More time needed for privacy Bill

Audra Mahlong
By Audra Mahlong, senior journalist
Johannesburg, 22 Oct 2009

Business associations have called government's implementation plans for the Protection of Personal Information Bill unrealistic, saying the three-year timeframe will only lead to surging costs and poor compliance.

Business Unity SA (Busa), the South African Insurance Association (SAIA) and the Banking Association of SA (Basa) have all called for government to introduce long-term implementation plans.

However, government has shown little concern, saying that, while some changes could be made, business would have to accept the final Bill. Business should have brought up its concerns earlier, as the process has been “protracted and in-depth” and had involved different stakeholders, says justice and constitutional development minister Jeff Radebe.

In August, Cabinet approved the Bill to go before Parliament. The draft law has been nine years in the making and will have a profound impact on business. The SA Law Commission has been drafting the Bill since 2000 and issued the first discussion paper in 2003.

The associations argue that longer timelines, for government and business, are necessary and the three-year implementation period provided for in the Bill is inadequate.

“The proposed legislation, once enacted, would necessitate a review or introduction of a number of IT policies within insurance companies in order to ensure compliance. Compliance would be difficult without the necessary changes to the IT systems and this cannot be completed in the timeframe set out by the Bill,” says the SAIA.

The Protection of Personal Information Bill, which was submitted to the justice minister in February, aims to promote the protection of personal information processed by public and private bodies. The Bill looks to establish minimum requirements for the processing of personal information and provide for the establishment of an information protection regulator.

Rights regarding unsolicited electronic communications and automated decision-making would be increased and the flow of personal information across borders would also be regulated.

High costs

Government has to rethink the implementation of the Bill and consider ways to avoid excessive costs to small businesses, says Busa. More time for implementation is needed to ease the cost burden.

Busa estimates the total cost to business could exceed R2 billion, while Basa says it could cost one of the four major banks R200 million to change IT systems to ensure compliance.

The SAIA says all businesses would have to review information management policies and procedures and update their systems to ensure compliance. Training would have to be provided and the Bill currently doesn't allow enough time for this.

“It is worrying to note that the full implementation of the provisions of the draft Bill would take time, money and scarce technical resources - and this has not been taken into careful consideration by government,” says Busa.

“The proposed legislation had to be drafted properly in order to avoid high compliance costs and potential litigation. More needs to be done to balance the right to privacy with the rights of parties to access process information and the current legislation doesn't adequately provide for this,” says Basa.