The increased use of digital networks and advances in database technology are transforming the types of information available about individuals and the manner in which businesses, including interactive service providers and online merchants, can collect, process and use such information.
Personal information has been used and (in light of emerging jurisprudence and regulation) abused for many years by a variety of businesses to market their goods and services to potential customers and to retain their existing customers.
However, failure to inform users adequately about data policies and to implement strong privacy protection risks alienating a public who fears that computer networks will be used to undermine their individual privacy and autonomy. This was graphically illustrated by the outrage of those whose unlisted numbers had become accessible to all on the Internet in the Easyinfo debacle. While there may have been other issues, central to the debate was that personal information had been used in a manner contrary to the wishes of the owners of that information.
In the response of business, facilitated by KPMG, to the Green Paper on e-Commerce, it was indicated that privacy regulation is urgently required to bring SA into line with our most important trading partners. While privacy is addressed in the Bill, the provisions of this section are not mandatory and allow only for voluntary subscription to the principles set out in the Bill. This does not go far enough, and SA remains out of line with international best practice and regulation in this sphere.
Perhaps the drafters felt that, as the Law Commission is to appoint a workgroup to deal with privacy as a separate issue, it was not necessary to do more than what they have done to date.
In the event, the Bill (a more detailed summary of its provisions is given later in this article) does no more than set out the basic principle of "informed consent" which underpins the legitimate use of personal information. As stated above, compliance with these principles is voluntary and subject to agreement between the data controller (the party collecting, collating and processing the information) and the data subject (the party from whom the information is collected). Once this agreement has been reached, the Bill provides that all of the principles set out in the Bill must be observed. Sanctions for non-compliance will need to be dealt with in the agreement between the parties.
The distinction between the provisions contained in the Bill and the regulation emerging internationally is very clear. In many jurisdictions (importantly those of our major trading partners), data protection is legislated, be that by way of sectoral legislation as is found in the US, or in general data protection legislation as is found primarily in Europe. Data protection is no longer an area where the private sector is able to regulate itself without some sort of legislative interference. Furthermore, most countries have now recognised that legislation in this area without some kind of enforcement mechanism does not adequately protect the data subject's right to privacy.
The enforcement mechanism is usually entrusted to either a private or a public regulatory body (in Europe this is usually the task of the Data Protection Commissioner, who can investigate complaints relating to data protection and who has the right to institute criminal or civil proceedings in this regard). A recent example is Canada, where the Commissioner ordered Air Canada to obtain positive consent from its six million Aeroplan (frequent flyer) members before it may share the personal information it holds with third parties.
The Bill therefore merely sets out a preferred way of conduct when businesses process personal information. In light of the deficiencies of the Bill, what can concerned businesses do to ensure that they or their industries comply with international best practice? It is suggested that they can begin to create their own industry codes, which contain the principles as set out in the Bill and which cater for their respective industry needs. Once these are created, a private regulatory body can oversee the enforcement of the industry-specific codes to ensure that the principles are not merely being paid lip service. In the US, Europe and Australia these types of Codes of Conduct have proved very valuable in the protection of data subjects' privacy.
The banking industry is perhaps a good example. Clients expect and take for granted that information given to their bankers enjoys banker-client confidentiality. The banks give comfort to their clients by stating that they comply with the Code of Banking Practice. However, an examination of that code will quickly establish that the principles applying to the code are not in line with international best practice.
The code provides: "We will treat all your personal information as private and confidential (even when you are no longer a customer). Nothing about your accounts nor your name or address will be disclosed to anyone, including other companies in our group, other than in the exceptional cases permitted by law.
These are:
. Where we are legally compelled to do so;
. Where it is in the public interest to disclose;
. Where our interests require disclosure;
. Where disclosure is made at your request or with your written consent."
These principles are based on a 1936 Appellate Division case which, in the light of subsequent developments, is clearly outdated. The provision allowing disclosure where the bank's interests (decided, presumably, by the bank) require it is no longer tenable. The Banking Council has indicated that it is awaiting legislative reform before it amends the code. However, this is an instance (particularly in light of the general principles now contained in the Bill) where it can and should take the lead in regulating its industry in line with international best practice and regulation.
It is also suggested that companies with an international presence in particular (all of the major banks have an international presence or ambitions) should adhere to these basic principles to ensure the free flow of information across national borders, as non-compliance could severely impair trading relationships between companies (see the discussion of the EC Directive below). Companies internationally have come to realise that the protection of personal information can create a competitive advantage, especially in the e-commerce environment where trust is critical in retaining and gaining customers. In a survey conducted by KPMG in 2001 relating to e-fraud and security, in which the world's largest companies in 12 countries participated, more than 80% of respondents identified privacy as a concern in doing business online. If a tenet of good business is that we take heed of our clients' concerns then, for the sake of good business, business needs to consider and govern its conduct with proper regard for these concerns.
Details of the Bill's principal privacy provisions
The Bill provides that, unless otherwise permitted by law, a data controller must have the express written consent of the data subject for the collection, collation, processing or disclosure of any personal information. Personal information refers to any information relating to an identified or identifiable natural person (data subject), where this identification process can be either direct or indirect. The provisions in the new Bill will only apply to personal information obtained through electronic transactions.
Processing of personal information rests on seven basic principles as set out in the Bill. These principles are in line with international best practice, and the draft legislation is based largely on the "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data". The principles are the following:
. No data controller may electronically request, collect, collate or process or store personal information on a data subject, which is not reasonably necessary for the lawful purpose for which the personal information is required.
. The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.
. Unless otherwise permitted by law the data controller may not use the personal information for any other purpose than the disclosed purpose without the express consent of the data subject.
. The data controller must, for as long as the personal information is used and a period of one year thereafter, keep a record of the personal information and specific purpose for which the personal information was collected.
. Unless required by law or if the data subject has given consent, personal information may not be disclosed to any third-party.
. The data controller must, for as long as the information is being used, and for a period of a year thereafter keep a record of any third party to whom the personal information was disclosed.
. The data controller must delete or destroy all personal information obtained otherwise than as permitted in the Bill, or which has become obsolete according to the provisions of the Bill.
The Bill also makes clear that the use of profiles will only be permissible if the profile cannot be linked to any specific data subject.
Promotion of Access to Information Act
In addressing the status of privacy regulation in SA, we need to recognise the rather strange phenomenon that, while we have not yet regulated privacy (aside from the overall right to privacy contained in the Constitution), we do have regulation on access to information.
Access to information usually forms part of Data Protection Legislation and the Open Democracy Bill initially dealt with both privacy and access. We therefore currently have an aspect of data protection legislation, which is extensively dealt with in the form of the Promotion of Access to Information Act.
The Promotion of Access to Information Act 2 of 2000 seeks to advance the values of transparency and accountability that underpin our new democratic order. The legislation flows directly from the constitutional requirements of section 32 of the Constitution of SA. This Act allows not only for access to information held by the state but also to information held by private bodies.
In terms of the Act, organisations are required to appoint a "head" (usually the CEO) who is responsible not only for disseminating and monitoring requests for access to information, but who also decides, in his or her discretion, which information to divulge.
The process of accessing information held by a private body is as follows:
The requester must lodge a request with the duly appointed head of the organisation. He or she must decide, and notify the requester, within 30 days of the date of the request whether access is granted or refused. A formal request, however, need not be lodged where the information is automatically available. The basis on which information will be accessed must be set out in a manual, which, according to section 51, each organisation is to publish within six months after the commencement date of the Act, and which sets out in sufficient detail a description of the categories of records held by the organisation.
Although the Act strongly safeguards the interests of individuals wishing to assert their right of access to information, it also provides for instances in which a denial of access may be defended. Chapter 4 lists the grounds upon which an organisation may refuse to divulge information. For example, an organisation may refuse access to a record if it contains trade secrets of the private body, or other financial, commercial, scientific or technical information (other than trade secrets) of the private body.
The Promotion of Access to Information Act serves to open the door to accountability not only in the public domain, but also in the private sphere.
An extremely useful guide to those charged with dealing with the provisions of this Act is: The Resolve - KPMG; Commentary on the Promotion of Access to Information Act.
EC directive on the processing of personal information
With the establishment of the European Union, data protection is one of the areas of law that is being harmonised. This is in line with the rationale of the European Union, which is aimed at promoting an internal market where goods and services may be traded without any barriers. Thus a Directive of the European Community on the Processing of Personal Information came into force in 1995. It gave the 15 member states until 1998 to enact domestic legislation, which contained the general provisions in the directive.
The directive also puts into effect the principle that a country within the European Union is prohibited from transferring personal data to a country which does not have adequate legal protection of the privacy of personal information.
It is important to note that SA has been "blacklisted" by the European Commission for not having an adequate level of data protection. To ensure that data can be exchanged freely between SA and Europe (our main trading partner), the importance of adequate regulation of the privacy of information cannot be overstated. One would hope that, in light of the inadequacy of the Bill in dealing with this issue, the urgency of establishing a Law Commission workgroup to address the current deficiencies is both realised and acted upon with considered haste.
Recently, addressing a conference on cybercrime in Hong Kong, FBI assistant director Ronald Eldon stated: "Government must respond not at government time but at Internet time." Given the urgency of putting adequate regulation in place, we can only hope that our government's response is swift. Should it not be, the consequences may prove to be severe.
Conclusion
SA lags behind many of its important trading partners in regulating the protection of personal information. However, it is not a purely legal issue. The importance of understanding, implementing and creating a culture of respecting personal information is a business issue. Those companies that do so are likely to reap the dividends of what is internationally accepted conduct. Those that do not may find that the public may penalise them far more heavily than the courts.