South Africa’s Information Regulator has warned the country’s political parties to follow the provisions of the Protection of Personal Information Act (POPIA) and privacy regulations.
Key to the regulator’s statement is a warning that political parties may not get personal data – like phone numbers – through data brokers or applications, and then process or use that data to contact voters.
Political parties need permission from voters to contact them – with a few exceptions. Voters may at any stage object to their data being processed by political parties.
When processing the personal information of a voter, a political party must ensure that the processing complies with the conditions for lawful processing of personal data as prescribed in POPIA, the regulator said.
These conditions include:
- Accountability: This is where a political party must take overall responsibility to ensure that it processes personal information lawfully.
- Process limitation: This means that a political party may only process information that it reasonably needs and upon obtaining consent directly from a voter. Therefore, political parties may not get personal data from data brokers or through applications that automatically generate personal information – such as telephone numbers. A voter may at any stage object to the processing of their personal data. If a voter objects, then a political party may no longer process that voter’s personal information.
- Purpose specification: This means that a political party can only process the personal information of a voter for purposes directly related to the objective and purpose of that political party’s mandate.
- Openness: This means that a voter must be notified that a political party is processing their personal information.
“In light of the security compromises on personal information that have riddled the country, the Independent Electoral Commission (IEC) and the political parties have a responsibility to ensure that security safeguards are put in place and that there are adequate security measures and controls to safeguard voters’ personal information against loss, damage and misuse,” the regulator said.
Like many laws, there are some exceptions to the applicability of POPIA, the regulator said. “Section 26 prohibits the processing of certain personal information, which includes the political persuasion of voters.
“However, political parties may process information concerning the political persuasion of voters in accordance with section 31 of POPIA, if that information relates to members, employees or other persons belonging to the political party, and where such processing is necessary to achieve the aims and principles of the political party,” it said.
In terms of section 31, a political party may process information related to the political persuasion of a voter for the purpose of:
- Forming a political party;
- Participating in its activities;
- Engaging in the recruitment of members;
- Canvassing supporters or voters for an election or a referendum and campaigning for a political cause.
However, a political party must still comply with the conditions for the lawful processing of personal information when processing information related to the political persuasion of a voter, the regulator said.
The Information Regulator said it had conducted engagements with political parties, including participation in a Special Provincial Party Liaison Committee meeting to present the importance and need to comply with POPIA and protect voters’ personal information during the election period.
“To ensure that we protect the constitutional rights of the citizens of South Africa, all political parties and candidates must uphold the law and comply with the requirements in POPIA. The regulator continues to provide guidance and educate responsible parties in applying this law and protecting the rights of citizens,” said chairperson of the regulator, Pansy Tlakula.