A guide to the Protection of Personal Information Act

September 30th, 2015

By Elizabeth de Stadler and Paul Esselaar

Cape Town: Juta

(2015) 1st edition

Price: R 250 (incl VAT)

178 pages (soft cover)

In the last years of the 20th century, as we took our first uncertain steps into the information society in which we live today, data protection legislation was the initial jurisprudential effort to address the potential abuses heralded by computers to the privacy of our information. Accelerated exponentially by the advent of the Internet and cellular technologies, the very rapidly developing jurisprudence facilitating the protection of the fundamental human right of privacy has been the cornerstone in shaping law relating to novel applications of technology in the 21st century. In South Africa, the recognition of privacy as a fundamental human right was enshrined in our Constitution in 1996. Regrettably, the mechanisms for the protection of this constitutional right would only become a reality 20 years thereafter, with the likely commencement of the Protection of Personal Information Act 4 of 2013 (POPI) in 2016.

Consistent with the lamentable reticence to embrace technology as part of their daily lives and therefore our law, South African lawyers have generally taken the enactment of POPI extremely lightly. With very few exceptions, South African lawyers are not properly equipped to deal with the enormous impact that the Act will have on their own practices, let alone advice that they may be required to provide to clients. It is against this background that the publication of the first book on POPI is to be welcomed.

The authors are to be congratulated on providing a concise and easy to read explanation of POPI, which addresses numerous key points and frequently asked questions relating to the processing of personal information. Their explanations of the law are also supplemented by ‘rules of thumb’ that are helpful in establishing some of the essential actions to be taken in complying with POPI and alerting readers to provisions of POPI that may be unclear and potentially in conflict with existing law.

In addition, the authors have provided useful references to guidelines and other information published in jurisdictions that are more mature than South Africa in protecting personal information. This is important as it can be confidently predicted that the Information Regulator will take into account the constitutional imperative to consider and, where appropriate, apply laws developed in other jurisdictions. In many instances lawyers will be well advised to consider the detailed guidelines and approaches taken in other jurisdictions to the processing of personal information.

Due to the dynamic nature of the protection of personal information, the rapid rate at which technologies disrupt current concepts of processing of information and the development of novel legal concepts (such as ‘Do not track’, ‘The right to be forgotten’ and the right not to be subject to geolocational surveillance), as well as the rulings that can be expected from the regulator, it will be necessary for the authors to revise the publication regularly if it is to remain relevant. In doing so the authors are encouraged to address the importance of information security in the protection of privacy of information. Information security has developed as a direct response to data protection legislation in those countries that took the initial steps in this direction some 30 years ago. It is a discipline that is not confined to technologists, and the development of the discipline has been a collaborative effort between technologists, lawyers and other subject experts. Therefore, while the authors indicate the importance of collaboration with technologists in a useful annexure to their commentary entitled ‘POPI checklist’, it must be recognised that addressing the information security issues will be critical to the achievement of compliance with POPI. Further, if responsible parties are serious about the protection of personal information, they will have to develop information security skills as a core competency within their organisations. These changes will, as the authors have emphasised, require ongoing training.

This book is a must read for all lawyers. Our professional duty to protect the confidentiality of client information is identical in principle to the protection of personal information. Unfortunately, the safeguards developed for paper and text have little or no application in electronic communications and records. Commentaries on the subject make the point that the protection of the privacy of information is impossible without information security.

It is also a book that should be recommended by lawyers to their clients. While lawyers can assist clients in identifying and addressing their compliance obligations, it is the processors of personal information themselves that have to develop the appropriate safeguards for the protection of information.

From an educational perspective the book provides material not only for businesses but also for those universities that are seeking to introduce information and communications technology law in general, and the protection of personal information in particular, into their curricula, in preparing our future lawyers for the realities of the 21st century.

Mark Heyink BA LLB (Wits) HDip Company Law (Wits) is an attorney at Mark Heyink Information Attorney in Johannesburg.

This article was first published in De Rebus in 2015 (Oct) DR 60.