South African organisations have for some time inhabited a data protection law haven. Whilst the right to privacy is enshrined in the Constitution of South Africa, legislation that gives practical credence to such a right and a Regulator to govern and administer corresponding data protection and privacy practices has been absent. That’s about to change, writes PRIA CHETTY.
The highly publicised Protection of Personal Information Bill (PPI Bill) is due for promulgation in South Africa. Public and private companies would do well to assess their practices associated with the collection, retention, dissemination and use of personal information against the prescriptions of the Bill and engage in a readiness exercise in order to gear for the necessary changes to such practices.
In short, the PPI Bill introduces eight Information Protection Principles that affected organisations must adhere to. These Principles establish the minimum requirements for the lawful processing of personal information.
In general terms, organisations are required to implement, amongst other measures:
– Measures to ensure that the use of personal information collected by the organisation is restricted to the purpose for which it was collected;
– Measures to ensure that data subjects from whom personal information is collected consent (opt-in) to the processing of their personal information;
– Measures to ensure that the organisation secures the personal information;
– Records Management measures that indicate when the organisation is required to dispose of personal information;
– Due Diligence measures when contracting with third parties to process personal information on the organisation’s behalf or transmitting personal information cross-border.
Notwithstanding the intention to give effect to the constitutional right to privacy in South Africa, the PPI Bill is largely influenced by the need to regulate processing of personal information in a manner that is in accordance with international standards.
The minimum requirements are to a large extent, therefore, synonymous with the prescriptions of similar legislation introduced in other jurisdictions such as the United Kingdom and Canada as early as 1998. With this in mind, organisations in South Africa are well advised to review how organisations in such jurisdictions have dealt with the prescriptions of the corresponding legislation.
The Information Commissioner’s Office of the United Kingdom for instance, issued a Data Protection Guide that describes, in detail, how organisations may deal with the UK Data Protection Act which corresponds to a large extent to the PPI Bill.
Organisations are also advised to direct their attention to the provisions of the PPI Bill which deal with unsolicited electronic communications and the repeal of section 45 of the Electronic Communications and Transactions Act of South Africa.
The effects of the section in the PPI Bill and the repeal of the section in the ECT Act are, in general terms a reverse of a current opt-out requirement of the relevant unsolicited communications to an opt-in via (consent or business relationship) to such communications.
Accordingly, select organisations have undertaken a review of the procedures and documentation related to collection of personal information in order to ensure that the consent of the data subjects, as will be mandated by the PPI Bill, is obtained.
In addition, organisations are casting a magnifying lens at their records management policies and procedures. The PPI Bill requires diligent records procedures that for instance, (i) allow data subjects to access their personal information; and (ii) ensure that the personal information is retained for no longer than is necessary in line with the purpose for which the information was collected.
The PPI Bill further prescribes that organisations demonstrate accountability and provide certain assurances vis-à-vis the organisation’s dealing with the requirements of the Bill.
With this in mind affected organisations should (i) appoint or designate a person who will be responsible for the implementation of PPI Bill policies and procedures (ii) develop and implement a Framework and Action Plan that reduces the requirements of the PPI Bill into actionable items and indicates a timeline for implementation of the policies and procedures; and (iii) be in a position to show reporting, oversight and sanction in respect of the implementation of the requirements of the Bill.
The Bill provides for an Information Protection Regulator who will regulate the implementation of the legislation.
The date for promulgation of the PPI Bill is yet to be announced. Accordingly, South African organisations are opting to review practices and seek guidance as to the import of the PPI Bill rather than overhaul privacy and data protections practices.
Notwithstanding the onerous duties attached to compliance with the legislation, organisations should not lose sight of the constitutional right to privacy which underpins the proposed legislation.
It is a right hard won, particularly in South Africa, and it is a right due the highest degree of respect.
Pria Chetty is principal attorney at Chetty Law. She can be reached by email: pria@chettylaw.co.za or visit www.chettylaw.co.za
Twitter: @PriaChetty /@ChettyLaw