Greater information protection on its way

July 1st, 2012

By Nomfundo Manyathi

On 17 May 2012 PricewaterhouseCoopers (PWC) held a media briefing in Johannesburg to discuss the Protection of Personal Information Bill (B9 of 2009), which is likely to be passed later this year.

Associate director in the technology team of PWC’s advisory division, Russell Opland, said that the Bill was introduced in 2009, with the final draft meeting of the Bill having taken place on 29 March 2012.

He said that the Bill was South Africa’s first effort at privacy legislation and that its purposes include giving effect to the constitutional right to privacy and regulating the manner in which personal information is processed.

He added that the Bill applied to natural persons and juristic or legal entities, and would affect all areas of business.

Mr Opland said that the seventh (and final) working draft of the Bill would be submitted to the Portfolio Committee on Justice and Constitutional Development soon. He said that once it was approved by the committee, the remaining legislative process was likely to take three to four months, and then a one-year implementation period would be allocated. However, he said that stakeholders envisioned the implementation would take longer than a year.

He added that it was anticipated that the Bill would be submitted to President Jacob Zuma for signature in the second half of 2012.

In terms of the content of the Bill, Mr Opland said that the definition of ‘personal information’ in the Bill was very broad, adding that he believed it was going to be challenging for businesses to know what to protect and what not to protect as personal information.

The current definition of ‘personal information’ in the Bill reads ‘information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including but not limited to –

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
  • the blood type or any other biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.’

Mr Opland said that the Office of the Information Protection Regulator (the regulator), which will be set up once the Bill is passed into law, will actively monitor and enforce the legislation.

He said that the regulator will have far-reaching powers to carry out inspections and investigations at businesses, to request companies and other organisations to produce documentation, and to interview directors and employees to ensure compliance with the new law. He added that the regulator also had the power to authorise certain exemptions from the Bill’s provisions.

Mr Opland highlighted aspects of the Bill that he deemed to be of paramount importance. These included:

  • Enforcement provisions, which include criminal penalties of fines up to R10 million and prison sentences up to ten years. Enforcement notices could also be issued, which can include requiring the organisation to stop processing personal information. He said that the scope of the order could vary from one individual’s information to all personal information being processed.
  • The Bill prohibits organisations from collecting and processing information relating to children without their parents’ consent, unless approved by the regulator or required by law. Mr Opland added that the definition of a ‘child’ still needed to be finalised in the Bill and that the two options under consideration were a person under the age of 18 or under 13 years. He said that the Act, once passed, was intended to give parents control over sensitive and private information collected from their children, including how it is used or shared.

Mr Opland said that, in terms of the Bill, individuals will have the right to know why their information is being collected and the purposes for which it will be used. He added that individuals will be able to object, on reasonable grounds, to the use of their information.

Individuals will also be able to inquire whether an organisation, such as a bank, holds information about them, to view and correct that information and to ask for it to be deleted.

Mr Opland said that organisations will be obliged to collect and use the minimum information necessary to accomplish their objectives, to maintain such information accurately, to safeguard personal information and to delete or destroy information when it is no longer needed. He added that organisations will be required to notify a person and the regulator of any compromises of their personal information such as loss, theft, unauthorised access or disclosure, and any hacking incidents. Mr Opland said that information in the public domain, such as on blogs, will not be protected by the Bill as it is deemed to be ‘public information’.

Mr Opland said that the Bill also stated that if information is collected for a specific purpose, it cannot be used for a different purpose. For example, if a customer’s mobile phone number is collected by an organisation as part of a transaction, the organisation cannot use that mobile phone number to send the customer text messages to promote the organisation’s goods or services as that would constitute a change of purpose. All organisations will be required to inform the regulator that they are processing personal information and why they are doing so. They will also be required to state what they will do with the information.

He concluded by saying that cases dealing with access to information under the Promotion of Access to Information Act 2 of 2000 (the Act) would be impacted by the enactment of the Bill because the Act focuses on the free flow of information.

Mr Opland said that the regulator will have supervisory powers in respect of both the Protection of Personal Information Bill and the Promotion of Access to Information Act.

Mr Opland told De Rebus that, once enacted, the legislation would affect attorneys in that they would have to be more stringent with the protection of their physical and electronic information.

‘For example, if you go to the magistrates’ courts, in the hallways you will find open pigeon hole boxes where attorneys place case files on which you can see people’s names. They will not be able to do that anymore. You cannot leave people’s personal information out there in the open where anyone can walk by and help themselves to it,’ he said.

Nomfundo Manyathi

This article was first published in De Rebus in 2012 (July) DR 13.