South Africa’s Protection of Personal Information Act (POPIA) is one of the most important pieces of legislation guiding how organisations handle personal data. At its core, POPIA ensures that people’s privacy and dignity are respected in the digital age. But what exactly counts as “personal information”? In this article, we will explore more about POPIA and how it affects individuals and companies too.

Defining Personal Information

POPIA takes a broad view of personal information. It is defined as any information that can identify a living person, or in some cases, a company or other juristic person. This means that personal information is not limited to obvious details like a name or ID number, it extends to a wide range of data points that, alone or combined, could identify someone. To make this definition more practical, here are some of the most common examples of what qualifies as personal information under POPIA:

  • Identity details: names, ID numbers, birthdates, marital status, gender
  • Contact information: phone numbers, email addresses, physical and postal addresses
  • Biometric data: fingerprints, DNA, voice recordings, facial recognition images
  • Employment details: job titles, work history, salary information
  • Education records: qualifications, student numbers, academic performance
  • Financial details: bank accounts, credit history, insurance records
  • Online identifiers: IP addresses, geolocation, cookies, and social media handles
  • Personal opinions or beliefs: political views, religious affiliation, lifestyle choices

Special Personal Information

POPIA sets aside an additional category called “special personal information”. Because this type of data is highly sensitive, it receives stricter protection. Special personal information includes:

  • Race or ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Health and medical records
  • Biometric information (such as DNA or fingerprints)
  • Criminal behaviour or records
  • Trade union membership

The law only allows organisations to process this type of information under very limited circumstances, such as when the data subject gives explicit consent, or when processing is required by law.

Does POPIA Apply to Companies Too?

Uniquely, South Africa’s POPIA extends its protection to juristic persons, such as companies, trusts, or close corporations. This means that details like a company’s registration number, financial data, or trade secrets also fall under the Act.

Why Does POPIA Matter?

Understanding what qualifies as personal information is essential for any business or professional who collects or processes client data. POPIA places clear obligations on how this information must be handled. First, it must be collected for a lawful and specific purpose i.e businesses cannot gather personal details without a legitimate reason. Once collected, the data must be processed fairly and securely, with appropriate safeguards in place to prevent loss, unauthorised access, or misuse. Personal information also cannot be retained indefinitely; it should only be kept for as long as necessary to fulfil the purpose for which it was obtained. Finally, the information may generally not be repurposed or used in ways that go beyond the original reason for collection.

Failure to comply with these requirements does more than risk regulatory penalties or legal action. It also erodes trust, damaging the confidence that clients, customers, and the public place in a business. In today’s digital environment, where reputational integrity is as valuable as compliance, protecting personal information is not just a legal obligation, it is a cornerstone of responsible business practice.

Final Thoughts on POPIA

POPIA recognises that privacy is a constitutional right in South Africa. By clearly defining what qualifies as personal information and setting standards for how it must be handled, the Act empowers individuals and holds organisations accountable.

Whether you’re collecting email addresses, storing customer details, or handling employee records, the message is clear: treat personal information with care, security, and respect. If you are unclear or need any assistance regarding POPIA, get in touch with our legal team.