The eight conditions

Privacy notices under section 18: what you must tell people

A decent privacy notice, available where you collect — what section 18(1) actually requires, and the exceptions.

Published Last reviewed 7 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Section 18(1) requires reasonably practicable steps to make the data subject aware of what is collected, who you are, the purpose, whether supply is voluntary or mandatory, any law requiring it, cross-border transfer intentions, and their rights of access, correction, objection and complaint. In practice: a decent privacy notice, available where you collect information. CCTV compliance is mostly this condition — visible signage saying recording is happening and who is responsible.

On this page

The openness duty

Condition 6 (openness, ss 17–18) has two parts: keep the documentation required under PAIA, and tell people what you are doing with their information. The telling is section 18(1): when personal information is collected, the responsible party must take reasonably practicable steps to make the data subject aware of the matters listed below. “Reasonably practicable” matters — the duty scales to the context, which is why a sign suffices for a camera and a paragraph suffices on a paper form.

What must a privacy notice cover?

The section 18(1) items, in checklist form:

  • What information is being collected (and where collection is not direct, the source)
  • Who you are — the responsible party’s name and address
  • The purpose of the collection
  • Whether supplying the information is voluntary or mandatory
  • The consequences of not providing it
  • Any law requiring or authorising the collection
  • Whether you intend to transfer the information to another country, and the level of protection there
  • Any further relevant information — including the recipients or categories of recipients, and the rights of access, correction, objection and complaint to the Information Regulator

Note item seven: if you use offshore providers, your notice should say so — the cross-border page covers the underlying rules. And naming your categories of recipients (s 18(1)(h)(i)) is what keeps later sharing transparent rather than surprising.

When notification is not required

Section 18(4) lists the exceptions: among others, where the data subject already knows the information, where non-compliance is necessary to avoid prejudice to law enforcement or for the conduct of court proceedings, where compliance would prejudice a lawful purpose of the collection, or where it is not reasonably practicable. The exceptions are practical, not loopholes — “we didn’t feel like telling them” is not on the list.

Notices in practice: websites, forms and cameras

The pattern is the same everywhere: put the notice where the collection happens. A website’s privacy policy linked from every form; a short collection statement on the paper application with the full notice available on request; visible CCTV signage naming the responsible party. Keep it true — a notice promising “we never share your information” while your operators, attorneys and collectors all receive it is an openness failure dressed as one. A practical starting point is the firm’s free South African privacy policy template.

Frequently asked questions

Does my website need a privacy policy under POPIA?

If the site collects personal information — forms, accounts, analytics that identify people — section 18 requires you to make data subjects aware of the section 18(1) items, and a privacy notice on the site is the practical way to do it.

Can one notice cover staff and customers?

It can, but it rarely should: the purposes, grounds, recipients and retention differ. A short customer notice and a separate staff notice are easier to keep true — and a notice that is not true is worse than none.

Does POPIA require cookie banners?

POPIA has no cookie-specific provision. Where cookies or trackers collect personal information, the openness duty applies — disclose the collection and purposes in the notice. Consent enters only where no other lawful ground fits the tracking.

What does CCTV signage need to say?

Enough to make people aware recording is happening and who is responsible for it — the section 18 items scaled to the medium: that the area is under surveillance, by whom, for what purpose, and where to find the full notice.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · The eight conditions

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub