Bill to shake up data collection

By Admire Moyo, ITWeb's news editor.
Johannesburg, 05 Oct 2010

Adoption of the imminent Protection of Personal Information (POPI) Bill will make SA a safe harbour for the transfer of personal information from third countries, says Clem Daniel, director at law firm Cliffe Dekker Hofmeyr.

Comparing the country with other regions, Daniel says in terms of the European Union Directive on Data Protection, as well as the frameworks developed by the Working Party on Data Protection, sufficient data protection laws should be enacted and enforced in third countries that wish to process personal information from Europe.

He believes this places SA at an obvious disadvantage for the purposes of international trade and investment.

“Related to this is the fact that the world is becoming ever more interconnected; it simply makes economic and business sense for SA to bring its legal framework into line with the emerging international norm,” says Daniel.

He adds that it is better for SA to start engaging with data privacy issues and move with the flow as the global data privacy environment develops, as opposed to trying to catch up later, at which point disruptive effects on business are likely to be more significant.

Business not as usual

With regard to business, Daniel says the draft legislation will have fairly significant operational, technical and financial impacts.

“It seems that, with rare exception, almost all businesses are going to have to set up new processes and methods for handling personal data. In addition, it seems that almost every business in the country will be affected by the legislation as now drafted,” he notes.

Illustrating how the Bill will affect business, Daniel says organisations are going to have to limit their gathering and processing of personal information to the minimum required for an explicit, defined and lawful purpose.

He adds that all businesses that collect or process personal information will be required to register with the regulator and define precisely the purpose for which they collect and process data.

“Some of the more significant impacts that POPI will have on the way we do business pertain to the notification requirements to the data subject as well as obtaining consent from the data subject, for, among other things, the processing of personal information, the transfer of personal information, and the retention of records,” Daniel points out.

Information protection principles

According to Daniel, the most important aspect of POPI is the eight core information protection principles. These include accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.

He says these principles are largely based on an emerging international consensus as to what the key principles surrounding personal data protection are or should be.

Other issues arising in the working draft of the legislation are sections dealing with the misuse of what is referred to as 'unique identifiers'.

“This essentially refers to the type of information you would use by way of a profile and password when logging on to your bank account or other system which relates to a financial institution,” explains Daniel.

The proposed law also prohibits the processing of personal information for direct marketing by electronic communication, subject to specific exemptions. The Bill defines electronic communication as being “not limited to” automatic calling machines, faxes, SMSes and e-mails.

In that vein, it says a business may only send unsolicited communications to persons who consent to receive the same information or to its customers. In addition, a business may only deal with the personal information of its customers if it has obtained the customer's details in the context of a product or service sale.

Daniel says: “The effect is to limit marketing to existing customers. The products that may be promoted may only be similar products or services to those already sold to the customer. This may mean having to separate customer databases according to product types, which may add a layer of technical complication. Customers are to have the usual opt-out rights.”

Daniel also points out that the proposed penalty for contravening the legislation is a maximum of R1 million or 10 years or both. “In my view this is insufficiently severe given that it only applies to offences of a serious or persistent nature where there is knowledge or ought to have been knowledge.

“It is a maximum limit and the amount of damage which may be caused by the misuse of such information may far exceed the value of the penalty.”

Wait and see

According to Deloitte, much of the debate around POPI centres on how onerous the minimum requirements for compliance will be, how long organisations will be given to comply, and what the cost implications are likely to be.

In a press release, the consultancy firm says many companies have chosen to take a 'wait-and-see' approach.

“Our experience has shown that those companies that see regulatory change as an opportunity for increasing business value adopt a more positive, proactive approach and also spend considerably less in achieving compliance over the long-term,” comments Dean Chivers, director of tax and legal at Deloitte.

The Bill is set to become law in December.