Bill to have 'profound effect'

By Farzana Rasool
Johannesburg, 11 May 2011

A report on the Protection of Personal Information Bill (POPI) is set to be presented to Parliament on 24 June, after further deliberations scheduled for later this month and early in June.

The Bill was submitted to the justice minister in February 2009 and aims to protect personal information processed by public and private bodies. The implementation phase was set to begin on 10 September 2010, but the deadline was not met.

A panel at ITWeb's Security Summit yesterday said the law has been in the pipeline for more than 10 years.

Discussing privacy in SA, the panel said Parliament has appointed a technical committee to deal with the technical issues in the Bill.

Service differentiator

The law will have a profound impact on business, including large costs to implement the correct systems.

The panel said when POPI comes into play, failure to have proper privacy controls in place would be deemed an offence. The law will give more access and definition to the rights of privacy.

There are going to be significant impacts in both the public and private sectors with POPI, although the private sector may not experience as big an impact as the public sector will, said panel members.

They added that the financial sector has been regulated quite stringently in the past. The sector already has good competition at play, but POPI will act as a service differentiator and will affect competition in this way.

Global force

Organisations have the responsibility to satisfy the requirements of the Act. In terms of IT, technology needs to be placed in such a manner as to protect information.

All staff need to understand their responsibility in complying with the Act. Staff working with personal information, such as HR departments, also need to be properly screened, according to the panel.

When hiring employees, companies need to ensure they understand the principles and processes of the Act.

For marketing, data subjects must be informed of the intended use of their personal information that was gathered. Companies also need to provide mechanisms so data subjects can give or revoke consent.

The panel also said POPI makes the assumption that an organisation already has a governance mechanism in place. There are quite a few processes that organisations need to keep in mind, such as data handling.

The trans-border flow of information means once POPI is in place, before an organisation can send information across the border, it has to ensure the recipient country has the same principles as POPI, and must get consent from the data subject to send their information across.

The positive aspect of this is a global legislative force where citizens know their data is not going to be at greater risk outside of SA, said the panel.

Full disclosure

POPI is not limited to companies, but will be applicable to natural persons, juristic persons, an administrative body, or any other entity.

The Act will create additional obligations for all organisations that deal with personal information (automatic and non-automatic processing of personal information).

Organisations must now act and execute the necessary information classification to establish whether they actually deal with personal information, and then to label the same for internal purposes.

Organisations will have to process personal information in accordance with specific principles. Each principle entails a variety of obligations and actions to be executed by the organisation, like obtaining consent from the data subject and fully disclosing the organisation's details and details of any third party that may act on behalf of the responsible organisation.

Firms that deal with personal information will have to make changes internally to ensure they can deal appropriately with it.

Companies will have to amend their current internal policies, current agreements with customers, and privacy policies presented to clients.