Building healthy communitiesJoin Us

Getting on top of POPI

The Protection of Personal Information Act (called POPI) was promulgated to enforce the Constitutional right to privacy, which includes the right to protection against the unlawful collection, retention, dissemination and use of personal information. It is naturally subject to justifiable limitations that are aimed at balancing the right to privacy with other rights, specifically the right to access to information and protecting important interests.

Organisations should take note of the definition of personal information, which means any information relating to an identifiable natural or juristic person, including but not limited to the following:

  • Information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
  • Information relating to the education or the medical, financial, criminal or employment history of the person.
  • Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
  • The biometric information of the person
  • The personal opinions, views or preferences of the person
  • Correspondence sent by the person that is implicitly or explicitly or a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
  • The views or opinions of another individual about the person
  • The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

The definition of processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information. It thus includes broad principles such as receipt, recording, storage, updating and modification.


It applies to the processing of information, in any form, by a responsible party (the person who is processing the information alone or in conjunction with others) who or which is domiciled in South Africa, unless the processing relates only to the forwarding of personal information.

Personal information which is processed by non-automated means, i.e. paper and text, photographs etc., fall under the Act only if they form part of a filing system or are intended to be part of a filing system.

The Act applies to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object or specific provision of this Act.


This Act does not apply to the processing of personal information-

  • In the course of a purely personal or household activity
  • That has been de-identified (deleted information) to the extent that it cannot be re-identified again
  • By or on behalf of a public body, i.e. national security, investigating offences etc.
  • By the Cabinet and its committees or the Executive Council of a province
  • Relating to the judicial functions of a court.

This Act does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression, to the extent that public interest requires the right to freedom of expression to be exercised.


What is important to note is that anyone can lodge a complaint alleging the interference of personal information of a data subject. The penalties that can be imposed for a breach are fines up to the amount of R10 million, imprisonment of up to 10 years or both. It is thus important to ensure compliance with the Act.

Find out more at POPI Compliance >

Information provided by Alida Hendrikse, NACOSA Compliance Officer