In more detail

As a result of recent changes to electoral legislation that allow independent candidates to stand and campaign for elections, and due to the increase in data breaches and the increased risk to the electoral process due to misinformation and disinformation, the Information Regulator (South Africa) ("Regulator") in May 2024 released a new Guidance Note on the processing of voters' personal information by political parties and independent candidates ("Parties"). The Guidance Note also details the measures to be taken to counter misinformation and disinformation during the upcoming 2024 elections. The aim of the note is to ensure both compliance with the Protection of Personal Information Act, 2013 (POPIA) and the free flow of accurate and reliable information to achieve free and fair elections.

The guidance note reiterates that political parties and independent candidates are responsible parties for the purposes of POPIA and must comply with the eight conditions for the lawful processing of voters' personal information during election campaigns. The guidance note sets out the manner in which political parties and independent candidates are required to comply with the eight principles for lawful processing and, to this end, provides for the following:

1. Accountability: Political parties and independent candidates must take responsibility for the way they collect and use voters' personal data and must further guarantee their compliance with the eight principles for lawful processing and put measures in place to ensure compliance.
2. Process Limitation: Political parties and independent candidates must have a legal basis to process personal information and only collect adequate, relevant, and minimal information for campaigning purposes. A voter's consent must be obtained to collect and use their personal information for campaigning purposes. Voters can withdraw their consent at any time after being contacted by a political party or independent candidate, and they are also entitled, at any time, to object to the processing of their personal information. Where an automated calling machine is used to contact voters, the voter must be given an opt-out option. Political parties and independent candidates must collect personal information directly from voters and are prohibited from using data brokers, lead generators, and automated applications that generate voters' personal information.
3. Purpose Specification: Political parties and independent candidates must use a voter's personal information for specific, explicitly defined, and lawful purposes related only to their campaigning activities. They cannot retain voter records longer than is necessary unless required by law, reasonably required for lawful purposes in relation to campaigning activities, required by contract, or the voter has consented to the retention. However, they may retain records for historical, statistical, or research purposes, provided appropriate safeguards are established against records being used for any other purpose.
4. Further processing to be compatible with the purpose of collection: Political parties and independent candidates are prohibited from using a voter's personal information for purposes different from the original purpose unless it is compatible with the new purpose. They can use the personal information for a different purpose, if the voter has consented to such use, the personal information is available in public records or made public by the voter.
5. Information Quality: Political parties and independent candidates must take reasonable practical steps to verify, maintain and keep voters' personal information up-to-date.
6. Openness: Political parties and independent candidates must establish a privacy policy to ensure voters understand their personal information processing practices and document all processing operations. They must collect and use voter information for lawful purposes related to their functions and activities, and they must inform voters before collecting personal information from them about the purpose, source, and recipients of their personal information. Data subjects must also be made aware of their data subject rights. If not directly collected from the voter, steps must be taken to inform the voter as soon as practicable after collection. Non-compliance may be allowed if the data subject consents to the non-compliance or if the non-compliance does not prejudice their legitimate interests.
7. Security Safeguard: Political parties and independent candidates must secure the confidentiality and integrity of personal information in their possession or under their control by identifying and addressing potential risks, establishing, and maintaining appropriate, reasonable, technical and organizational safeguards, regularly verifying their effectiveness, and updating these safeguards as needed. They are also required to notify the Information Regulator (South Africa) and all affected voters of all security compromises to personal information.
8. Data Subject Participation: Political parties and independent candidates must, when requested by a voter, confirm if they hold personal information about that voter and provide the voter with a record of the personal information they hold, as well as the details of all third parties who have or have had access to the personal information. They are also required to correct or delete inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained information, and notify voters of the action taken, thereby ensuring transparency and accountability in voter data management. This includes removing records they are no longer authorized to retain.

POPIA prohibits the processing of special information concerning the political persuasion of voters; however, section 31 of POPIA creates an exception to the rule by allowing political parties to collect and use the personal information of a voter for the purpose of forming a political party, participating in its activities, recruiting members, or campaigning.

Landise Banzana, Trainee in Johannesburg, assisted in writing this article.