The concept of privacy, especially regarding electronic formats, is in a legal no-man's land despite having constitutional protection and being seen as a common law right.
While this is likely to change, it will take some time for the legislative oversight to be corrected as the SA Law Commission is still in the early stages of examining privacy of information regarding data collected and stored in databases.
Various laws have been enacted that place contradictory obligations on companies on what information they can hold on individuals, what authorities have to be notified and what access they have to give to that information.
These laws include the Electronic Communications and Transactions (ECT) Act, the Financial Intelligence Centre Act, and the Access to Information Act. While all these acts do have some reference to privacy, none of them define what it actually is.
"Privacy protection is there, but one has to ask for it in order to get it," says Paul Esselaar, MD of online resolution company Trustenforce.org.
The SA Law Commission is looking at the concept of privacy, especially relating to information stored on databases, but it will still be a long time before this becomes legislation.
"The current acts, such as the ECT Act, have deliberately stayed away from defining the concept of privacy, as the people drafting it were aware that other legislation would be written," Esselaar says.
While Section 45 of the ECT Act allows people to find out how a company obtained personal e-mail addresses and makes it a criminal offence to keep sending unsolicited electronic correspondence after being asked not to, it is up to the individual to pursue the matter.
However, with the advent of the information age, it is even more important for companies to gather details on people such as their financial status, whether they are married or not, and other details that are considered personal. Furthermore, it may be necessary to transmit this information across international borders to facilitate certain business transactions.
Julien Hofman, a director of Trustenforce, says: "It seems that SA needs legislation that will clarify the legal position of all forms of commercial information collecting and trading."
Hofman says there are two different models for legislation of this sort. The first is that of the European Union (EU), which places the emphasis on the information collector and offers the most protection for the individual.
"The principles that underlie this model are, in brief, that all information must be obtained lawfully and may not be used for any other purposes than the purpose for which it was provided. The information must not be more detailed than is required for the purposes for which it was collected; the information must be kept safe and must not be kept for longer than is necessary for the purposes for which it is collected," he says.
The US approach makes life easier for business. An individual who accepts a business's privacy policy no longer has control over that information. This means, for example, that a transport company that collects information about commuter habits with the aim of providing customers with a better service can more easily justify passing that information on to suppliers of other goods and services, including the state.
"The US approach also avoids the danger that too much regulation could create a black market in personal information," Hofman says.
Both the European Union and US approaches recognise that the customer is entitled to a say in how a business uses the information a customer provides. The difference is that in the US, information flows more freely because the individual is responsible for managing personal information. The EU, on the other hand, makes the information collector responsible for protecting individual privacy.
Hofman says: "Given SA's traditional preference for state regulation rather than self-regulation, it is likely that SA will be inclined to follow the EU model. Business leaders need to be aware that this is not the only model. They should think seriously about the implications of the different forms of information privacy protection for their business."