Reproduced by Sabinet Online in terms of Government Printer’s Copyright Authority No. 10505 dated 02 February 1998

32

No. 37067

GOVERNMENT GAZETTE, 26 November 2013

Act No. 4 of 2013

Protection of Personal Information Act, 2013

(b) in any other case, before the information is collected or as soon as reasonably
practicable after it has been collected.
(3) A responsible party that has previously taken the steps referred to in subsection (1)
complies with subsection (1) in relation to the subsequent collection from the data
subject of the same information or information of the same kind if the purpose of
collection of the information remains the same.
(4) It is not necessary for a responsible party to comply with subsection (1) if—
(a) the data subject or a competent person where the data subject is a child has
provided consent for the non-compliance;
(b) non-compliance would not prejudice the legitimate interests of the data
subject as set out in terms of this Act;
(c) non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body,
including the prevention, detection, investigation, prosecution and
punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation
concerning the collection of revenue as defined in section 1 of the South
African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have been
commenced or are reasonably contemplated; or
(iv) in the interests of national security;
(d) compliance would prejudice a lawful purpose of the collection;
(e) compliance is not reasonably practicable in the circumstances of the particular
case; or
(f) the information will—
(i) not be used in a form in which the data subject may be identified; or
(ii) be used for historical, statistical or research purposes.

Condition 7
Security Safeguards
Security measures on integrity and confidentiality of personal information

19. (1) A responsible party must secure the integrity and confidentiality of personal
information in its possession or under its control by taking appropriate, reasonable
technical and organisational measures to prevent—
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), the responsible party must take reasonable
measures to—
(a) identify all reasonably foreseeable internal and external risks to personal
information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or
deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information
security practices and procedures which may apply to it generally or be required in terms
of specific industry or professional rules and regulations.
