Is it an offence to access data that is freely available on the Internet? Many of us would think that it isn’t if the data is accessible to the public. Can a person use public data (that may include public personal information) that they collect from an unprotected IT system?
“Fraudulent” access to an IT system
Just because data is publicly available does not mean that a person can do anything with it. There are limits and conditions that they must comply with. There are also obligations on the body (public or private) that makes data publically available to protect it.
Cybercrimes under the ECT Act
If a person accesses public data, they may be committing a cyber crime under the Electronic Communications and Transactions Act 2002 (ECT Act). The cyber crimes set out in ECT Act give us more insight into the current position in South Africa. In terms of this Act “access” to data would include cases where individuals are aware that they are not authorised to access the data, but continue to use it. The continued use of the data for unauthorised purposes is also a punishable offence even if you had the authority to access the information.
R v Douvenga
One of the first cyber crime cases that tested the ECT Act was the case of R v Douvenga (Die Staat v M Douvenga (nee Du Plessis) (District Court of the Northern Transvaal, Pretoria, case no 111/150/2003,19 August 2003, unreported) in 2003. It relates to private personal information processed by a private body but is still interesting. In the case, the court had to determine whether the accused was in contravention of Section 86(1) of the ECT Act.
The court found her guilty as she had sent data to her fiancé to ‘keep’. The accused was aware that the information that she had transferred to another computer was from a confidential database, which she had obtained without authorisation. This act could have cost the company major losses yet she was only fined R1,000 or sentenced to three months imprisonment. The sanction given appears to be low considering the risk that the company had been exposed to due to her actions. Courts in various jurisdictions have issued fines for similar acts, but all of them have the same trend of issuing fines that are by far too low.
An example of failing to protect personal information
The City of Johannesburg made headlines last year after invoices were freely accessible on their website exposing personal information of thousands of people to the general public. Anyone could go onto the site and open invoices containing personal information, which included account numbers. Once the City was informed of the breach, the vulnerability was closed in an attempt to prevent any further unauthorised access. But by the time the site was closed and the problem fixed, information had already been seen by unauthorised persons. Data that was held by a public body became publicly available.
Surely, someone must be held responsible in cases like these. A person will find public data while surfing the net that does not require them to have authorisation to access it. They might think that they cannot possibly be guilty of an offence for using information that is freely available by public bodies. This is not always the case. It can be an offence both by the person accessing it and the person who did not protect access to it.
Does POPIA apply to public bodies? Does POPIA apply to public personal information?
Data privacy laws in South Africa have undergone many changes and one of the significant events is the Protection of Personal Information Act (POPI Act), which was assented to by the President in November 2013. POPI will bring about many changes in the field of data protection and the personal information of people will be much more regulated.
Public bodies must protect the personal information they process
Public bodies are responsible parties in terms of POPI and they must process the information of their data subjects correctly. The information processed by public bodies may be available on the Internet, but they will have a duty in terms of POPI to do what is reasonably practicable to protect the information of their data subjects. The responsible party may be liable for breaches, that they could have prevented.
POPI has been enacted in an attempt to protect the personal information of all vulnerable data subjects. In some cases, personal information has been freely available which exposed data subjects to serious consequences. The City of Johannesburg may have faced serious sanctions had POPI been in force at the time of their breach.
People using public data must do it lawfully
Accessing data that is freely available on the Internet and using it for your own purposes may be an offence if you do not do it lawfully in accordance with the conditions of POPI. Just because personal information is publicly available does not mean it is fair game. If you use data without a specific purpose, chances are you are accessing the information unlawfully. The use of information that is publicly available for your own purposes may result in an offence.
Those responsible for public data must protect it
Once POPI comes into operation, the parties processing the data of persons will need to be more conscious of how they process data. There will no longer be room to avoid liability if you fail to protect personal information of your data subjects. Responsible parties will have to do what is reasonably practicable to protect the personal information that they possess even if the information is publicly available.