The Protection of Personal Information Bill, 2009 (the "Bill") was tabled in Parliament on 25 August 2009. Public hearings are taking place this week.
If passed by Parliament, the Bill will -
• give effect to the constitutional right to privacy of personal information;
• require all individuals and entities, and particularly businesses, to establish new methods of operating with regard to the collection and/or dissemination of any personal information, however it is stored;
• require businesses to review their arrangements with agencies and intermediaries;
• necessitate the amendment of all contracts to include consent provisions;
• require businesses to implement policies on privacy and information security; and
• bring South Africa into line with international laws on data protection.
The Bill aims to protect the individual's right to data privacy and protection of personal information and seeks to balance this right against other rights, for example the right of access to information, including the needs of businesses to be able to process information and data for commercial ends.
In summary, it seeks to achieve these goals by requiring that users of Personal Information (as defined below) comply with certain data protection principles which regulate how an individual's personal information may be used. Users are also required to notify a new body, the Information Protection Regulator (the "Regulator"), about their use of any individual's personal information.
In addition, the Bill regulates -
• unsolicited electronic communications (ie spam), directories and automated decision-making; and
• the flow of Personal Information (as defined below) across the borders of the Republic.
This alert briefly highlights who is obliged to comply with the Bill, how they must comply and what the consequences of non-compliance are.
Who is subject to the obligations imposed by the Bill?
The Bill applies to any public or private body or any other person who (alone or in conjunction with others) determines the purpose of, and means for, processing Personal Information (called a "Responsible Party").
What information is protected?
The Bill regulates the processing of "Personal Information", being information relating to an identifiable, living individual and, where applicable, an identifiable, existing juristic person such as a company or close corporation (the "Data Subject"). Personal Information includes, but is not limited to -
• information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
• information relating to the education or the medical, financial, criminal or employment history of the person;
• any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
• the blood type or any other biometric information of the person;
• the personal opinions, views or preferences of the person;
• correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
• the views or opinions of another individual about the person; and
• the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person.
The Bill distinguishes "Special Personal Information" from "Personal Information". Special Personal Information is information concerning -
• a child who is subject to parental control in terms of the law; or
• a Data Subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, or criminal behaviour.
Subject to certain exclusions, the processing of Special Personal Information is generally prohibited by the Bill.
What kinds of use of Personal Information are covered by the Bill?
The Bill regulates the "Processing" of Personal Information. This is very widely defined and covers any activity or operation involving Personal Information, whether automated or not. It includes the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of information. This would therefore cover, among other things, Personal Information stored in databases, address books, payroll systems or manual filing systems; sent via email; found in word processing programmes; exchanged in contracts with suppliers; and recorded on CCTV and in telephone records.
What restrictions are imposed on the use of Personal Information?
To be lawful, the Processing of Personal Information must comply with certain requirements which are framed as eight "information protection principles" ("Principles") in the Bill. In addition, the Bill envisages that the Regulator will, from time to time, develop Codes of Conduct which will prescribe how the Principles should be complied with in specific sectors.
The Principles are extensive. They state, for example -
• that a Responsible Party may only Process Personal Information if, given the purpose for which it is Processed, it is adequate, relevant and not excessive;
• how Personal Information may be collected and that it must be collected for a specific, lawful purpose related to a function or activity of the Responsible Party;
• when and for how long records of Personal Information may be retained;
• that reasonably practicable steps must be taken by the Responsible Party to ensure that the Personal Information is complete, accurate, not misleading and updated where necessary; and
• that appropriate and reasonable security measures must be taken, for example against the loss of, damage to or unauthorised destruction of Personal Information, and any unlawful access to or Processing of such information.
The Data Subject is also given a number of wide-ranging rights which include rights to object to the Processing of Personal Information; rights to request details of any Personal Information held about him and information about any third parties who have or have had access to that information; and rights to correct or have deleted certain Personal Information.
Personal Information that is Processed in a fully or partly automated manner may only be Processed if the Responsible Party has notified the Regulator in the prescribed manner, in advance. Failure to notify is an offence (dealt with below).
The Regulator may authorise Processing that would otherwise be in breach of the Bill in certain circumstances, such as where the public interest in the Processing of the Personal Information substantially outweighs any resultant interference with the Data Subject's right to privacy.
Further, the processing of Personal Information for the purpose of direct marketing by means of automatic calling machines, facsimile machines, SMSs or electronic mail is prohibited unless the Data Subject has given consent to the processing, or the Data Subject is a customer of the Responsible Party (subject to conditions).
Any communication for the purpose of direct marketing (such as spam mail) must contain details of the identity of the sender or the person on whose behalf the communication has been sent; and an address or other contact details to which the recipient may send a request that such communications cease.
Enforcement and penalties
The Bill contains a complaints procedure whereby any person may lodge a complaint with the Regulator in certain circumstances, including for a breach of the Principles or the provisions relating to unsolicited communications, directories and automated decision-making. The Regulator has extensive powers of investigation, including the right to apply to court for a warrant to enter and search premises. Data Subjects (or the Regulator on behalf of a Data Subject) may also bring a claim for damages in certain circumstances, irrespective of whether there is intent or negligence involved.
Contravention of any of the Principles is not, in itself, a criminal offence. However, the Regulator has the power to issue enforcement notices for certain breaches of the Bill, and failure to comply with an enforcement notice is a criminal offence.
On conviction of an offence under the Bill, a person is liable to a fine and/or up to 12 months' imprisonment, except if the offence relates to obstructing the Regulator, in which case the person is liable to a fine and/or up to 10 years' imprisonment.
Timing
Companies must, within one year from the date that the Bill comes into force, ensure that their Processing of Personal Information complies with the legislation and is notified to the Regulator. This one-year grace period may be extended by the Minister to a maximum of three years. It is as yet unclear when the Bill will come into force.
Conclusion
It is clear that this Bill, if passed by Parliament, will significantly impact how companies and public bodies manage the processing of any Personal Information held by them, for example about employees or customers. Although individuals are likely to welcome the Bill, businesses are likely to find the costs of compliance high.
Written by: Dario Milo, Partner at Webber Wentzel