CLIFFE DEKKER HOFMEYR EVERYTHING MATTERS

KEY CONTACTS

Preeta Bhagattjee
Director
National Practice Head: Technology, Media and Telecommunications
+27 (0)11 290 7210
preeta.bhagattjee@dlacdh.com
Hans Evenhuis
Director
Technology, Media and Telecommunications
+27 (0)21 481 6446
hans.evenhuis@dlacdh.com

Protection of Personal Information

Information, data and technology: are you ready to comply with your obligations?

If your organisation processes (ie collects, receives, records, organises, collates, stores, updates, modifies, retrieves, alters, consults, uses, disseminates, distributes, merges, links, erases or destroys) personal information, it is important to consider the implications of new draft legislation in the form of the Protection of Personal Information Bill.

Introduction

The Protection of Personal Information Bill will significantly impact on the way in which organisations collect, store, process and disseminate information from and to clients, employees and customers.

In summary, the legislation promotes the protection of personal information processed by public and private bodies and aims to introduce certain information protection principles to establish minimum requirements for the processing of personal information.

"Personal information" is defined widely to include:

  • information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person;
  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education, medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
  • the blood type or any other biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Background

The amended version of the Bill was published during August 2009.

The Explanatory Memorandum to the Bill states that "the Bill emanates from the South African Law Reform Commission's report on privacy and data protection. The Bill aims to give effect to the right to privacy, by introducing measures to ensure that the personal information of an individual (data subject) is safeguarded when it is processed by responsible parties. The Bill also aims to balance the right to privacy against other rights, particularly the right of access to information, and to generally protect important interests, including the free flow of information within and across the borders of the Republic."

Contents

The Bill is divided into 12 chapters as follows:

Chapter 1: Definitions and purpose

Chapter 2: Application provisions and exclusions
The wide ambit of the Bill necessitates certain exclusions as far as its application is concerned.

Chapter 3: Conditions for lawful processing of personal information
This chapter contains eight so-called information protection principles, namely:

  • Accountability
  • Processing limitation
  • Purpose specification
  • Further processing limitation
  • Information quality
  • Openness
  • Security safeguards
  • Data subject participation

Chapter 4: Exemption from information protection principles

Chapter 5: Supervision
This chapter deals with the Information Protection Regulator and Information Protection Officers.

Chapter 6: Notification and prior investigation

Chapter 7: Codes of Conduct

Chapter 8: Rights of data subjects regarding unsolicited electronic communications and automated decision making

Chapter 9: Transborder information flows

Chapter 10: Enforcement

Chapter 11: Offences and penalties

Chapter 12: General provisions

Application

By adopting legislation of this nature, South Africa is finally set to fall in line with international standards for the collection and handling of personal information. The Bill is not yet in force and may still be substantially amended but it is useful at this stage to gain an overview of what the regulatory framework will look like so that organisations can start preparing for compliance or even become involved in the finalisation of the Bill before it is enacted.

So, can we look forward to the end of spam and unsolicited sales calls?

The Bill aims to protect our right to privacy by introducing measures to regulate the collection, storage and distribution of personal information. It aims to do so while achieving a balance between a person's right to privacy and other important societal interests and rights such as the right of access to information and the importance in today's world of maintaining a free flow of information.

The Bill has a broad application and applies to the processing (which includes collection, storage, dissemination, etc) of personal information by or on behalf of any "responsible party" which is defined as a public or private entity or any other person who, alone or in conjunction with others, determines the purpose of and means for processing personal information. The Bill will even apply if the responsible party is not domiciled in South Africa - as long as they make use of automated or non-automated means that are locally situated.

The ambit of the Bill is narrowed by a number of exclusions and, for example, will not apply to the processing of personal information for personal or household activities; information where the identification of the personal subject is not possible; the processing of personal information carried out in the interests of national security, defence or public safety or the prevention, investigation or proof of offences; the processing of personal information for exclusively journalistic purposes; information processing by the Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality; or information processing relating to the judicial functions of a court.

The Bill also contains particularly rigorous regulations concerning the processing of so-called "special personal information", which is information concerning children, or information concerning an individual's religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, or criminal behaviour. Generally, the processing of special information is prohibited, but the Bill provides certain necessary exclusions and exceptions. For example, special personal information regarding an individual's health or sexual life may be processed by medical professionals if such processing is necessary for the proper treatment of the individual, and information concerning a person's race may be collected where it is required to comply with laws designed to protect or advance previously disadvantaged persons.

The Information Protection Regulator has broad powers to authorise exemptions in circumstances where the public interest substantially outweighs any interference with an individual's privacy or where the processing involves a clear benefit to the individual that outweighs the interference with their privacy.

The Bill envisages that regulation will take place through external enforcement by the Information Protection Regulator but also through the internal appointment by both private and public bodies of information protection officers and deputy information protection officers, who among other things, will be responsible for dealing with requests that are made to their organisations in terms of the Bill and for ensuring that their organisations comply with the provisions of the Bill.

Responsible parties are obliged to notify the Regulator before they commence with the processing of personal information and to furnish it with comprehensive details such as the purpose of the processing and a description of the categories of data subjects, and of the information or categories of information relating to them. The Regulator, in turn, must maintain a register of all notices that must be made available to the public. In addition, the Regulator must initiate a prior investigation before any processing commences where a party intends, for example, to process information in respect of criminal behaviour on behalf of third parties or for the purposes of credit reporting. Responsible parties may not carry out information processing until the Regulator has completed its investigation.

Many will welcome the provisions in the Bill that deal with unsolicited e-mails and automated decision making. The general principle is that if a data subject does not respond to a responsible party's invitation to make use of its direct marketing advances, the responsible party will not be allowed to contact the consumer for a second time - contraveners may even be sentenced to a fine or a period of imprisonment.

The Bill creates various criminal offences such as obstructing the Regulator's duties, failing to comply with the Regulator's enforcement notices or breaching a person's confidentiality - these offences attract penalties of imprisonment for periods of up to 10 years, or fines. Perhaps more significant is the provision the Bill makes for civil remedies for individuals whose personal rights to privacy are infringed, including the right to claim compensatory damages for financial and non-financial loss as well as the right to claim aggravated damages that a court deems just and equitable.

The Bill further envisages the development of Codes of Conduct that will contribute to the proper implementation of the Bill and may, for example, indicate how a particular sector should comply with the information protection principles. The Regulator may issue codes on its own initiative but also on application by persons or entities that process personal information. Provision is also made for consultation by interested parties in the issuing of a code. These provisions create the opportunity for various sectors and stakeholders to become proactively involved in how the implementation of the Bill can take place effectively and practically within their sector.

Our Services

Cliffe Dekker Hofmeyr offers extensive services with regard to:

  • Commenting and making submissions on the draft legislation
  • Specialist advice on compliance with any aspect of the legislation
  • Compliance familiarisation seminars
  • Training (focusing on, for example, the implications from a corporate/commercial perspective, a telecommunications perspective and an employment perspective)
  • Reviewing internal documentation, systems and processes to ensure compliance.


Cliffe Dekker Hofmeyr is a member of DLA Piper Group, an alliance of legal practices.