POPIA thoughts and perspectives… 10 months in

By Karl Blom and Cindy Leibowitz

Johannesburg, 26 Apr 2022
Karl Blom, Senior Associate, Webber Wentzel.

Recent developments relevant to data protection issues offer some guidance for businesses, including in the event of data breaches and M&A transactions

It has been 10 months since the commencement of the Protection of Personal Information Act, 2013 (POPIA). We have taken stock of recent data protection developments and have set out some key learnings to guide you in your POPIA compliance journey.

The matric results debacle – the parameters of compliance when publishing personal information

At the start of 2022, the Department of Basic Education (DBE) decided not to publish the 2021 matric results on public platforms, as it has traditionally done at the start of each year. The Information Regulator issued a statement following this decision, in which it said that the DBE "has a duty to ensure that matriculants receive their results", but that this must be done in a manner that complies with POPIA. The Information Regulator emphasised the following (non-exhaustive) requirements in her statement:

One matriculant challenged the DBE's decision in the High Court, seeking an order compelling the DBE to publish her results on public platforms. This learner stated that the results could be published without reflecting the learners' names and surnames. The court granted the order as the matter was unopposed, but did not provide any reasons for its decision.

Cindy Leibowitz, Knowledge Lawyer, Webber Wentzel.

The matter emphasises that the right to privacy must be balanced with the right to access information. This relationship can be complicated, and many factors need to be considered in assessing each particular set of circumstances to strike the right balance. Future judgments should provide further guidance on this dynamic.

Learnings from the TransUnion data breach

In March 2022, credit bureau TransUnion announced it had suffered a data breach. The Information Regulator has expressed its views regarding the handling of this data breach, indicating that the notification by TransUnion was "inadequate, unsatisfactory and falls short of what is required" by POPIA. The Information Regulator's concerns centred on the lack of detail provided to the Information Regulator, indicating that less is not always more when demonstrating to the Information Regulator that a data breach has been managed appropriately.

There are three important takeaways from the Information Regulator's statement on this data breach:

M&A and POPIA

Every business processes personal information about its employees, customers, suppliers, contractors and other stakeholders. A particularly vexing question is how to comply with POPIA when selling a business to a third party. This question must be considered at each stage of the transaction, including post-transaction, when systems are being integrated.

Companies often grapple with determining whether employee consent is needed to transfer employee personal information to an acquirer. If the acquirer is located outside South Africa, the seller must consider how to lawfully transfer personal information to the offshore acquiring party, given POPIA's specific requirements. The Information Regulator has not yet provided a guidance note on this particular issue. In the interim, overseas guidance may prove useful, including the Data Sharing Code of Practice published by the Information Commissioner’s Office (ICO) in the UK.

Ensuring POPIA compliance during an M&A transaction may require some upfront planning and we recommend involving a privacy lawyer at an early stage of the transaction to avoid falling foul of any regulatory requirements.

Useful links

We include some links to guidance notes published by the Information Regulator:

Our team of expert privacy lawyers is available to help you with any POPIA-related issues. We have some unique offerings to assist you on your POPIA compliance journey, including an online alert tool to guide you with a data breach and a POPIA startup kit for those businesses that need to kickstart their POPIA journey.

Please contact Peter Grealy, Nozipho Mngomezulu, Wendy Tembedza, Karl Blom or Christof Pienaar for assistance.