By Manie Bezuidenhout

The enactment of the Protection of Personal Information Bill (B9B of 2009) (POPI) is imminent and is expected to become effective in early 2013. The draft Bill has been approved by both the Justice Portfolio Committee and the National Assembly, and has been placed on the order paper of the National Council of Provinces (NCOP) as s 75 (of the Constitution)–type legislation.

Parties who will be directly affected early on by the requirements of the legislation include law practices that serve on financial institutions’ legal panels for conveyancing, litigation, collection and other services as third party service providers, as well as those who process personal information of clients of these institutions.

As these financial institutions will need to comply with the requirements of the new legislation when it becomes effective, they will require compliance from their third party service providers who will be affected by the legislation, including law practices.

In view of this, it is expected that law practices currently serving on panels of financial institutions, or which intend to apply for placement on these panels, will be required to comply with the legislation’s requirements.

As far as I am aware, only one of the major financial institutions in South Africa has started assessing the level of compliance of those on their legal panels. It is expected that others will soon follow, which may result in a pressurised situation for law practices to become compliant in the prescribed period in order to retain their engagements or to obtain further assignments.

It can also be expected that these institutions will send out gap assessment questionnaires to establish the level of compliance in respect of information protection requirements in the near future, and may possibly audit the level of compliance required.

Compliance, however, will not be limited to legal panels as the legislation will apply to any institution, entity or body that processes and stores personal information, such as legal practices in general, insurance companies, schools, hospitals, debt counsellors and estate agents.

Becoming compliant

The process of becoming fully compliant will be a time-consuming and costly exercise that will have a significant impact on, inter alia, the following:

• Legal and compliance management.
• Human resources management.
• Information governance.
• Information security.
• Records management.
• Business continuation planning.
• Third party service provider management.

A basic overview of the compliance and implementation process will include, but is not limited to, the following:

• Conducting a privacy gap analysis (also referred to as a privacy impact assessment).
• Designing or obtaining all the required data privacy and information security policy and related documentation if not already in place.
• Updating and/or aligning the policy with other related legislation, personnel policy, business continuation plans, e-mail and acceptable use policies, breach of information security events reports, protection of personal information agreements, etcetera.
• Implementation of the abovementioned policies, agreements and procedures, inclusive of relevant training and awareness interventions.
• Assignment and registration of the prescribed information officer and deputy information officers (where applicable) with the information regulator after implementation of the legislation, etcetera.

The above may place pressure on the budget, time and manpower of a law practice. It is thus recommended that legal practitioners on banking panels initiate the process to become compliant as soon as possible to avoid a pressurised rush for compliance against deadlines once the requirements of the new Act become effective.

There also appears to be a rather dangerous perception by some law firms that they can wait until prompted by a financial institution or body like the statutory law society to initiate the compliance process. This can prove to be costly or even disastrous for a company that is found to be in violation of the prescriptions after enactment of the new legislation. It is not the responsibility of any outside agency to instruct or notify any party to comply with the new legislation.

It must be kept in mind that compliance will been enforced by an information regulator (see s 39 of the Bill), which will have far-reaching powers. It will not be the role of financial institutions or any other body to enforce this compliance.

In addition, accountability will not be limited to the size of an organisation. The awareness and insight of current day consumers and clients should not be underestimated given the civil remedies available to them under the legislation.

Penalties for non-compliance

The legislation provides for the following penalties, in ss 99, 107, 108 and 109, for non-compliance after the initial grace period:

• 12 months’ to ten years’ imprisonment.
• Up to R 10 million fine.
• Civil remedies.

The consequences of non-compliance with the legislation are thus severe and must be viewed from a regulatory, as well as from a reputational, perspective.

The new legislation and its impact on timelines should not be underestimated as it provides for an initial 12-month grace period, which may be extended by the Justice Minister after consultation with the information regulator.

The complicated process from implementation of the new legislation to full compliance may take longer than 12 months, depending on an organisation’s current state of information security. The Bill also provides for the issuing of various industry codes that will have an effect on specific industry requirements that will need to be adhered to where applicable.

Other obligations

A further requirement under s 19 of the Bill stipulates that:

‘(1)    A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent –

(a)     loss of, damage to or unauthorised destruction of personal information; and

(b)     unlawful access to or processing of personal information.

(2)     In order to give effect to subsection (1), the responsible party must take reasonable measures to –

(a)     identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b)     establish and maintain appropriate safeguards against the risks identified;

(c)     regularly verify that the safeguards are effectively implemented; and

(d)     ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

(3)     The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.’

These requirements point to more technical requirements that must be adopted and implemented along guidelines and principles that may be found in related ISO/South African National Standards and generally accepted privacy principles.

From a business perspective, organisations that achieve early compliance with the new legislation will have a distinct competitive advantage. Enlightened clients or other business prospects may also require compliance after implementation of the new legislation before engaging parties to handle their affairs or to retain existing business.

Conclusion

Information protection legislation is imminent in the near future and compliance with its requirements is unavoidable.

Companies and other parties affected by the new legislation are advised to initiate the compliance process as soon as possible and ideally should not wait for pressure from an institution such as a bank to adhere to the requirements of the legislation.

Manie Bezuidenhout Dip CIS (Real Estate College, Johannesburg) is a compliance consultant in Centurion.

This article was first published in De Rebus in 2013 (Jan/Feb) DR 40.