Are you wondering what the implications of the Protection of Personal Information Bill are for you? On the one hand, virtually every organisation processes personal information – it is an important part of business. Up until now, there have been very few laws and regulations that an organisation had to comply with. That is about to change. Organisations will still be able to process personal information, but it will have to be done in accordance with the regulatory environment. What is the regulatory environment?
On the other hand, many people are sick and tired of getting unsolicited calls from call centres to their phone, unsolicited SMSs and emails. What they do want is to be left alone and only to be contacted when they request it. They also want to know that they can sleep safely at night knowing that their various medical conditions are being kept private and that their financial information is being protected. Will their wishes be granted?
We will only know with certainty once the journey we are about to embark on, with the passing of the Protection of Personal Information Bill (POPI) by Cabinet last week, ends with the Bill becoming law and being interpreted by the Information Protection Regulator in rulings that give clear guidance on what is permissible and what is not. Until then, the common-law and constitutional right to privacy will apply.
For many people, it might be too late. For years, in order to buy certain goods or get certain services, people have had to furnish the supplier with some of their personal information (“PI”), usually their name, address, contact numbers, email address and sometimes their ID number (which they often find the most offensive, given the horror stories one reads all the time about identity theft) – both online and in the real world. Much of their personal information has often unwittingly ended up in the hands of marketing companies who create lists (with personal information on them) which are then sold to people who think it includes their target market. It has also been scraped off websites where these details appear and ended up in the same place. Because of the frequency of the unsolicited communications people receive, people often think that Scott McNealy was right when he said:
Cabinet passes POPI
On 14 August 2009 we received notice that POPI had been passed by Cabinet (in terms of General Notice 1107 of 2009) and that “the Minister of Justice and Constitutional Development intends introducing the Protection of Personal Information Bill, 2009, in the National Assembly shortly”.
Does this mean that POPI is now law and we need to comply with it?
No. POPI is not yet law. It has merely been approved by the Cabinet. There is a long road that still needs to be travelled before it becomes law. The Bill still needs to be tabled in Parliament and thereafter comments will be invited by the Parliamentary Portfolio Committee on Justice. After that, it will be forwarded to the National Council of Provinces for approval, and then the National Assembly for approval. It will then be sent to the President for signature and then Gazetted. See our diagram on the Life Cycle of an Act of Parliament. POPI may still be amended, possibly substantially.
Background to privacy
The passing of POPI by Cabinet marks the end of a very long process which started in 2003 with the release by the South African Law Commission of its Data Protection Issue Paper. Along the way, much has been written in the press about privacy. It is clear that the privacy debate is an emotional one which is one of the reasons why everyone is interested. Ultimately, it impacts on so much that is personal to us that we consider to be private and inviolable. Everyone wants the right to be left alone and have control over their PI.
What needs to be borne in mind from the outset is that debate around privacy is nothing new. Variations of an action for invasion of privacy are to be found in Roman law, Jewish law, medieval English law, Roman Dutch law, American and German law. Nowadays, the debate around privacy is a complex one as the individual’s right to privacy is not absolute. One can lawfully intrude into a person’s personal life or affairs in certain circumstances.
There are also competing interests that need to be balanced, such as the maintenance of law and order and the interests of industry sectors such as marketing, banking, insurance, healthcare and pharmaceutical services, whose core business involves the processing of PI. It is also important to remember that there always have been and there always will be threats to your right to privacy, and the important thing is to ensure that the competing interests are balanced.
Very often, it is a case of the law not keeping up with the pace of change in technology, which leaves gaps in the various protections:
- witness increased video surveillance, electronic commerce and the associated issues that they bring;
- spam, information security breaches and information brokers (and the associated privacy-enhancing technologies, commonly referred to as PETs, such as encryption).
It is also important to remember that the exchange of PI between businesses allows them to extend credit (in the case of banks, businesses offering credit and micro-financing companies) to consumers about whom they have no first-hand knowledge. Accurate credit history information allows businesses to charge lower interest rates to customers with good credit records. This rewards customers who manage their finances well and do not default on payments. It turns them into repeat customers and reduces the temptation for customers to cheat their creditors. Anyone who has been involved with a credit bureau knows that information is only useful if it is comprehensive and accurate. An individual with a poor credit record is unlikely to agree to financial institutions exchanging this information.
At the end of the day, and at the risk of greatly simplifying the complex issues, the central issue is to what extent personal information may be used for purposes for which the individual has not consented.
Brief summary of POPI
The word cloud on the right provides an overview of POPI.
POPI is divided into 12 chapters with a number of them being further subdivided into different parts. For more information read the Parliamentary Privacy Explanatory Memo which accompanied the Bill. Chapter 1 contains two clauses dealing with “definitions” and the “purpose” of the Bill. Clause 2 provides that the purpose of the Bill is to (i) protect the right to privacy with regard to the processing of personal information; and (ii) balance the right to privacy against other rights, such as the right of access to information.
Chapter 2 reflects those provisions dealing with how the Act is to be applied.
Two core concepts in the Bill relate to the definitions of “processing” and “personal information”. POPI only applies to PI that is processed. Processing includes collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, use, dissemination and merging. Another core definition is that of “personal information” (PI), as this lies at the core of whether a person’s right to information privacy has been infringed. If the information that has been processed does not fall within the definition of “personal information”, it is excluded from POPI (in terms of clause 3) and the processing of the information will not be illegal.
No processing of children’s PI
On the flip side, there is a particular category of PI called “special personal information” (SPI) which cannot be processed at all (in terms of Part B of Chapter 3). An example of SPI that cannot be processed is information relating to a child (i.e. under the age of 18 years). I think that the protection of minors is fantastic and is most welcome (ask any parent who has a child in school how much bullying goes on nowadays via Facebook and Instant Messaging). POPI further prohibits the processing of your “religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour” (these exceptions are dealt with in clauses 26 to 32).
Information Security Legalised
Another welcome development is the formal introduction of information security to South African law through Principle 7 (security safeguards) in clause 18. This is the first time that information security has been directly addressed in any South African law – something CISSPs will be happy to read about. Principle 7 introduces a requirement that security measures be put in place to secure the integrity of personal information, as well as a requirement to notify third parties of a breach of security. This is the first of many current and evolving information security trends to be reflected in our law.
No more (or less?) spam
Probably the most welcome development for many is that Parliament has decided to tackle spam again. I say “again” as spam was addressed in the ECT Act, but not too successfully. Chapter 8 of POPI regulates the rights of persons in respect of unsolicited electronic communication and “automated decision making”. Some forms of direct marketing are, or have the capacity to be, more intrusive than others. The three clauses reflected in Chapter 8 therefore regulate matters relating to:
- “unsolicited electronic communications” (clause 66),
- “directories” (clause 67) and
- “automated decision making” (clause 68).
The general principle contained in this Chapter is that if a data subject does not respond to a responsible party’s invitation to make use of its direct marketing advances, the responsible party will not be allowed to contact the consumer for a second time.
So what can you do to see how POPI will affect you?
POPI is still a Bill which may still be amended, possibly substantially. It is therefore not appropriate to deal with the compliance issues at this stage. We will, however, do so in detail in subsequent posts.
What organisations should be doing is reading and considering the Bill and preparing for compliance.
Compliance will not simply be an issue of operating within the law, but also a question of the effective handling of PI and respecting the interest of data subjects.
Compliance with POPI is a process: it requires adherence to a well-defined methodology and documentation of information, systems and the uses to which data is put. The first step is to identify where the company is, where it should be and, finally, the path to get there. In between, numerous activities are required. Organisations should also consider conducting a privacy impact assessment.
Scott McNealy, ex-CEO of Sun Microsystems, as told to a group of reporters in January 1999. His comments came after Intel decided not to disable certain privacy-related features in its forthcoming Pentium III chip. See www.wired.com/politics/law/news1999/01/17538