popi_compliance_monitoring

Overview

  • You can rely on this lawful basis if you need to process personal information:
    • ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
    • to perform a specific duty in the public interest that is set out in law.
  • It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out duties in the public interest.
  • You do not need a specific statutory power to process personal information, but your underlying task, function or power must have a clear basis in law.
  • The processing must be necessary. If you could reasonably perform your duties or exercise your powers in a less intrusive way, this lawful basis does not apply.
  • Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant duty, function or power, and identify its statutory or common law basis.

Briefly

What's needed under POPIA?

The public law duty basis in Section 11(1)(e) must have a clear basis in law.

POPIA is also clear that public authorities cannot rely on legitimate interests for processing carried out in performance of their duties. If you are a public authority, this means you may now need to consider the public law duty basis for more of your processing.

POPIA re-established accountability requirements. You should document your lawful basis so that you can demonstrate that it applies. In particular, you should be able to identify a clear basis in either statute or common law for the relevant task, function or power for which you are using the personal data.

You must also update your privacy notice to include your lawful basis, and communicate this to individuals.

What is the ‘public task’ basis?

Section 11(1)(e) gives you a lawful basis for processing where:

“processing is necessary for the proper performance of a public law duty by a public body”

This can apply if you are either:

  • carrying out a specific task in the public interest which is laid down by law; or
  • exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.

If you can show you are exercising official authority, including use of discretionary powers, there is no additional public interest test. However, you must be able to demonstrate that the processing is ‘necessary’ for that purpose.

‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.

What does ‘laid down by law’ mean?

Section 11(1)(e) requires that the relevant public law duty or authority must be laid down in law. This will most often be a statutory function. 

You will need specific legal authority for the particular processing activity. The overall purpose must be to perform a public law duty or exercise official authority, and that overall task or authority has a sufficiently clear basis in law.

Who can rely on this basis?

Any organisation that is exercising official authority or carrying out a specific duty in the public interest can rely on this basis. The focus is on the nature of the function, not the nature of the organisation.

Example

Private utility companies are likely to be able to rely on the public task basis even if they do not fall within the definition of a public authority. This is because they are considered to be carrying out functions of public administration and they exercise special legal powers to carry out utility services in the public interest.

However, if you are a private sector organisation you are likely to be able to consider the legitimate interests basis as an alternative.

See the main lawful basis page of this guide for more on how to choose the most appropriate basis.

When can we rely on this basis?

The public law duty basis will cover processing necessary for:

  • the administration of justice;
  • parliamentary functions;
  • statutory functions;
  • governmental functions; or
  • activities that support or promote democratic engagement.

However, this is not an exhaustive list. If you have other official non-statutory functions or public interest tasks you can still rely on the public law duty basis, as long as the underlying legal basis for that function or task is clear and foreseeable.

For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.

What else should we consider?

Data subjects’ right to erasure does not apply if you are processing on the basis of public law duty. However, data subjects do have a right to object.  

You should consider an alternative lawful basis if you are not confident that processing is necessary for a relevant task, function or power which is clearly set out in law.

If you are a public authority, your ability to rely on consent or legitimate interests as an alternative basis is more limited, but they may be available in some circumstances. In particular, legitimate interests is still available for processing which falls outside your duties as a public authority. Other lawful bases may also be relevant. 

Remember that POPIA specifically says that further processing for certain purposes should be considered to be compatible with your original purpose. This means that if you originally processed the personal information for a relevant task or function, you do not need a separate lawful basis for any further processing for:

  • archiving purposes in the public interest;
  • scientific research purposes; or
  • statistical purposes.

If you are processing special category information, you also need to identify an additional condition for processing this type of information. 

To help you meet your accountability and transparency obligations, remember to:

  • document your decision that the processing is necessary for you to perform a duty in the public interest or exercise your official authority;
  • identify the relevant duty or authority and its basis in common law or statute; and
  • include basic information about your purposes and lawful basis in your privacy notice.