Thursday, February 09, 2012

The Protection of Personal Information Bill

Legal Matters

South Africa is finally set to fall in line with international standards for the collection and handling of personal information with the passing, late last year, of The Protection of Personal Information Bill, 2009 (the Bill). The Bill is not yet in force and may still be substantially amended but it is useful at this stage to gain an overview of what the regulatory framework will look like, so that companies can start preparing for compliance or even become involved in the finalization of the Bill before it is enacted.

So, can we look forward to the end of spam and unsolicited sales calls? The Bill aims to protect our right to privacy by introducing measures to regulate the collection, storage and distribution of personal information. It aims to do so whilst achieving a balance between people’s right to privacy and other important societal interests and rights such as the right of access to information and the importance in today's world of maintaining a free flow of information.

The Bill has a broad application and applies to the processing (which includes collection, storage, dissemination etc.) of personal information by or on behalf of any “responsible party”, which is defined as a public or private entity or any other person who, alone or in conjunction with others, determines the purpose of and means for processing personal information. The Bill will even apply if the responsible party is not domiciled in South Africa – so long as they make use of automated or non-automated means that are locally situated.

The ambit of the Bill is narrowed by a number of exclusions and, for example, will not apply to the processing of personal information for personal or household activities; information where the identification of the personal subject is not possible; the processing of personal information carried out in the interests of national security, defence or public safety or the prevention, investigation or proof of offences; the processing of personal information for exclusively journalistic purposes; information processing by the Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality; or information processing relating to the judicial functions of a court.

The Bill sets out eight core principles which will be the minimum conditions for the lawful processing of personal information, namely: accountability; processing limitations such as reasonableness and minimality; purpose specification; further processing to be compatible with purpose of collection; quality of information; openness; adequate security safeguards; and data subject participation.

The Bill also contains particularly rigorous regulations concerning the processing of so-called “special personal information”, which is information concerning children; or information concerning an individual’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, or criminal behaviour. Generally, the processing of special information is prohibited but the Bill provides certain necessary exclusions and exceptions – for example, special personal information regarding an individual’s health or sexual life may be processed by medical professionals if such processing is necessary for the proper treatment of the individual, and information concerning a person's race may be collected where it is required to comply with laws designed to protect or advance previously disadvantaged persons.

The Information Protection Regulator (a body to be established in terms of the Bill) has broad powers to authorise exemptions in circumstances where the public interest substantially outweighs any interference with an individual’s privacy or where the processing involves a clear benefit to the individual that outweighs the interference with their privacy.

The Bill envisages that regulation will take place through external enforcement by the Information Protection Regulator but also through the internal appointment, by both private and public bodies, of information protection officers and deputy information protection officers, who, amongst other things, are to be responsible for dealing with requests that are made to their organisations in terms of the Bill and for ensuring that their organisations comply with the provisions of the Bill.

Responsible parties are obliged to notify the Regulator before they commence with the processing of personal information and to furnish it with comprehensive details such as the purpose of the processing and a description of the categories of data subjects and of the information or categories of information relating to them. The Regulator in turn must maintain a register of all notices that must be made available to the public. In addition, the Regulator must initiate a prior investigation before any processing commences where a party intends, for example, to process information in respect of criminal behaviour on behalf of third parties or for the purposes of credit reporting. Responsible parties may not carry out information processing until the Regulator has completed its investigation.

Welcome news for many are the provisions in the Bill that deal with unsolicited e-mails and automated decision making. The general principle is that if a data subject does not respond to a responsible party’s invitation to make use of its direct marketing advances, the responsible party will not be allowed to contact the consumer for a second time – contraveners may even be sentenced to a fine or a period of imprisonment, which is a pleasant thought for the many of us who spend a great deal of our time fielding unsolicited sales calls for the latest life-changing product.

The Bill in fact creates various criminal offences, such as obstructing the Regulator’s duties; failing to comply with the Regulator’s enforcement notices or breaching a person’s confidentiality – which offences attract penalties of imprisonment for periods of up to ten years or fines. Perhaps more significant is the provision the Bill makes for civil remedies for individuals whose personal rights to privacy are infringed, including the right to claim compensatory damages for financial and non-financial loss as well as the right to claim aggravated damages that a Court deems just and equitable.

The Bill envisages further the development of Codes of Conduct that will contribute to the proper implementation of the Bill and may for example indicate how a particular sector should comply with the information protection principles. The Regulator may issue codes on its own initiative but also on application by persons or entities that process personal information. Provision is also made for consultation by interested parties in the issuing of a code.

These provisions create the opportunity for various sectors and stakeholders to become proactively involved in how the implementation of the Bill can take place effectively and practically within their sector.

About the author
Brigit Rubinstein is a Director in the firm's Dispute Resolution: Litigation and Arbitration practice. She has extensive experience in general commercial litigation, specifically for the publishing industry, oil industry and film industry. Brigit is a member of the Cape Law Society.

Brigit began her career as a Candidate Attorney at Cliffe Dekker Fuller Moore (now Cliffe Dekker Hofmeyr) in 1999. She was promoted to Associate in 2000, Senior Associate in 2001 and became a Director in 2003.
http://www.cliffedekkerhofmeyr.com/