‘‘Personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, and may include the following:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person
- information relating to the education or the medical, financial, criminal or employment history of the person
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person the biometric information of the person (Biometric information includes a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.)
- the personal opinions, views or preferences of the person
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence
- the views or opinions of another individual about the person
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
- Both individuals and companies are included in the ambit of “personal information”
The Act will not apply and excluded personal information that is of:
- Purely household activity.
- Information that has been de-identified, (cannot identify a person).
- It is not “personal information” if the information is already in the public domain or is not used, or intended to be used, in trade or commerce.
- Personal information processed by or on behalf of a public body for the purposes of:
- safeguarding national security
- the investigation and prosecution of criminal matters
- processed by the cabinet and its committees or the executive council of a province; or
- relating to the judicial functions of a court
The core purpose of the Act is to protect personal information through statutory legislation to ensure compliance in the lawful processing of personal information as it pertains to securing and accessing the data subject information in question (i.e. the persons information that is protected) mandating in law through the following eight pillars:
- Accountability (section 8 of the Act)
- Processing limitation (section 9 and 10 of the Act)
- Further processing limitation (section 15 of the Act)
- Purpose specification (section 13 and 14 of the Act)
- Information quality (section 16 of the Act)
- Openness (section 17 and 18 of the Act)
- Security safeguards (section 19 to 22 of the Act)
- Data subject participation (section 23 to 25 of the Act)