What impact will the new privacy bill have on my business?

  • the way you manage information: in terms of the the Protection of Personal Information Bill (“POPI”), you will now have to classify what information you hold constitutes “personal information” (PI). King 3 also requires  companies to identify what “records” and “sensitive” information they hold. You can therefore ‘kill three birds with one stone’  when doing a PI classification.  There will be different handling criteria for PI and non PI.
  • you will have to notify third parties of breaches of their personal info due to a privacy breach.
  • If you want more information on how POPI will affect you, read here and attend one of our webinars.

When will the new privacy bill be promulgated?

Sometime during 2010.

Are there other South Africa legislation that regulates privacy in South Africa?

It is envisaged that POPI will be the primary legislation dealing with the protection of information. This does not mean that it will necessarily be the only one. However, any other Act will have to comply with the principles set out in POPI. Existing legislation will therefore have to be amended (a huge number of Acts will have to be dealt with in consequential amendments when POPI is enacted) to ensure compatibility and any new legislation will have to comply from the start. According to the SA Law Commission which drafted POPI, the following is envisaged in respect of the most important pieces of legislation that has been  identified: The privacy provisions in the Electronic Communications and Transactions Act will fall away in instances of duplication. Sections in the Promotion of Access to Information Act dealing with a person’s own personal information (as opposed to third party information and general information) will fall away and be dealt with in POPI. The National Credit Act (“NCA”) and the Consumer Protection Act (“CPA”) will have to be amended to comply with all the privacy principles or the sections dealing with privacy removed and dealt with in POPI. An arrangement to this effect is already in place with the DTI in so far as the NCA is concerned (the NCA was enacted before the PPI draft was available) and consultation regarding the CPB will still have to take place.

How is sensitive information like a persons “race” protected through the new privacy bill when it is required to submit this information for employment equity purposes?

“Protected” is misleading. If it constitutes “personal information” it has to be processed ito PPI

How should personal information be protected by organisations?

  • First, conduct a privacy impact assessment;
  • Secondly, develop an inward facing privacy policy in place describing how the company deals with employee, company and third party PI;
  • Thirdly, develop an outward facing privacy policy on your website describing how the company deals with 3rd party PI it collect through the website;
  • Fourthly, put appropriate technology in place to protect PI.

What is the difference between privacy and security?

Information security is distinct from the concept of privacy, although the two concepts often overlap. “Privacy” involves the protection of a person’s personal information by inter alia limiting the amount and kind of personal information gathered, notifying the person of the ways in which the person’s information is used or disclosed, obtaining the person’s consent to such use and disclosure and providing means for a person to review and update his own personal information. The concept of privacy also entails that a person’s private information will be kept secure against loss, theft, modification, unauthorised access, use or disclosure. Because the concept of privacy therefore encompasses security, but not vice versa, it is possible to have security without privacy. However, it is not possible to have privacy without security. Privacy is therefore broader than security. There is however a considerable overlap between privacy compliance and security obligations.

How much would it cost to ensure compliance with POPI? One has to factor in the cost of:

  • privacy impact assessment;
  • the identification of PI;
  • drafting and implementation of policies, training and technology.

What type of organisations will be affected most by the privacy bill?

All companies, but in particular companies that deal with a lot of sensitive PI such as banks, insurance companies and other companies in the financial services sector and companies that deal with medical information: medical aids etc…