Sleeping sound with data protection
We are living in an information rich world where our actions can potentially be broadcast to the world for all to see.
In 2013, Parliament passed the first comprehensive data protection legislation in South Africa: the Protection of Personal Information (POPI) Act which was designed to prevent the negligent disclosure of South African citizen's Personally Identifiable Data.
Although there is currently no date for the commencement of the Act, a grace period of one year shall be implemented, and this may be extended to a maximum of three years to facilitate organisational compliance with the requirements.
Establishing guidelines
The Act has eight conditions, and provides guidelines on issues such as how to process personal information, what to do with personal information, and the sharing of information with other parties.
Very few laws and regulations have governed personal information in the past, so the impact of POPI on organisations and those who work with personally identifiable data is likely to be severe and far reaching.
Failure to comply with POPI could result in the regulator initiating a civil suit for damages. Fines and a penalty of either a R10m fine or a maximum of 10 years imprisonment could also be imposed.
No hiding
POPI shall make it mandatory for all organisations who deal with an individual's personal information, which includes contact details, biometric information, history and demographic information, to comply with POPI requirements.
Further, they will need permission from the individual to collect and retain their information. Organisations must then also safeguard this information and ensure that the security measures are adequate to protect it.
Information Technology departments need to get on board so that systems can be implemented to keep data secure and specialists are warning that business should not wait for the eleventh hour to start implementing the necessary measures. Those organisations that currently have the bare minimum security measures in place may need to examine email security as well as archiving and data storage very carefully, to ensure all customer information is appropriately protected.
Sharing information
Another issue of concern is the transmission of information, and the necessary permissions that must be granted; should information be transferred to another party. The individual concerned will need to give consent, and due diligence must be exercised to ensure the individual's information is protected.
It is not all doom and gloom though, and despite the strict compliance demands that will be imposed on organisations, there are a number of positives which will come out of POPI.
Of particular interest is a category called special personal information which is information that cannot be processed at anytime. An example of this category deals with information relating to children and minors which will now have comprehensive protection. This aims at reducing cyber bullying, which has become a major societal problem.
Another benefit is that POPI prohibits the processing of items such as religious beliefs, race and sexual orientation, thereby limiting opportunities for discrimination.
Good riddance to bad rubbish
POPI will also limit spam which is yet another welcome benefit of the Act. Chapter 8 of POPI regulates the rights of persons in respect of unsolicited electronic communication and automated decision making.
This section notes that should an individual not respond to a party’s invitation to make use of its direct marketing, the party is prohibited from contacting the individual again.
As organisations are forced to comply with the terms of the new Act to safeguard individual personal information, such data is less likely to fall into the wrong hands. The hope is that over time the new legislation will lead to a decrease in the incidence of financial fraud, identity theft and other misuse and abuse of personal information.
So although there are likely to be challenges in implementing the new POPI Act, there are also hefty potential societal benefits.
