What is personal information?
March 2018
This resource aims to assist organistaions bound by the Protection of Personal Information Act (POPI) to understand and apply the definition of ‘personal information’ in section 1 of POPI.
POPI defines ‘personal information’ as:
The definition is consistent with international standards and precedents.
- The term ‘personal information’ encompasses a broad range of information.
- A number of different types of information are explicitly recognised as constituting personal information under POPI. For example, the following are all types of personal information:
- ‘special personal information’ (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information)
- ‘health information’ (which is also ‘special personal information’)
- ‘credit information’
- ‘employee record’ information
- Health information
- The term “but not limited to” means information does not have to be explicitly recognised as personal information to constitute personal information under POPI. The types of information that are personal information are unlimited and can vary widely.
- Further, the definition of personal information is not limited to information about an individual’s private or family life, but extends to any information or opinion that is about the individual, from which they are reasonably identifiable. This can include information about an individual’s business or work activities.
Common examples of personal information
- Information about a person’s private or family life
- A person’s name, signature, home address, email address, telephone number, date of birth, medical records, bank account details and employment details will generally constitute personal information.
- Information about a person’s working habits and practices.
- A person’s employment details, such as work address and contact details, salary, job title and work practices.
- Certain business information — for example, information about a loan taken out by a sole trader to purchase tools for their business, or information about communication usage — may be personal information about the organisation.
- Commentary or opinion about a person
- In certain circumstances, a practitioner’s comments about a patient’s health, attitudes and aptitude is ‘personal information’ as it is information about that person.
- An opinion about an individual’s attributes that is based on other information about them, such as an opinion formed about an individual’s gender and ethnicity, based on information such as their name or their appearance. This will be personal information about the individual even if it is not correct.
- Information or opinion inferred about an individual from their activities, such as their tastes and preferences from online purchases they have made using a credit card, or from their web browsing history.
- For information to be personal information, it must relate to:
- an identifiable, living, natural person, and where it is applicable,
- an identifiable, existing juristic person
- It is important to remember that decisions about whether information is personal information should be made on a case-by-case basis, with reference to the circumstances and specific context of the situation.
- Some information may not be personal information when considered on its own. However, when combined with other information held by (or accessible to) an entity, it may become ‘personal information’. Information holdings can therefore be dynamic, and the character of information can change over time.
Example: The blood type of an individual is an example of personal information (it is part of an individu’s medical history). But there are millions of people that have the same blood type thus, if there is a record which contains the name of a person and his blood type, it clearly constitutes personal information about that person. However, by removing the personal identifier which links the blood type to the individual, the blood type ceases to be personal information because it no longer relates to an identifiable individual. On the contrary, some types of personal information, by themselves, could be exemptible. Biometric information of an individual is unique and, through it alone, can lead to the identity of an individual.
- A name is the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context. By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual. (Obviously, if two John Smiths, father and son, work at the same place then the name, John Smith, and company name alone will not uniquely identify one individual, more information will be required).
- Simply because you do not know the name of an individual does not mean you cannot identify that individual. Many of us do not know the names of all our neighbours, but we are still able to identify them.
We are busy changing, be back soon