Special categories & people

Special personal information: prohibited — then permitted

Sections 26–27 start from prohibition but open six gateways; consent is only one of them.

Published Last reviewed 8 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
For special personal information — religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour — POPIA inverts its usual structure: section 26 prohibits processing, subject to section 27’s gateways. Even here consent is only one gateway among six; the rights-and-obligations gateway (s 27(1)(b)) carries sick notes, insurance claims and disciplinary records, and sections 28–33 add sector authorisations.

On this page

What counts as special personal information?

Source — the actual words

“A responsible party may, subject to section 27, not process personal information concerning— (a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or (b) the criminal behaviour of a data subject to the extent that such information relates to— (i) the alleged commission by a data subject of any offence; or (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.”

Protection of Personal Information Act 4 of 2013, s 26(a)–(b)Read it on Dept of JusticePDF

Here — unlike ordinary personal information — the Act does start from prohibition. But it immediately opens gateways, and the structure mirrors section 11: consent is one route among several, not the master key.

The section 27 gateways

Source — the actual words

“(a) processing is carried out with the consent of a data subject...; (b) processing is necessary for the establishment, exercise or defence of a right or obligation in law; (c) processing is necessary to comply with an obligation of international public law; (d) processing is for historical, statistical or research purposes...; (e) information has deliberately been made public by the data subject; or (f) provisions of sections 28 to 33 are, as the case may be, complied with.”

Protection of Personal Information Act 4 of 2013, s 27(1)(a)–(f)Read it on Dept of JusticePDF

Six gateways; any one suffices. The deliberately-made-public gateway (e) matters more than people expect — the activist’s published political affiliation, the influencer’s public health journey. And gateway (f) opens the sector authorisations below.

The workhorse gateway: rights and obligations in law

Section 27(1)(b) — “necessary for the establishment, exercise or defence of a right or obligation in law” — is what allows employers to process the medical certificate for sick leave, insurers to assess a disability claim, and attorneys to handle the criminal record in a dismissal dispute. The pattern: where the special information is the evidence a legal right or duty turns on, processing it is permitted — proportionately, securely, and only as far as the right requires. It is the special-information cousin of the court-proceedings accommodations in the general sharing rules.

The sector authorisations: sections 28–33

Parliament then handled the predictable contexts expressly: churches and their members’ beliefs (s 28), race data for employment-equity and B-BBEE compliance (s 29(b)), trade unions and membership (s 30), political parties (s 31), health information for treatment, schemes and employers (s 32), and criminal records and biometrics obtained in accordance with the law (s 33). Note the deliberate contrast: for churches, unions and parties, supplying member information to third parties does require consent (ss 28(3), 30(2), 31(2)) — the targeted consent-only rules that prove ordinary information never had one. Children’s information has its own parallel regime in sections 34–35.

Frequently asked questions

Is a photograph of a person special personal information?

Not automatically. A photo can reveal race and, processed for identification, can be biometric information — context decides. Ordinary CCTV for security is analysed under the general conditions; facial-recognition systems squarely engage the biometric category.

May an employer record employees’ religion for leave purposes?

Granting religious-holiday leave an employee requested fits the rights-and-obligations gateway (s 27(1)(b)) — the employee is exercising a right and the employer administering it. Recording religion beyond that need fails minimality.

Can I process race data for B-BBEE and employment equity?

Yes — section 29(b) authorises processing of race or ethnic origin where it complies with laws designed to protect or advance persons disadvantaged by unfair discrimination, which is exactly what EE and B-BBEE reporting is.

Does special information need the Regulator’s permission?

Generally no — the gateways operate by law. The exceptions: transferring special or children’s information to a country without adequate protection triggers prior authorisation (s 57(1)(d)), and processing criminal-conduct information on behalf of third parties is a s 57 trigger too.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Special categories & people

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub