Unpacking the definition of personal information in the Protection of Personal Information (POPI) Act is important. It is one of the cornerstones of the POPI legislation. One needs to ensure that it is fully understood. Here is the text straight out of the Act:
‘personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
a. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
b. information relating to the education or the medical, financial, criminal or employment history of the person;
c. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
d. the biometric information of the person;
e. the personal opinions, views or preferences of the person;
f. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g. the views or opinions of another individual about the person; and
h. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
There is a lot of detail in the definition of ‘personal information’, so let’s break it up into its logical parts. We dealt with the first part of the definition, which covers who the data subject is, in the article ‘What is a Data Subject? A better understanding of POPI’.
Some of the details that constitute personal information covered in the definition should not come as a surprise. This is basically what we would normally think of if asked to explain what we understand by personal information.
- Para (a) covers information such as your gender, marital status, age and language. It includes details that the POPI Act calls Special Personal Information for which there are specific rules prohibiting the processing and certain conditions under which the processing may be allowed. We will look at this again later in more detail.
- Para (c) deals with information such as ID numbers, email addresses, your physical address and contact numbers.
- Para (d) is about biometric information for which there is a definition in the Act. It includes things like blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
- Para (h) deals with the name of the person. For what it’s worth, the fact that a person’s name is personal information where it is linked to further information about the person is an interesting nuance. This implies that a person’s name without such links is not personal information.
The remaining paragraphs in this definition are slightly less obvious and some have serious impacts.
- Para (b) is a prime example if you consider just how much information is covered under the five types of information listed here.
- Para (e) deals with the preferences of the person. These preferences are quite important as we will see later when we look at issues relating to the consent of the data subject and the right of the data subject to opt out of further processing a company might be doing.
- Para (f) is all about the issue of correspondence and is a big headache for organisations. This definition means there are a lot of emails that contain personal information that have to be controlled. Most people know how easy it is to file emails and lose track of what is in them. There are certain rules that are a challenge to resolve:
  - Needing to delete personal information once the purpose for its collection has been achieved.
  - Reporting breaches to the regulator, e.g. when your laptop gets stolen, resulting in unauthorised access to the emails stored on the laptop.
- Para (g) deals with opinions of other people – an example of this would be where companies carry out 360-degree performance appraisals where other staff members provide input as part of the preparation. In a company of thousands of employees where each staff member has nominated a number of other people to provide this input, it basically means there is a lot of personal information sitting in emails and attachments, duplicated many times depending on who needed to receive copies of these inputs.