Subscribe

Data privacy Bill in suspended animation

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 20 Feb 2008

Government is making haste slowly to enact the Protection of Personal Information Bill that will fundamentally alter the way companies handle data related to clients and staff.

Once law, the legislation will help protect people from criminals by holding companies and individuals, who fail to take adequate steps to protect other people's private information, legally liable.

In terms of the proposed law, companies, for example, will be required to notify all customers affected by security breaches that could result in identity theft. Offenders could face up to 10 years in prison, as well as fines and punitive damages.

The SA Law Reform Commission (SALRC) has been intermittently working on the Draft Bill since 2000. "I discussed the SALRC draft privacy Bill with the departmental officials in charge of legislation," Democratic Alliance MP Sheila Camerer told ITWeb a year ago.

"Although it is regarded as a priority, the project is still at an early stage and has not yet moved from the SALRC. In other words, the justice department is not yet working on the legislation. It is certainly not on the agenda for this year," Camerer added.

That is still the case in 2008. A look at Parliament's legislative programme for this year makes no mention of the draft law and lawyers are becoming impatient.

Webber Wentzel Bowens (WWB) partner Dario Milo says the situation is "not desirable". "We are entitled to know what is going on and where it [the legislative process] is at," he says. Milo says a discussion paper and draft Bill was published in 2005 and nothing further has been heard since.

Lance Michalson, senior partner at Michalsons, the specialist IT law firm, says public awareness about the issue has grown in recent years, but the absence of legislation has led to uncertainty. "There is a lot of confusion about what the law will mean for business. People are confused what it will practically translate into. They must hurry up now," he says.

'Wild West'

"Currently, no other law properly deals with the protection of personal data in electronic format," says Buys Incorporated lawyer Reinhardt Buys. "In other words, the Bill should be enacted as soon as possible. The longer the Bill's enactment is postponed, the longer the gross violation of data privacy in SA will continue."

Buys says the Bill will end the current Wild West attitude towards electronic data privacy in SA, as well as the "wholesale commercialisation of personal information and databases".

There is a "general lack of any rules or controls over the collection, use, disclosure and sale of digital personal data like e-mail addresses. The sale of databases containing personal details is rife in SA and leads to numerous abuses like SMS spam, cross-selling and the like."

There are no rules requiring the secure storage of personal data "and if such data is stolen by hackers or rogue employees the victims are left without any legal recourse".

Milo adds that WWB advises its clients to anticipate the principles contained in the Bill. "We've been telling them to gear up for the law... we're telling them it is on the radar and it will have cost and process implications."

"You can sell your information to the highest bidder as the law now stands," says Michalson. He adds the Electronic Communications and Transactions Act contains interim data privacy provisions, but these are voluntary and are mostly ignored.

Related stories:
Effective record retention requires destruction
Local data protection steps up
Privacy essential for corporate governance
Government to protect personal information

Share