Sharing personal information

Disclosing to SAPS, SARS and regulators

Where a law obliges you, section 11(1)(c) applies and the disclosure is deemed compatible — ask for the legal basis and record it.

Published Last reviewed 6 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Where a law obliges you to disclose — a SARS request under the Tax Administration Act, a subpoena, a statutory regulator exercising its powers — section 11(1)(c) makes the disclosure lawful and section 15(3)(c)(i)–(ii) deems it compatible with your original purpose. The discipline is procedural: ask for the legal basis of the request, check its scope, disclose what it covers, and record what you gave to whom and why.

On this page

The statutory framework

Two provisions do the work. The ground: section 11(1)(c) — processing that “complies with an obligation imposed by law on the responsible party”. And compatibility — section 15(3)(c) deems further processing compatible where it is necessary:

Source — the actual words

“to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences ... to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997”

Protection of Personal Information Act 4 of 2013, s 15(3)(c)(i)–(ii)Read it on Dept of JusticePDF

Together they mean a lawful demand from SAPS, SARS, the FIC, a professional regulator or a court does not put you in breach of POPIA — refusing it is what creates legal jeopardy.

How to vet a request before disclosing

Four steps, every time. Basis — ask which statutory power or court process underlies the request; a genuine official request always has one (a warrant, a s 46 TAA notice, a subpoena). Scope — read what it actually covers; disclose that, not your whole file (minimality survives even legal obligation). Verify — confirm the requester is who they claim to be, through official channels, before sending anything. Record — log the request, the basis, what you disclosed and when. The record is what proves accountability (s 8) if the disclosure is ever challenged from either direction.

Informal requests and tip-offs

An investigator’s phone call asking you to “just send the customer’s details” carries no section 11(1)(c) obligation — there is no obligation without a legal power exercised in proper form. That does not always make disclosure unlawful: volunteering information to prevent or investigate crime can rest on legitimate interests and the law-enforcement compatibility ground, judged on the seriousness and urgency. But it is a choice you must be able to justify, not a demand you must obey — and the SAPS Krugersdorp matter shows the Regulator polices over-sharing in the name of policing (see when POPIA applies).

Litigation and discovery

Court process is expressly accommodated at both ends of the information lifecycle: collection from other sources is excepted where necessary for “the conduct of proceedings in any court or tribunal” (s 12(2)(d)(iii)), and further processing for commenced or reasonably contemplated proceedings is deemed compatible (s 15(3)(c)(iii)). Discovery, subpoenas duces tecum, and briefing counsel all proceed without data-subject consent — POPIA was never intended to be a litigation shield. See also debt collection, the everyday version of the same rules.

Frequently asked questions

Must I hand client information to SAPS when asked?

When the request rests on a legal power — a warrant, a subpoena, a statutory demand — yes, within its scope. An informal "please send us everything" carries no obligation; ask for the legal basis first.

Does answering a SARS request breach my client’s privacy?

No. Disclosure under the Tax Administration Act’s information-gathering powers is processing that complies with an obligation imposed by law (s 11(1)(c)) and is deemed-compatible further processing (s 15(3)(c)).

Should I tell the data subject about the disclosure?

Often you may; sometimes you must not. Section 18(4) excepts notification where it would prejudice law enforcement. Where no such prejudice exists, transparency is the default posture.

What should the disclosure record contain?

Who asked, under what legal power, what was disclosed, when, and who approved it. The record is your accountability evidence (s 8) if the disclosure is ever questioned.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Sharing personal information

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub