Protection of Personal Information Act: Harmony with other legislation essential

31 August 2010 | Julie Methven, CEO, Compliance Institute of South Africa

The Protection of Personal Information Act, expected later this year, has so far seen numerous draft versions and has been a matter of considerable debate over the last few years. It deserves this type of attention as it will touch on many aspects of the business cycle and of one’s private life.

Very few people would argue today against the need to protect personal information. In our country this right is based on the Constitutional right to privacy. In this regard it’s worthwhile remembering that the Constitutional right to privacy is only limited by the provisions of the Constitution itself (for example, the section 36 limitation and the need to balance it in every circumstance with the Constitutional Right to access).

What may reasonably raise concerns is whether there will be effective implementation and ongoing monitoring of the new law.

Questions that have been and will be asked, and will hopefully be answered, will focus on whether proper regulatory impact assessments took place to guide the law. Were gaps in private information identified? Were time and costs for implementation by businesses considered, and particularly whether unnecessary costs or duplications could be avoided? Was attention also given to all major laws that deal with private information to various degrees to avoid duplication and further complexities?

As with all laws, the Protection of Personal Information law cannot be considered in a vacuum and will become a core consideration when complying with laws such as, but not limited to, the Companies Act, National Credit Act, the Financial Advisory and Intermediary Services Act, the Consumer Protection Act, the Promotion of Equality and Prevention of Discrimination Act and especially the Promotion of Access to Information Act.

Further questions may be asked regarding the capacity of the regulator to, from the start, find an effective system to manage its monitoring and enforcement duties vis-à-vis the myriad of wide-ranging businesses within the country, interact with all other departments (as all laws ultimately deal with information) and, at the same time, continuously balance the seemingly opposite requirements of promoting access and protecting information.

In principle the Compliance Institute welcomes the establishment of a new regulator as, to date, there has been a fragmented approach by different departments when it comes to accessing and protecting information. If the Regulator can take charge of the mammoth task of harmonising the overall approach taken in various laws to dealing with information, and if this charge is led by Constitutional consideration, then we should all support it and assist where we can with improving the application of the new law. The Compliance Institute will assist in promoting the principles of the new law to members, while simultaneously charting a course for the complexities that the new law may superimpose on existing laws.

The Compliance Institute will also continue to consider best compliance practices for companies and the like, who may not have personal information, but who still need protection of their (or their third parties') other legitimate confidential information. At present this will involve a hybrid application and understanding of the common law, sections of the Companies Act, the right of refusal provisions in the Promotion of Access to Information Act and the various legal limitations placed on regulator requests for information, and more. Such protection is actually a requirement for both directors (who must in terms of the Companies Act 2008, once it commences, act in the best interests of the company) and employees (who must in terms of the common law act in the interests of the employer). Of course this duty does not apply to illegal activities.

It remains an ongoing concern whether directors and employees truly understand how to balance their various legal duties to various stakeholders. Hopefully the new regulator can also assist here with guidelines that can be understood by all reasonable persons.

A compliance risk that needs to be carefully considered long before the law commences is that expensive processes that were implemented to comply with other laws such as FAIS and the NCA may need to be reviewed to ensure that they also comply with this act.
