Protection of Personal Information

There is currently no overall, all-encompassing law which deals with privacy protection in South Africa. Certain pieces of legislation, such as PAIA and the Electronic Communications and Transactions and the National Credit Act deal with rights in respect of personal information, in part. As a consequence, the right to privacy in South Africa currently remains largely within the realm of the common law and the Constitution.

In terms of data transfer, management, storage and retrieval, the protection of privacy is considered fundamental to people, both in business and in private. Legal experts believe that legislation, such as the Protection of Personal Information Bill (POPI), signals the level at which users of information and communication technology have to now operate to safeguard the personal information of third parties.

Data privacy has emerged as arguably the single most important aspect of secure digital communication today. According to Nick Altini, a Director of law firm Cliffe Dekker Hofmeyr, the concept applies to any circumstance where one person wants to collect and process the personal information of an identifiable, living person – usually a natural person – but in some cases juristic persons can also have personal information.

“The basic idea is that if you collect and process personal information, you shouldn’t use that data for a purpose other than for which it was collected and other than for which you have permission from the person who the information relates to. Also, the -purpose for which the data is collected must be legitimate.

Personal information

The concept of personal information is widely defined in the Protection of Personal Information Bill and it includes all infor-mation about an identifiable, living, natural person and in some cases an identifiable, existing juristic person.

Such information may include information about physical characteristics like gender, race and pregnancy status and non-physical personal characteristics such as marital status, sexual orientation, religion, culture and political affiliation,” explains Altini.

“The concept also includes indentifying information such as numbers, symbols,  telephone numbers, addresses and blood types linked to individuals. Personal information even extends to private correspondence, views and opinions about other people and a person’s name where it appears with other personal information and may reveal information about the person concerned,” he adds.

The advent of social networking and related threats aside, by definition data privacy has significant and far-reaching implications in the commercial sense.

Due to the fact that it involves the way in which a corporate or individual is allowed to handle personal information of clients, employees or customers, whose information becomes available to them in the course of business, it is open to manipulation.

Increasing incidents of cybercrime and of corporate espionage have heightened awareness over the need for protection of infrastructure in business and the data that this houses.

“Any information that falls within the definit-ion of ‘personal information’ and which will be processed (as defined in the Bill) must be processed in a manner complaint with the Bill unless some form of exemption applies. What this entails in any given case depends on a wide array of factors,” says Altini.

Need to comply

It is important to remember that while the -Protection of Personal Information Bill is new (and represents the first form of adjectival -legislative compulsion to protect personal information), the concept of data privacy has been around for some time he adds. The law will place a compliance obligation on many firms that, to date, have not made any effort to protect personal information.

“Up until now we had no law that really regulated data privacy, other than in an incidental fashion, such as under the Promotion of Access to Information Act. The Electronic Communications and Transactions Act has a voluntary code of conduct for data processing, but since it is voluntary, firms that don’t have a strong privacy policy culture (because, for example, they are not connected to European firms that are used to complying with data privacy laws) would not typically have elected to comply.”

Experts put forward that, from a legal point of view, the relevance of the POPI legislation is to give effect to the constitutional right to privacy and to balance this right against other rights – such as the right of access to information and to regulate the free flow of information.

Altini says that at a high level, the right to privacy is really about the right to not have personal information disseminated without permission or used for a purpose that an individual has not consented to. But he adds that while the right recognises that people should be entitled to a certain amount of freedom from unwelcome or unsolicited commercial advances and the right to freedom of thought, it can be limited.

POPI does not outlaw the processing of personal information, it facilitates it in a way designed to balance the right to privacy with, for example, the right of a third party to obtain information or protect its own interests through obtaining personal information.

POPI only applies to personal information that is processed. The term processed is broad and encompasses a great number of activities, however, for businesses the key issue is to recognise whether they deal with personal information at all. If this is the case, the next consideration is whether what they do with the information constitutes processing. Taking this further, the business is then obliged to comply with the Bill, unless it is exempt from doing so.

“The right to privacy is not absolute, it can be limited. That means that means that third parties can require people to divulge personal information, for legitimate and disclosed purposes, where that is necessary,” adds Altini.

Data publicly available

Then there is the contentious issue of data publicly available. According to the Companies Act, any person can obtain copies of company related documents kept at CIPRO, subject to payment of a fee, and provided the general procedure for accessing documents at CIPRO was followed.

Judgement records as they appear in Court case files can also be considered to be public records, freely available to the public, provided the requester pays any prescribed fee and -follows the correct application procedure.

The same principle applies to records held under the National Road Traffic Act and by the Department of Rural Development and Land Reform.

These records can be processed without the consent of the person involved. On several occasions within POPI (and other Laws), the words “required or authorised by law” (or similar) are also used to denote circumstances where personal information can be processed without consent, making the processing lawful.

In whatever way the situation develops, influenced by legislation to balance the protection of consumer rights to privacy and the need for access to information, legal experts suggest that there are various facets that make up the legal framework governing data privacy and it would be prudent for decision makers to understand their rights, obligations and responsibilities. Failure to take responsibility places data at risk they say. This in turn places the data processor at risk.