Sharing personal information lawfully: the three checks

Sharing is just processing. Ground, compatibility, conditions — the three-question test every disclosure must pass.

Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer
POPIA has no separate, stricter rule for sharing — disclosure is simply “processing”. Every disclosure question reduces to three checks: (1) does a section 11 ground cover this disclosure — often the legitimate interests of the recipient; (2) is it compatible with the purpose of collection under section 15, or deemed compatible; and (3) are the conditions met — share only what’s needed, mention recipient categories in your privacy notice, and protect the information in transit.

There is no stricter rule for sharing

The myth

You may not share personal information with anybody.

What the law actually allows

Sharing is just one form of “processing”, and it is lawful whenever a section 11 ground applies and the other conditions are met. POPIA regulates sharing; it does not ban it.

What the Act actually says

“(b) dissemination by means of transmission, distribution or making available in any other form;”

Protection of Personal Information Act 4 of 2013, s 1, definition of “processing”, para (b)

The three checks every disclosure must pass

  1. Ground

    Does a section 11 ground cover this disclosure? Often it is s 11(1)(f): the legitimate interests of the recipient — the subsection expressly contemplates “a third party to whom the information is supplied”.

  2. Compatibility

    Is the disclosure compatible with the purpose of collection (s 15), or deemed compatible by s 15(3)? See the next section.

  3. Conditions

    Minimality (share only what’s needed), openness (your privacy notice should mention categories of recipients — s 18(1)(h)(i)), and safeguards in transit.

Further processing and deemed compatibility

Section 15 requires new uses of existing information to be “in accordance or compatible with the purpose for which it was collected”, assessed on the relationship between the purposes, the nature of the information, the consequences for the data subject, how it was collected, and contractual rights (s 15(2)). Section 15(3) then deems certain further processing compatible:

Source — the actual words

...where the information comes from a public record; where it is “necessary... for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated”; to avoid prejudice to law enforcement; to comply with a legal obligation; or to “prevent or mitigate a serious and imminent threat to public health or public safety; or the life or health of the data subject or another individual.”

Note — Handing a defaulting debtor’s file to your attorney is textbook deemed-compatible further processing under s 15(3)(c)(iii).

Protection of Personal Information Act 4 of 2013, s 15(3) (extracts)

The worked examples

Each everyday sharing scenario has its own guide applying the three checks:

Where Parliament did write consent-only sharing rules

One wrinkle proves the structure. For a few categories of special personal information, the Act imposes specific third-party limits: religious organisations (s 28(3)), trade unions (s 30(2)) and political institutions (s 31(2)) “may not” supply members’ relevant information “to third parties without the consent of the data subject”. Those are targeted rules for sensitive contexts — proof that when Parliament wanted a consent-only sharing rule, it said so expressly. It did not say so for ordinary personal information.

Frequently asked questions

Is sharing personal information stricter than collecting it?

No. Sharing is one form of "processing" — the definition expressly includes dissemination. The same six lawful grounds and eight conditions govern it; there is no separate consent requirement for disclosure.

Do I need the data subject’s consent to share their information with my attorney or auditor?

No. Disclosure to professional advisers pursues your legitimate interests (s 11(1)(f)), and disclosure for court or tribunal proceedings is expressly accommodated (ss 12(2)(d)(iii), 15(3)(c)(iii)).

What must my privacy notice say about sharing?

Section 18(1)(h)(i) expects the notice to mention recipients or categories of recipients — "operators and service providers, professional advisers, collection agents, regulators where required by law" is the usual shape.

When is sharing genuinely unlawful?

When no ground covers it and no compatibility exists — the textbook case is disclosing your customer database to an unrelated marketer. Targeted consent-only rules also exist for religious organisations, trade unions and political parties sharing member information.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
