The newly established Information Regulator has to date received 107 complaints relating to the unlawful processing of personal information and access to information, despite not yet being fully operational.
An analysis of these complaints revealed a majority of the complaints relate to banking, insurance and telecommunications, chairperson of the regulator, advocate Pansy Tlakula, told the media.
"It should be noted that most of these complaints relate to direct marketing through unsolicited electronic communications. Citizens are bombarded by e-mails and phoned by marketers but the question is where they get your personal information," Tlakula said.
Regulator member, professor Tana Pistorius, said at the moment not all sections of the regulator are active, such as the ability to investigate.
"But we accept and deal with the complaints in the best of our ability. We forward complaints to responsible parties and request protective control."
Of the reported complaints, Pistorius said they are engaging with relevant sectors to indicate where problems are at, while some of the cases have been resolved.
Last year, president Jacob Zuma appointed Tlakula as chairperson, Lebogang Stroom-Nzama and Collen Weapond as full-time members of the regulator, while Pistorius and Sizwe Snail Ka Mtuze would serve as part-time members. Having being appointed in December 2016, the members will all serve a term of office of five years.
With a budget of R19 million for the 2017/18 financial year, the members endeavour to fully operationalise the regulator in 2018.
According to Tlakula, since taking office, the members have embarked on a number of activities, such as finalisation of the organisational structure, which she said has been submitted to the Department of Public Services and Administration for processing.
"The processes are not moving as fast as we would have wanted to. We have set ourselves a date of 2018 for the establishment and full operationalisation of the unit. I would not say they are blockages but the processes are moving slowly as it is the nature of government processes," said Tlakula.
Tlakula told ITWeb in February that she hoped to have the compliance body fully established by the end of 2017.
POPIA and PAIA
Establishing the Information Regulator is one of the conditions set out in the Protection of Personal Information Act (POPIA). The regulator is empowered to monitor and enforce compliance by the public and private bodies in line with the provisions of both POPIA and the Promotion of Access to Information Act (PAIA).
The POPIA promotes the protection of personal information by public and private bodies, and all public and private bodies will be expected to be compliant with its provisions within one year of its commencement. It is also the responsibility of the regulator to issue codes of conduct for different sectors and is responsible for education, monitoring and enforcing compliance, handling of complaints, performing research and facilitation of cross-border cooperation.
With regards to its outstanding Section 112(2) of POPIA, Tlakula said the draft regulations were published for public comments on 8 September, with the closing date for public comments being 7 November.
The regulator has not made provision for regulations relating to section 112(2)(c) of POPIA, which provides for the processing of health information by certain responsible parties, such as insurance companies, medical schemes and pension funds as provided for in section 32(6) of POPIA. Tlakula was of the view that interested parties should make submissions in this regard.
The regulator will conduct public hearings in all nine provinces, with the draft regulations expected to be submitted to Parliament for tabling in February 2018.
SASSA debacle
The regulator was also cited as the seventh respondent in the Constitutional Court case of the Black Sash Trust vs minister of social development Bathabile Dlamini and others. In this case, the Black Sash Trust had sought relief with reference to the contract between the South African Social Security Agency (SASSA) and Net1 UEPS Technologies subsidiary, Cash Paymaster Services (CPS), including that the personal information of grant beneficiaries be declared the property of SASSA.
The regulator said the manner in which the grant beneficiaries' personal information was being used by CPS was unlawful.
"The regulator filed an explanatory affidavit to the effect that the personal information of grant beneficiaries belongs to them and could never vest in a third party," she said.
The regulator has also gone on to interact with national stakeholders, such as the South African Human Rights Commission, the National Consumer Commission, the Banking Association of South Africa and the Electoral Commission, to discuss areas of mutual interest.
The regulator is also in the process of applying for membership with the Network of African Data Protection Authorities. The regulator is already an accredited member of the International Conference on Data Protection and Privacy Commissioners.
Share