
Outsourced processes threaten privacy

By Therese van Wyk
Johannesburg, 18 Nov 2011

Control of sensitive information is important to both large companies and private individuals. Yet the extent to which industry players can re-use personal information in outsourced business processes, while the Protection of Personal Information Bill (PPI) is not yet enacted, is cause for concern.

"Second use of personal information is the most critical privacy topic in South Africa today," said Michael Erner, international privacy lawyer from Mission100, at last week's IT Africa Conference, in Sandton. According to Erner, the cumulative effect of theft pales in comparison to that of second use, in the general personal privacy debate.

'Second use' occurs when a service provider, which acquires personal information to render a service, sells that information to a third party, such as a company providing outsourced business process services.

"The subject of the information does not usually know about the second use. We've had some discussions with local banks and insurance companies. One of the banks told us: 'privacy is not an absolute right. Although there is a definition in the Constitution of South Africa that everybody has the right to privacy, we have another understanding about this right'."

Erner said the bank puts a clause in its customer contract, so that the customer agrees to "the bank using my account information, the movements of my bank account, for other business purposes".

Marketing vs privacy

Key to Erner's argument was that large South African retail banks are members of the Direct Marketing Association (DMA), as are mobile network operators and many retailers and marketing companies.

"The DMA profiles the customers of the three or four biggest banks in the country, who are its founders. The lawyers and experts call this 'second use'. I call it cheating, because the subject does not know what is happening in the background," said Erner.

One possible example of second use of information is when a person, who has never had a retail loyalty card or retail brand credit card, still gets promotional post delivered to his street address, even though he never gave that information to that retail store. He gets the post because his shopping at the store fits a certain profile.

The outsourcing model, which makes second-use practices such as profiling possible, is called 'delegation of function', explained Erner. Here, the client (also called the controller) takes all the processing of a business department, and sends it to an outsourcer (also called the processor). The processor can be a data centre, HR development or HR processing department for payroll, taxes, insurance, and so on.

When the PPI finally becomes law, predicted Erner, existing outsourcing models will have to be changed to deal with second use. Until then, second use of personal information in outsourced business processes poses a privacy threat worthy of more attention in SA.
