26 May 2012
Article by: Creamer Media Reporter

Various amendments are in the pipeline and this Bill has been lying in the legislature’s office for some time now! It should not be confused with the Protection of Information Bill, which caused much controversy in recent weeks, especially with regard to free speech and media rights.


The Bill, as published in GG 32495 of 14 August 2009 as the Protection of Personal Information Bill, 2009, aims at regulating, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy, subject to justifiable limitations that are aimed at protecting other rights and important interests of businesses and others. The PPI Bill recognises section 14 of the Constitution of the Republic of South Africa, 1996, which provides that everyone has the right to privacy. The right to privacy is limited only by the limitation clause of the Constitution and includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. It should also be considered that, consonant with the constitutional values of democracy and openness, the need for economic and social progress within the framework of the information society requires the removal of unnecessary impediments to the free flow of information, including personal information.


Various criticisms have been levelled against the bill,[1] some of them more relevant than others. Questions that have been asked are: whether proper regulatory impact assessments took place to guide the law; whether the cost of implementation by businesses was considered, and particularly whether unnecessary costs or duplications could be avoided if other laws protecting personal information are taken into account; and whether attention was also given to all major laws that deal with private information to various degrees, so as to avoid duplication and further complexities.

The Protection of Personal Information Bill (PPI Bill) cannot be considered in a vacuum and will become a core consideration when complying with various legislation dealing with personal information, such as the new Companies Act, the National Credit Act, the Financial Advisory and Intermediary Services Act, the Consumer Protection Act, the Promotion of Equality and Prevention of Unfair Discrimination Act and especially the Promotion of Access to Information Act and the Regulation of Interception of Electronic Communication Act (RICA).

Personal information is widely defined as information relating to an identifiable, living, natural person and, where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
  • the blood type or any other biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence (this part should also consider the RICA);
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

In terms of section 3, this Bill applies to the processing of personal information entered in a record by or for a responsible party domiciled in the Republic, or one not domiciled in the Republic but using automated or non-automated means situated in the Republic (unless those means are used only for forwarding personal information), provided that, when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof.

Information Protection Principles[2]

Chapter 3 of the Bill sets out the conditions for lawfully processing private information. The draft Bill sets out eight principles for the processing of personal information:

Principle 1: Accountability

A responsible party who wants to collect private information can only do so if it gives effect to the principles set out in Chapter 3. The responsible party must ensure that the principles set out in this Chapter, and all the measures that give effect to the principles, are complied with.

Principle 2: Processing limitation

Principle 2 places some limitations on the processing of personal information. Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the person (called a data subject). An employer cannot obtain personal information from an unlawful source or on hearsay and accept that information as lawfully collected.

Section 9 deals with minimality and determines that personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive. Employers must ensure that they understand why they want certain information and what the purpose is; it cannot be just for the sake of having it. For instance, collecting information about an employee’s criminal record after employment must be justifiable in light of the position and the operations of the employer. Employers who want to access certain personal information, such as medical records or criminal records, need to adopt a policy that takes the following subsections into account. Personal information may only be processed if certain requirements, as set out in the Bill, are met.

Principle 3: Purpose specification

Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the employer or responsible party. The employer or responsible party must take steps to ensure that the data subject is aware of the purpose of the collection of the information. Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless certain conditions apply.

Records of personal information may only be retained for longer periods for historical, statistical or research purposes, if the responsible party has established appropriate safeguards against the records being used for any other purposes. A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record.

Principle 4: Further processing limitation

Further processing must be compatible with the purpose of collection.

Principle 5: Information quality

The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

Principle 6: Openness

Personal information may only be processed by a responsible party that has notified the Regulator in terms of Chapter 6. If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of the information being collected; the name and address of the responsible party; the purpose for which the information is being collected; whether or not the supply of the information by that data subject is voluntary or mandatory; the consequences of failure to provide the information; any particular law authorising or requiring the collection of the information; and any further relevant information.

Principle 7: Security Safeguards

In terms of section 18(1), a responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information. In order to give effect to subsection (1), the responsible party must take reasonable measures as described in the section. The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

A responsible party must ensure that an operator which processes personal information for the responsible party, establishes and maintains the security measures. The processing of personal information for a responsible party by an operator must be governed by a written contract between the operator and the responsible party, which requires the operator to establish and maintain confidentiality and security measures to ensure the integrity of the personal information.

Principle 8: Data subject participation

In terms of section 22(1), a data subject, having provided adequate proof of identity, has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject, and to request from a responsible party a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information. If personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 23 to request the correction of information.

A responsible party may or must refuse to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply. In terms of section 23(1), a data subject may request a responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

Medical and pension fund information/screening, criminal and debt information, pre-employment screening, private electronic information

Employers involved in the above activities, and managers involved in pre-employment screening and interviews, should understand the implications of this Bill. The information we collect about prospective employees and employees is becoming more and more protected, and managers should be trained on these obligations and on what information they can and cannot obtain, and why. Typical questions such as “do you plan to have babies”, “what rugby team do you support” or “how is your health generally” are posing more and more problems for interviewers, not only from an equity perspective but also from a protection of private information and right of access to information perspective.

Any employer or prospective employer who wants to access or process private information should understand and apply the 8 principles of the Bill, failing which the collection of the information will be unlawful in terms of the Bill. The processing of information relating to criminal behaviour is regulated by sections 25 and 31. In terms of section 25, a responsible party may not process personal information concerning a person’s criminal behaviour. In terms of section 31(1), the prohibition on processing personal information concerning a data subject’s criminal behaviour does not apply if the processing is carried out by bodies charged by law with applying criminal law, or by responsible parties who have obtained that information in accordance with the law. Section 31(2) determines that the prohibition does not apply to responsible parties who process the information for their own lawful purposes to (a) assess an application by a data subject in order to take a decision about, or provide a service to, that data subject; or (b) protect their legitimate interests in relation to criminal offences which have been, or can reasonably be expected to be, committed against them or against persons in their service. In terms of section 31(3), the processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation. The prohibition on processing any of the categories of personal information referred to in section 26 (religious and conscience beliefs) does not apply if such processing is necessary to supplement the processing of information on criminal behaviour permitted by this section.

Employers are entitled to do criminal screening of prospective employees, but must comply with the 8 principles, section 31 and any applicable labour laws and legislation.

How must employers protect the private information of employees?

In terms of section 25, and unless specifically permitted by this Part, a responsible party may not process personal information concerning a child who is subject to parental control in terms of the law, or a data subject’s religious or philosophical beliefs (unless done by a religious or spiritual institution or body in terms of section 26), race or ethnic origin, trade union membership (unless in terms of section 28), political opinions (unless as provided for in section 29), health or sexual life (unless as provided for in section 30) or criminal behaviour.

Firstly, employers must obtain and be in possession of private information in a lawful manner. Employers will also, as a natural consequence of the employment relationship, have personal information of the employee in their possession. This process starts with the submission of a CV for application purposes, where the prospective employee, by the act of supplying the CV, consents to the prospective employer being in possession of the information. If the applicant is unsuccessful in the application, the company will have no further need for the personal information and must develop a policy in this regard, providing for destroying the information as soon as possible. Should the employer wish to retain the information for the purpose of setting up a pool of candidates for the future, the consent of the applicant should be obtained.

This Bill will also have an effect on any personal information held by the employer, pension fund and medical aid fund during the life of the person’s employment. The employer should also develop policies about the storage of and access to this information, and about who in the HR department is going to manage, store, collect and disclose it. Another important factor to consider is the giving of references in future and who in the organisation is going to be responsible for this information. It is advisable to also develop a policy in this regard, to prevent each and every manager from giving or refusing to give references as they please and in the manner they please.

Medical incapacity procedures and medical boarding procedures will also have to take into consideration the effect of this Bill. The question should be asked which information can be obtained, and to what extent, in order to comply with the requirements of this Bill when it becomes law. The same applies to pension fund and medical aid boards. Training on this Bill and on the legislation dealing with access to information should be carefully considered.

In order to balance their duties with their rights, and especially with the rights of employees, companies, boards, directors and employees truly need to understand how to balance their various legal rights and duties to various stakeholders. This will be just another piece of legislation (to be promulgated) that an employer and the board need to get to know in order to comply with their legal and fiduciary duties towards their businesses.

For more information contact Johanette Rheeder on jrattorneys@yebo.za

Article first published on the SA Labour Guide website


[1] See the article “Protection of Personal Information Act”, 01 Sep 2010, Enterpriserisk.co.za; http://www.blacksash.org.za

[2] See also information from http://www.deloitte.com
Edited by: Creamer Media Reporter