
Privacy law pending

The Bill will be translated into Afrikaans before being sent to president Jacob Zuma for sign-off.

By Nicola Mawson, Contributor.
Johannesburg, 26 Aug 2013
A law that should cut down on spam is expected to be in place by year-end.

A law seeking to protect personal information has been passed by Parliament and now only awaits president Jacob Zuma's signature before coming into effect.

The Protection of Personal Information (PPI) Bill will now be translated into Afrikaans before being sent to the president for assent, notes law firm Bowman Gilfillan. The company expects the Bill to become law before the end of this year, after which companies will have a year to comply with its requirements.

SA's privacy law, several years in the making, is the first consolidated piece of privacy legislation in the country, and dictates how, and for what purposes, personal information may be used. It also dictates how data must be stored securely, and forces companies to notify people whose information has been breached.

The Bill also seeks to regulate direct marketing and unsolicited communications, and should cut down on spam, as it specifically covers electronic communications and calls from telemarketers. SMS and e-mail account for the bulk of spam.

Non-compliance carries hefty penalties under the proposed legislation, with fines of as much as R10 million for breaches. Law firm Michalsons points out that non-compliance also carries the risk of reputational damage, which could lead to companies losing customers and failing to attract new ones.

Keeping data safe

Bowman Gilfillan notes, in its e-mail update, that the pending law will introduce comprehensive new requirements around data privacy to protect personal information. "In future, businesses that collect, hold and use individuals' personal information will have to do so under certain conditions."

The law's requirements will apply to personal information that companies keep relating to employees, customers and clients, prospective customers and clients, visitors to premises, and any other personal information that a business holds "in the context of its particular activities", says Bowman Gilfillan.

"From a practical perspective, businesses will need to identify the types of personal information that they hold, the policies, processes and procedures that are used when dealing with personal information, and the types of systems that are in place to protect and secure personal information, in order to assess levels of compliance with the Bill."

Not ready

According to the results of the ITWeb/Deloitte PPI Bill Survey, which ran online for 14 days during June, 41.11% of respondents had not yet started complying with the PPI Bill.

Just over half of the respondents, at 56.1%, said their organisations do have information security policies, processes and procedures in place; 10.98% said they have no high-level data security; 12.2% only secure softcopy (electronic) data; and 10.98% only secure hardcopy (paper) data.

It also emerged from the survey that 21.18% of respondents regard systems that have not been secured correctly as one of the highest privacy risks to their organisations; however, third-party service providers and poor policy governance were also viewed as significant concerns, at 16.47% and 14.12%, respectively.

Some 44.3% of survey respondents stated their organisations do not transfer personal information across borders, while 27.85% do.

Some of the important features of the Bill:

* A business cannot collect more personal information than is necessary to fulfil the purpose for which it is collected.
* Employers may not collect and process their employees' personal information except as permitted under the pending law.
* Businesses will have to allow customers or prospective customers to specifically opt-in to receive direct marketing communications.
* Steps must be taken to secure the integrity and confidentiality of personal information in a responsible party's possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
* Transfers of personal information outside SA will have to meet certain requirements.
* A new regulatory body, called the Information Regulator, will be established and will be tasked with issuing codes of conduct, educating the public on issues relating to the protection of personal information, monitoring and enforcing compliance with the law, receiving and handling complaints about alleged violations, serving information notices, enforcement notices and infringement notices, and obtaining a warrant for search and seizure.
* The Bill provides for a transitional period: all processing of personal information will be required to comply with the provisions of the Act within one year after its commencement. This transitional period may be extended to three years if necessary.
(Source: Bowman Gilfillan)
