This guideline is version 4.0 of Protection of Personal Information Guidelines compiled for the Law Society of South Africa (LSSA) by Mark Heyink. It incorporates references to important developments that have occurred in the realm of 'Protection of Personal Information' or 'Data Protection' as this developing jurisprudence is known in some jurisdictions.
The most notable addition to the data protection landscape is the General Data Protection Regulation (GDPR), which will govern Data Protection in all of the European Union member countries. The GDPR will commence on 25 May 2018 and is regarded as the gold standard in the protection of privacy of information. Democracies around the world are looking to the GDPR to update their own legislation and regulation in an attempt to keep pace with the explosion of processing of information as novel information and communication technologies disrupt and transform our 21st Century world. By way of example, the United Kingdom, having exited from the European Union, has deemed it necessary to promulgate a new Data Protection Act to ensure that it can work in harmony with other EU countries and that it stays at the forefront of data protection.
The revision of this guideline addresses the potential impact of GDPR on South African companies. It is also highly likely that where the Information Regulator ('Regulator') is required to interpret the Protection of Personal Information Act (PoPIA, as the Regulator prefers it to be referred to) it will seek guidance in interpretations contained in the GDPR, particularly where they relate to novel practices not necessarily addressed in PoPIA. This is in line with the constitutional imperative contained in Section 233 of the Constitution and Constitutional Court pronouncements to the effect that relevant international law is considered in interpreting areas of uncertainty in South African law.
The primary purpose of the guideline is to assist attorneys in familiarising themselves with their obligations to process personal information in their practices lawfully. This guideline is not intended and must not be construed as establishing any legal obligation. Neither is the guideline intended, nor must it be construed, as providing legal advice. Each practice is different and will have to apply the principles which have been developed to protect personal information as may be appropriate and in accordance with the nature of the information and the purpose for which the personal information may be processed.
This guideline should be read in conjunction with the 'Information Security for South African Law Firms - LSSA Guideline'. This provides guidance to attorneys in managing and securing information which is fundamental to the lawful processing of personal information.