Special Personal Information Under POPIA: What the Section 26 Rules Mean for Your Business
If your business collects health records, biometric data, criminal histories, or information about employees' religious beliefs or trade union membership, POPIA places you in a higher-risk category. Two sections of the Act — section 26 and section 27 — set out a stricter regime for this category of data. Understanding how the Information Regulator interprets these provisions is an important step in building a compliant operation.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What Counts as "Special Personal Information"?
POPIA draws a clear distinction between ordinary personal information and a narrower category it calls *special personal information*. Section 26 lists the categories that attract the higher standard. They are:
- Religious or philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion
- Health or sex life
- Biometric information (fingerprints, facial geometry, voice prints, and similar unique biological identifiers)
- Criminal behaviour — including alleged offences, proceedings, and sentences
For South African SMEs, the categories most likely to come up in day-to-day operations are health data (think occupational health records, sick-leave documentation, or wellness programmes), biometric data (access-control fingerprint scanners, time-and-attendance systems), and criminal records (background checks during hiring).
---
The Section 26 Prohibition: A Starting Point of "No"
Section 26 of POPIA establishes a general prohibition: a responsible party may not process special personal information. This is deliberately framed as a default ban. The logic is that these categories carry heightened potential for discrimination, stigma, or harm if mishandled. The Information Regulator's published guidance consistently treats this starting position as a firm floor, not a soft suggestion.
In practical terms, this means that before your business processes any of the listed categories, you need to identify a specific ground that lifts the prohibition. Simply having a general lawful basis for processing ordinary personal information (for example, a contract or legitimate interest under section 11) is not, on its own, enough to authorise processing special personal information.
---
Section 27: The Authorised Exceptions
Section 27 lists the limited circumstances under which processing special personal information is nonetheless permitted. These general authorisations include, among others:
- Explicit consent from the data subject. The data subject has consented to the processing. Note that the consent standard here is generally understood to be more demanding than ordinary consent — it needs to be informed, specific, and freely given without coercion.
- Necessity to establish, exercise, or defend a right or obligation in law. For example, processing a criminal record as part of a legally required fit-and-proper assessment.
- Necessity for the proper performance of a public-law duty. This ground applies mainly to public bodies, but some private entities performing statutory functions may also qualify.
- Necessity for medical treatment or the vital interests of the data subject. Health data processed by medical professionals or in genuine emergency situations can fall within this ground.
- Processing by certain institutions. Specific bodies — such as insurance companies operating within relevant legislation, or organisations dealing with criminal behaviour for law-enforcement or justice purposes — may process within defined parameters.
The list in section 27 is exhaustive, not illustrative. If your processing does not fit one of the recognised grounds, the section 26 prohibition stands.
---
Three Common Scenarios and How the Rules Apply
1. Biometric time-and-attendance systems
Many SMEs have installed fingerprint-based clocking systems for workforce management. Because fingerprint data is biometric information, it falls squarely under section 26. The most commonly relied-upon ground for this processing is employee consent under section 27, but the consent must be genuine. Employees who fear job loss if they refuse to enrol may not be giving their consent freely. Businesses in this position should consider whether an alternative (such as a card-based system) can be offered, and should document whatever consent process they use under section 17's record-keeping requirements.
2. Occupational health and wellness data
Health information collected during pre-employment medicals, return-to-work assessments, or workplace wellness days is special personal information. In addition to identifying a section 27 ground, responsible parties are expected to apply the data-minimisation principle: collect only what is necessary for the specific purpose (section 13), retain it only as long as needed (section 14), and restrict access to those who genuinely need it (section 19).
3. Criminal background checks
Screening candidates against criminal records is common in financial services, childcare, and security sectors. Processing this information requires a section 27 ground — typically legal obligation or the necessity to establish a right. Where a sector-specific law (such as FICA, administered by the Financial Intelligence Centre at fic.gov.za) mandates fit-and-proper checks, that legal obligation may provide the authorisation. Outside a clear legal requirement, businesses should be cautious about blanket screening and should take legal advice on their specific circumstances.
---
Practical Steps Your Business Can Take
- Map your data. Identify every process that touches a section 26 category. Many businesses are surprised to discover how many systems — HR platforms, access-control hardware, insurance claim forms — interact with special personal information.
- Document your grounds. For each processing activity involving special personal information, record which section 27 authorisation you rely on and why. This supports your record-of-processing obligations and demonstrates accountability to the Information Regulator.
- Review your consent processes. Where you rely on consent, assess whether it meets the higher standard: specific, informed, and freely given. Generic employment-contract clauses are unlikely to suffice.
- Apply security safeguards. The Information Regulator's guidance makes clear that POPIA's security requirements (reasonable technical and organisational measures) apply with at least equal force to special personal information.
- Appoint or engage your Information Officer. Under POPIA, your Information Officer carries specific duties in relation to compliance. Special personal information processing should be part of their oversight brief.
For authoritative guidance, refer to the Information Regulator's published resources at inforegulator.org.za.
---
A Note on Enforcement
The Information Regulator has the power to investigate complaints, issue enforcement notices, and refer matters for prosecution. Unlawful processing of special personal information — processing that cannot be justified under section 27 — sits among the more serious categories of non-compliance. Businesses should treat section 26 not as a bureaucratic hurdle but as a substantive protection for people who share sensitive data in the context of employment, healthcare, or services.
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation — including whether a particular section 27 ground applies to your processing — consult a qualified attorney.