(2) This section-
(a) applies-
(i) to the Commissioner, an officer, or any person acting under a delegation from or under control or direction of the Commissioner; and
(ii) subject to section 4(3), (3A), (3B), (3C), (3D) and (3E), to any personal information in possession of or under the control of the Commissioner;
[Paragraph (a) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(b) prohibits the unauthorised recording and further processing of personal information;
(c) regulates the manner in which personal information must be processed and protected by the Commissioner.
[Paragraph (c) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(3)
(a) The Commissioner or an officer may, subject to subsection (6), obtain and use personal information, if-
(i) Advance Passenger Information, for the purpose specified in section 7A(2);
(ii) any other personal information obtained from any other source as contemplated in section 4(3), for the administration of any other provision of this Act, including any international agreement contemplated in section 50; or
(iii) provided by a party to an international agreement, in accordance with the provisions of that agreement and section 50.
[Paragraph (a) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(b) A person acting under a delegation from or under the control or direction of the Commissioner may only process personal information with the knowledge and consent of the Commissioner and subject to the provisions of this section.
(4) A person to whom this section applies, shall not-
(a) record or deal with personal information other than in the manner prescribed in this section; or
(b) further process any personal information except as authorised by this section.
(5)
(a) No records containing personal information which allows a person to be identified shall be retained for longer than necessary for achieving the purpose of personal information processing, unless-
[Words preceding subparagraph (i) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(i) the person authorises such retention;
[Subparagraph (i) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(ii) the Commissioner, on good cause, for the purposes of this Act, requires the retention of the record for a longer period;
(iii) another law requires or authorises the retention of the record for a longer period;
(iv) the retention is for historical or statistical reasons, if the Commissioner has established appropriate safeguards against the use of such records for other purposes; or
(v) the personal information has been used to make a decision about a person and the record must be retained for such a period as may be reasonably required for the person to request access to the record.
[Subparagraph (v) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(b) Personal information that is not retained for any of the longer periods contemplated in paragraph (a) shall, as soon as practicable after its retention is no longer authorised under that paragraph, be promptly-
(i) de-identified; or
(ii) deleted or destroyed,
by the Commissioner.
(6) Personal information may not be further processed in a manner that is not compatible with the purpose for which that information is obtained and used as contemplated in subsection (3)(a) by the Commissioner, unless-
[Words preceding paragraph (a) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(a) the person authorises such further processing;
[Paragraph (a) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(b) non-compliance is necessary-
(i) for the prevention, detection, investigation, prosecution and punishment of an offence under this Act or any other law;
(ii) for the protection of the public revenue; or
(iii) to prevent an imminent and serious threat to public safety or the life or health of the person; or
[Subparagraph (iii) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(c) the use of the data is only for historical or statistical reasons and the Commissioner has established appropriate safeguards to ensure that any further processing is only carried out for such reasons.
(7) The Commissioner must-
(a) whether at the request of a person or on own initiative, ensure that all records relating to personal information are complete, not misleading, up to date and accurate;
[Paragraph (a) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(b) implement appropriate technical and other measures to-
(i) secure the integrity of personal information by safeguarding against the risk of loss of, or damage to, or destruction of personal information; and
(ii) prevent the unauthorised or unlawful access to, or processing of, personal information;
(c) take measures to identify all readily foreseeable internal and external threats to personal information in the possession of, or under the control of, the Commissioner; and
(d)
(i) establish and maintain appropriate safeguards against the risks identified;
(ii) regularly verify that the safeguards are effectively implemented; and
(iii) ensure that the safeguards are continuously updated in response to new risks or deficiencies in previously implemented safeguards.
(8)
(a) The Commissioner must-
(i) where an information security compromise or suspected compromise of personal information has taken place; and
(ii) if the identity of a person affected by the compromise can be established,
notify that person of such compromise or suspected compromise and provide him or her with such information as may be relevant to allow the person to protect himself or herself against the potential consequences of the compromise.
(b) The Commissioner may delay any notification contemplated in paragraph (a), where the Commissioner determines that such notification will impede or otherwise adversely affect any criminal investigation.
(9)
(a) Any person is entitled to-
[Words preceding subparagraph (i) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(i) obtain from the Commissioner free of charge confirmation of whether the Commissioner holds personal information about him or her;
(ii) request the Commissioner, after having produced adequate proof of identity, to provide the particulars of the personal information held, and information as to the identity of all persons who have had access to his or her personal record-
(aa) within a reasonable time;
(bb) at a charge as may be prescribed by the Commissioner by rule;
(cc) in a reasonable manner;
(dd) in a form that is generally understandable.
(b) Where a person makes a request contemplated in paragraph (a), the Commissioner must inform the person that he or she may request the correction of any such information.
[Paragraph (b) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(c) Where the Commissioner receives a request for the correction of personal information from a person, the Commissioner must-
[Words preceding subparagraph (i) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(i) correct the information concerned;
(ii) in instances where the Commissioner decides on good cause not to correct the information, attach at the request of the person a statement to the information concerning the correction sought but not made in such a manner that it will always be read together with the information;
[Subparagraph (ii) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(iii)
(aa) where the information was further processed as contemplated in subsection (6)(b), advise, if reasonably practicable, each person to whom the information was disclosed as a result of the further processing of the steps taken in terms of subparagraphs (i) and (ii); and
(bb) inform the person of the actions taken as a result of the request for correction.
[Item (bb) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(10) The Commissioner may not-
(a) process personal information concerning a person’s religion or philosophy of life, race, political persuasion or health or sexual life, except where the person has given his or her explicit consent to the processing of the information;
[Paragraph (a) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(b) transfer any personal information about a person to a foreign government other than in the manner contemplated in section 50: Provided that the Commissioner is satisfied that the recipient of that information is subject to a law which effectively upholds principles for fair handling of personal information that are substantially similar to the information protection principles set out in this section.
[Paragraph (b) substituted by section 17 of Act 44 of 2014 effective on 20 January 2015]
(11) If any person of whom personal information is held in terms of this section is dissatisfied with any decision by the Commissioner or an officer in respect thereof that person may, before instituting any judicial proceedings, make use of any of the procedures contemplated in Chapter XA.
(12) Any person who-
(a) causes any personal information to be compromised as contemplated in subsection (8); or
(b) without authority gains access to personal information or interferes with the protection of personal information,
shall be guilty of an offence and liable on conviction to a fine or to imprisonment for a period not exceeding five years or to both such fine and imprisonment.
[Section 101B inserted by section 38 of Act 61 of 2008]