Overview of the South African Protection of Information Bill
By Clinton Pavlovic
The methods used to collect and store information and data have evolved over time.
In the past personal information was collected primarily through direct means by companies that people did business with. The collected information would be stored to enable the company to provide a service to the customer and to bill the customer after service delivery. The high cost of storing information typically meant that a company would only store information that was strictly necessary for these purposes and that the information would be stored for a limited time once it was no longer needed.
In the last two decades new technologies, including the internet and mobile devices, have dramatically changed the way in which people interact with each other and with companies, leading to an increase of the number of ways which companies can collect personal information about data subjects; a cell phone application which has access to your precise GPS coordinates, phone book and text messages; an internet website tracking its visitors; an in-store loyalty card which tracks shopping habits; an internet search engine which logs and stores each of your search queries; a social network application for your tablet computer which redirects your personal and business email to its own servers.
In many cases people are either unaware that data collection is happening or are unaware of the scope of the data collection. The falling cost to store information electronically now means that this personal information which is collected can be stored for longer periods of time, perhaps indefinitely.
Once this personal information has been collected, which could include individual’s names, gender, phone numbers, home address, email addresses, or shopping and internet browsing habits, the question has often been whether this information still belongs to the private individual or whether the information now belongs the company collecting the information? What can a company use the collected information for after collection?
In South Africa a person’s right to privacy has been entrenched in section 14 of the South African Constitution 1996, which provides that “[e]veryone has the right to privacy”, before going further to cater for specific circumstances. The South African Protection of Personal Information Bill, or POPI, which may become law soon takes further steps to entrench the right to privacy and to protect personal information which is collected and stored.
The Protection of Personal Information Bill draws on years of research and contains many broad principles which were developed and incorporated into the European Union’s Data Protection Rules. It seeks to introduce measures to ensure that personal information is protected, but aims to balance this objective against the right to access to information and the principle of free flow of information.
The bill accomplishes its objectives by codifying the rights that persons have in their own personal information and specifying eight conditions, or principles, that must be complied with by persons when collecting, storing and processing the personal information.
The Protection of Personal Information Bill may have far reaching consequences on some businesses operating in South Africa. Businesses should evaluate the information which is currently being collected, the reasons for the collection including what the information is used for after collection, in order to determine whether the bill applies to the activities of the business. If the bill does apply a business will have to evaluate and determine what technical and organisational measures need to be taken to ensure that the legislation can be complied with once it is enacted.
Application of the Protection of Personal Information Bill
In terms of section 3, the Protection of Personal Information Bill applies to any activity concerning personal information which is either conducted in South Africa, or which is conducted outside South Africa by a responsible party which is domiciled (a resident) in South Africa.
The bill binds both public and private bodies, extending to any South African state department or administration, state functionary, state institution, private companies, private partnerships, sole proprietors and any other individual.
The activities relating to personal information which are regulated in terms of the bill include:
- collection;
- receipt;
- recording;
- storage;
- retrieval;
- dissemination; and
- use.
The definition given to “personal information” ensures that the legislation will have a wide application.
Personal information is defined as any information relating to an identifiable, living natural person or existing juristic person, including a person’s name, gender, sexual orientation, religion, education, identifying number, e-mail address, telephone number, personal opinion and correspondence. There are, however, some exclusions, such as the exclusion of data relating to a purely personal or household activity, data which has been de-identified and data collected by a public body involving national security and the investigation or proof of criminal offences.
Rights Granted in Terms of the Protection of Personal Information Bill
The section 5 of the Protection of Personal Information Bill briefly sets out the rights granted in terms of the bill which are elaborated and expanded on in further chapters. The rights granted in terms of the bill include:
- the right to be notified that personal information is being collected;
- the right to be notified if there has been any security compromises and if personal information has been unlawfully accessed;
- the right to establish if a person or entity holds any personal information and if so request access to the personal information;
- the right to know the identity of third parties who have had access to the personal information;
- the right to request the correction, destruction or deletion of personal information;
- the right to object to the processing of personal information;
- the right to submit a complaint to the Information Regulator, which is to be established in terms of the bill; and
- the right to institute civil law suits to claim damages suffered as a result of a contravention of the bill.
Conditions for the Lawful Processing of Personal Information
Chapter 3 of the Protection of Personal Information Bill sets out eight conditions, or principles, which must be complied with when processing personal information.
Failure to comply with these conditions when collecting and processing information protected by the bill would constitute an interference with the rights of the individual in terms of section 73 and may result in civil liability in terms of section 93 for damages suffered by the individual.
Contravention of other chapters of the bill can also result in administrative penalties or a criminal conviction punishable by fines or imprisonment of up to ten years for some offences.
These conditions for the lawful processing of personal information are:
Condition 1: Accountability
The first condition provides that the responsible party, namely the public or private body which determines the purposes and means for processing personal information, must ensure that personal information is processed lawfully and that the conditions are complied with at the time when the purposes and means of data processing is determined and during the processing itself.
Condition 2: Processing Limitation
The second condition sets limits on the methods which may be used when collecting personal information and on the scope of processing the information. Focus is placed on the protection of privacy and prevention of excessive collection and processing.
This condition provides that personal information may generally only be collected directly from the individual and not from other third party sources. It also provides that personal information may only be collected and processed if:
- the individual has consented;
- it is necessary to perform in terms of a contract concluded directly with the individual;
- it protects a legitimate interest of the individual or the person collecting or processing the information; or
- it is necessary for the proper performance of a public law duty by a public body.
Data subjects are also granted the right to object to the collection and processing of personal information, including the specific right to object to direct marketing from companies which they are not already an existing customer of.
Condition 3: Purpose Specification
The third condition sets limits on the reasons for the collection of personal information and limits the duration that the records may be retained.
This condition specifies that personal information may only be collected for specific and explicitly defined purposes and that data subjects must be informed of the purpose for collecting the information.
Once the personal information has been collected it may not be retained any longer than what is necessary for achieving the defined purpose. After the personal information is no longer required it must be either destroyed or “de-identified” in a manner which would make identification of the individual impossible either on its own or if combined with other information.
Condition 4: Further Processing Limitation
The fourth condition limits the use of personal information once collected, providing that all processing must only be in accordance with, or compatible with, the purpose for which the information was originally collected.
Condition 5: Information Quality
The fifth condition ensures that reasonable steps must be taken by the responsible person to ensure that all personal information which is collected or processed is complete, accurate, not misleading and updated where necessary.
Condition 6: Openness
The sixth condition ensures openness of records relating to the processing of personal information by requiring responsible persons who collect and process personal information to retain records of the processing operations in terms of the Promotion of Access to Information Act.
This condition also requires that data subjects are notified of their rights in terms of the bill. Steps must be taken before the actual collection of personal information to ensure that an individual is aware of:
- what information is being collected;
- the name and address of the responsible party collecting or processing the information;
- the purpose of collecting the information;
- the consequences of not providing access to the personal information; and
- if the information is to be transferred to another country, the level of protection afforded to the information in that country.
Condition 7: Security Safeguards
The seventh condition introduces safeguards to protect the integrity and confidentiality of personal information once it has been collected.
In terms of this condition any person collecting or processing personal information must take appropriate and reasonable technical and organisational measures to ensure that personal information is not lost, damaged or unlawfully accessed or processed. This requires the responsible party to take measures to identify internal and external risks, establish and maintain safeguards and continually update procedures and safeguards in response to new risks or deficiencies.
Data subjects must also be informed of any security breaches as soon as reasonably possible.
Condition 8: Data Subject Participation
The final condition applicable to the lawful processing of personal information provides data subjects with the right to participate in the collection and processing of their personal information.
This condition provides data subjects with the right to:
- request whether or not a party is in possession of personal information belonging to the data subject;
- request a record of the personal information held;
- request information regarding all third parties who have had access to the personal information;
- request the correction or deletion of inaccurate personal information; and
- request the deletion or destruction of personal information.