Section 14(d) of the South African Constitution grants every person the right to privacy, including the right not to have the privacy of their communications infringed upon. The right to privacy is also recognized as an independent personality right under the common law. The right to privacy encompasses the right to confidentiality, which is owed between companies and organs of state, on the one hand, and data subjects, on the other.
The common law requires the voluntary and informed consent of each data subject (in this case, the user) in order to process their personal information.
POPIA provides that the processing of information is subject to a processing limitation (Condition 2), set out in sections 9 to 12. Specifically, section 11(1) provides that:
Personal information may only be processed if—
- the data subject (or a competent person where the data subject is a child) consents to the processing;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- processing complies with an obligation imposed by law on the responsible party;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
As part of Condition 7 (Security Safeguards) to the lawful processing of personal information, section 22 requires the notification of security compromises, such as where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.
POPIA provides for minimum requirements by way of conditions that attach to the lawful processing of personal information, in general, which include:
- accountability – the conditions for lawful processing of personal information must be complied with;
- processing limitation – the processing of personal information in a lawful and reasonable manner that does not infringe the privacy of a data subject, that includes processing that is adequate, relevant and not excessive, that is in accordance with all relevant consents, justifications and objections, and that is collected directly from the data subject, subject to certain exceptions;
- purpose specification – collection for a specific, explicitly defined and lawful purpose related to a function or activity of the Responsible Party, that is not retained longer than is necessary;
- further processing limitation – any further processing of personal information must be in accordance with the purpose for which it was collected;
- information quality – a Responsible Party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary;
- openness – a Responsible Party must maintain the documentation of all processing operations under its responsibility and must take steps to ensure the data subject is aware of the details surrounding the collecting of the data subject's personal information;
- security safeguards – a Responsible Party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures; ensure that the Operator is bound, by written contract, to establish and maintain similar security measures; notify the Information Regulator immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person; and
- data subject participation – a data subject, having provided adequate proof of identity, has the right to request a Responsible Party to confirm, free of charge, whether or not the Responsible Party holds personal information about the data subject, to request the record or a description of the personal information about the data subject held by the Responsible Party, and to request that a Responsible Party correct, destroy or delete such personal information.
This system is owned and operated by IMM. You can contact us by email for more information (admin@imm-st.co.za).