafted with the intention to provide a very broad application to the definition of personal information. The question we now need to ask ourselves is how this provision regarding consent will be enforced and whether or not individuals need to consider every single picture they upload to social media in order to determine if it possibly contains details clearly identifying an individual?
Individuals and businesses who actively participate on social media platforms are therefore advised to take extra precaution when posting anything which might be regarded as the personal information of an individual or business and not engage in any actions that might violate another person’s rights as set out in the provisions of the POPI Act through the distribution of such personal information without first ensuring that:
- the consent of the data subject is obtained;
- doing so will protect the legitimate interest of the data subject; or
- in doing so such individual or business complies with an obligation imposed on it by law.
Should businesses or individuals fail to adhere to the provisions of the Act set out above when posting pictures online they may find themselves failing foul of the Act, which may in turn lead to the Regulator imposing a prescribed penalty on such business or individual.
VDMA’s team of experts are available to assist you and your business with drafting POPI manuals, privacy policies, conducting POPI training or any other POPI compliance needs you may have.