
POPIA Section 71 and Automated Decision-Making: What Counts, What's Required

Section 71 of POPIA is the section that catches AI workflows. It governs decisions made 'solely on the basis of the automated processing of personal information' — and it gives the data subject the right to refuse them. Information Officers in 2026 cannot afford to misread it.

Section 71 is the cornerstone POPIA provision for artificial intelligence in South Africa. Most Information Officers can recite §19 (security safeguards) and §22 (breach notification) without checking the Act. Far fewer have audited their organisation’s exposure to §71 — and yet, in 2026, §71 is where the regulatory risk is concentrating. The Information Regulator has not yet issued AI-specific guidance, so §71 is doing the heavy lifting for every automated decision a South African responsible party makes about a customer, employee, applicant or patient.

What Section 71 actually says

Section 71 prohibits a data subject from being subject to a decision that has “legal consequences” or that “substantially affects” them where that decision is “based solely on the basis of the automated processing of personal information intended to provide a profile” of the person — including profiles of performance, credit worthiness, reliability, location, health, preferences or conduct.

There are carve-outs. A solely-automated decision is permitted where it is taken in connection with the conclusion or execution of a contract, or where it is authorised by law or code of conduct — provided that appropriate safeguards exist. Those safeguards are not optional. The data subject must be able to make representations against the decision, and the responsible party must provide sufficient information about the underlying logic. The carve-outs are narrow; the safeguards are real.

What counts — typical AI use cases that trigger §71

  1. Credit scoring by financial institutions and lenders. This is the canonical §71 case. An automated affordability or scorecard decision determines whether a loan, credit facility or store account is granted. It has clear legal consequences and substantially affects the data subject. Meaningful human review would require a credit analyst with discretion to override the model, visibility of the input variables, and authority to vary terms or request additional evidence — not simply signing off the model’s output.

  2. Claims triage at insurers. Models that auto-approve or auto-decline claims, or that route claims for investigation, fall squarely within §71 where the output produces or denies a payment. A claims handler who reviews only flagged cases does not bring the auto-approved bucket back inside the safeguard — every individual decision must have human discretion available.

  3. Fraud flagging and account blocking in banking and fintech. Real-time models that freeze accounts, decline transactions or place holds on funds substantially affect the data subject — sometimes within seconds. Banks routinely argue these are contract-performance carve-outs, but §71’s safeguards still apply: the customer must be able to make representations and be told, at a meaningful level, why the system acted.

  4. Hiring screens that auto-reject CVs without human review. Applicant-tracking-system filters and CV-screening models that remove candidates from a pipeline before a recruiter sees them are §71 decisions. The affected person is a job applicant, the decision is “solely automated”, and it substantially affects them. Meaningful human review means a recruiter who actually sees the rejected candidates’ material and can reinstate them.

  5. Educational placement decisions driven by AI. Where institutions use models to allocate students to courses, streams or interventions, §71 applies if the decision is taken without genuine human judgement. A placement panel that signs off model recommendations after reading them — and that has the standing to deviate — sits outside §71. A spreadsheet that auto-populates allocations does not.

  6. Healthcare prior-authorisation decisions made solely by algorithm. Medical-scheme or insurer models that pre-authorise or refuse procedures touch §71 directly. The Health Information Regulations finalised in March 2026 reinforce this: where a clinical or financial decision affecting a patient is made by algorithm, a qualified clinician’s discretion must be in the loop, not behind it.

What “solely automated” means in practice

The Act says “solely”. The Information Regulator’s expected reading of that word, as reflected in its 2026 enforcement signalling, is functional rather than formal — and Information Officers should approach the boundary the same way.

Does a rubber-stamp human review count? No. If the human reviewer is presented with a single “approve” button next to a model recommendation, without the data, the variables or the discretion to depart from it, the decision is in substance still solely automated. Form follows function.

Does sample-based human review for quality control count? Probably not. QC sampling tests the model; it does not give the individual data subject — whose case was not sampled — a human in the loop. The §71 question is asked one decision at a time.

Does a final human sign-off after an AI recommendation count? Yes, if three things are true. The human must have genuine discretion to depart from the recommendation. The human must have visibility of the inputs and outputs at a level that allows judgement. And the human must, in practice, sometimes depart from the recommendation — a 100% concurrence rate over time is evidence that the review is not meaningful.

The Information Regulator has not published an AI-specific code, but its public enforcement posture in 2025 — 1,607 reported breaches in six months, fines against the Department of Basic Education and Lancet Laboratories, the active development of the eServices Portal — indicates that “we had a human reviewer” will not survive scrutiny if the reviewer was never empowered to disagree.

What responsible parties must do to comply

  • Identify every automated decision touching personal information. This is the AI Usage Audit step. Most organisations underestimate it by half. Shadow AI inside marketing, HR and finance is a common discovery.
  • Classify each against §71’s scope. Does the decision have legal consequences or does it substantially affect the data subject? If yes, it is in scope. If no, document why.
  • For in-scope decisions, build meaningful human review into the process. Define what discretion the reviewer has, what information they see, what their override rate is expected to be, and how their performance is monitored. Train the reviewers.
  • Preserve the data subject’s right to refuse the automated decision. Have a documented exception-handling process. The reviewer must be reachable; the process must be timely; the outcome must be recorded.
  • Update privacy notices to disclose the automated processing. Vague references to “we may use technology” do not discharge the §71 logic-disclosure obligation. Describe the decision, the variables and the right to representations.
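The concurrence-rate test in the “solely automated” section and the monitoring step in the list above reduce to one check over a decision log. The following is an added example, not code from the article or from Rhentech: it computes per-reviewer concurrence against the model recommendation, flags reviewers who never depart from it, and lists decisions that had no human in the loop at all. The log fields, the sample records and the thresholds are assumptions.

```python
"""Audit a §71 decision log for rubber-stamp or absent human review.

Added illustration; the record layout below is an assumption, not a
real system's schema. Each record carries the model recommendation, the
final outcome and the reviewer who signed it off (None = no human review).
"""
from collections import defaultdict

# Constructed sample log (not real data).
SAMPLE_LOG = [
    {"id": 1, "model": "decline", "final": "decline", "reviewer": "r1"},
    {"id": 2, "model": "approve", "final": "approve", "reviewer": "r1"},
    {"id": 3, "model": "decline", "final": "decline", "reviewer": "r1"},
    {"id": 4, "model": "decline", "final": "approve", "reviewer": "r2"},
    {"id": 5, "model": "approve", "final": "approve", "reviewer": "r2"},
    {"id": 6, "model": "approve", "final": "approve", "reviewer": None},
    {"id": 7, "model": "decline", "final": "decline", "reviewer": None},
]


def concurrence_rates(log):
    """Per reviewer: (decisions concurring with the model, total reviewed, rate)."""
    counts = defaultdict(lambda: [0, 0])  # reviewer -> [concur, total]
    for rec in log:
        if rec["reviewer"] is None:
            continue  # no human review: handled separately by audit()
        tally = counts[rec["reviewer"]]
        tally[1] += 1
        if rec["final"] == rec["model"]:
            tally[0] += 1
    return {r: (c[0], c[1], c[0] / c[1]) for r, c in counts.items()}


def audit(log, min_cases=3, max_rate=0.95):
    """Findings for the Information Officer.

    solely_automated: decision ids with no reviewer at all (in scope of §71
    unless a carve-out with safeguards applies).
    rubber_stamp_reviewers: reviewers with at least min_cases decisions whose
    concurrence rate exceeds max_rate, i.e. review that is never exercised.
    Thresholds are assumed values; set them per the organisation's policy.
    """
    no_review = [rec["id"] for rec in log if rec["reviewer"] is None]
    stamps = [r for r, (_, n, rate) in concurrence_rates(log).items()
              if n >= min_cases and rate > max_rate]
    return {"solely_automated": no_review, "rubber_stamp_reviewers": stamps}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run over a full quarter's log rather than a sample: the point of the check is the concurrence rate over time, not any single decision.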

What §71 audits typically find

Recurring gaps in our audit work:

  • Reviewers who are signing off model outputs with no authority and no training, producing concurrence rates indistinguishable from the model alone.
  • No documented exception-handling process — data subjects who phone in to contest a decision are routed back into the same automated funnel.
  • Privacy notices that disclose data collection but omit the automated processing entirely.
  • AI use cases inside HR, marketing and finance that the Information Officer was unaware of and that have never been mapped to §71.
  • Operator agreements (with third-party model vendors) that do not contain the §71 safeguard obligations the responsible party is on the hook for.

How Rhentech helps

Our AI Governance and Compliance engagements map §71 exposure across every AI use case in the organisation. We start with an AI Usage Audit — shadow AI included — classify each decision against §71’s scope, design and document the human-review controls, train the reviewers, and put ongoing oversight in place so the Information Officer is not finding out about a new model the month before the Regulator does.

Section 71 will not be the last word the Information Regulator says on artificial intelligence. It is, however, the law right now, and it is enforceable. Getting it right in 2026 is the difference between a defensible compliance position and a public enforcement notice.

Book a free initial consultation to discuss your organisation’s §71 exposure and what a structured AI governance programme would cover.

This article is for informational purposes. It does not constitute legal advice.
