Information Regulator is hard at work
The office of the Information Regulator has to date received over 242 complaints from the public, relating to the unlawful processing of personal information and access to information.
This is according to Sizwe Snail ka Mtuze, member of the South African Information Regulator and director of Snail Ka Mtuze Attorneys at Law, speaking on Friday at the Xperien POPI and GDPR Update, held in Johannesburg.
Snail ka Mtuze explained that despite the office of the Information Regulator not yet being fully operational, public complaints have been pouring in.
"Most of the complaints we've received are from clients of organisations within the banking sector, insurance and telecoms industries. To adequately deal with these complaints, we've taken an approach of proactive governance and proactive compliance, and we've engaged the responsible parties in efforts to resolve the issues at hand.
"The general behaviour from most companies has been to agree and propose a resolution. The regulator generally receives a lot of respect from most companies and we often assist responsible parties and data subjects to try and resolve their disputes with the complainant."
The Office of the Regulator has been busy in the past few months dealing with various legal matters pertaining to the unlawful use of personal information. Among these, Snail ka Mtuze continued, is the matter relating to human rights organisation Black Sash Trust versus the minister of social development and others, where the regulator was served as the eighth respondent in the Constitutional Court case, centred on the misuse of personal information of grant beneficiaries.
The Information Regulator, he pointed out, has also received complaints about the 'master deeds' data breach, where personal information of about 30 million South Africans was compromised, making it potentially SA's biggest data breach in the country's history.
Another matter the regulator has been investigating is the Facebook data breach, where personal information of thousands of South Africans was leaked.
"It's good that people are notifying the Office of the Information Regulator about these data leaks, because it's making the office very active. As a result, we have come together with the National Prosecuting Authority and the Hawks to establish a multidisciplinary task force which deals specifically with data breaches and other forms of cyber crimes, because we've noticed this affects different institutions."
Making reference to countries across the globe, where regulators are working closely with the prosecution authorities, Snail ka Mtuze explained the new task force seeks to ensure "prosecutions do take place", as investigations of local security breaches are now more advanced.
In March, Facebook admitted data analytics firm Cambridge Analytica had harvested private information from more than 87 million Facebook users, in developing techniques to support president Donald Trump's 2016 election campaign, according to a Reuters report.
It later emerged that almost 60 000 South African Facebook users were impacted by the data leak, according to a Facebook spokesperson who gave a local update on the data privacy scandal.
Snail ka Mtuze explained: "The regulator did not keep quiet regarding the Facebook data leak matter. We wrote to Facebook SA to establish the extent of the breach and urged them to contact all South Africans affected by the social network's data breach. They referred us to Facebook Ireland, which then replied to the Office of the Regulator.
"In its response, Facebook Ireland acknowledged South African users were affected and the numbers were actually higher than expected. The social media network then referred us to the Data Protection Authority of the UK. Luckily for us, they are now one of our sister regulators as we had just done some benchmarking with them, where we have created a new marriage, and this is one of the matters that we are closely engaging them on. They should release a report which we will share publicly regarding this issue."
While the Protection of Personal Information Act, (POPI) was signed into law on 26 November 2013, it is not yet fully operational. Once it is made effective, companies will have a year's grace period to become compliant with the Act, he explained.
In terms of the project plan for the year, Snail ka Mtuze explained that the regulator has estimated that at least by January 2019, there will be a fully functional Office of the Regulator and the one-year grace period will be announced soon after.
"It is advocate Pansy Tlakula's [chairperson of the Information Regulator] wish that by January next year, the Office of the Information Regulator will be fully functional. We are hoping to have appointed people in key positions to deal with public complaints.
"Also with the elections around the corner, it would be nice to engage with the Electoral Commission of SA, having a full Act in place and not just parts and bits of it," he concluded.