Info Regulator cracks whip on political parties ahead of elections
The Information Regulator has told political parties to safeguard voters’ personal information ahead of next month’s local government elections.
This comes after the date of the 2021 local government elections was confirmed as 1 November by minister of cooperative governance and traditional affairs Dr Nkosazana Dlamini-Zuma.
South Africans will be going to the polls to elect councils for all district, metropolitan and local municipalities in each of the country's nine provinces.
“During election campaigning, the processing of personal information of data subjects, who are voters in this instance, is inevitable,” says the Information Regulator in a statement.
“Therefore, the Information Regulator reminds all political parties that they must ensure lawful processing of personal information as prescribed in the Protection of Personal Information Act (POPIA) 4 of 2013,” notes the information watchdog.
The warning comes after government entities have, of late, become victims of cyber crime, with organisations such as Transnet, the Department of Justice and Constitutional Development and the South African National Space Agency being targeted.
The justice department, under which the office of the Information Regulator falls, this month revealed that 1 200 files containing the names, banking details and contact details of those who had submitted personal information to the ministry were compromised in a ransomware attack.
SA’s data privacy law POPIA came into play in July, after organisations were given a one-year grace period to comply with the new legislation.
Breaching the rules and regulations outlined in the Act can have serious implications for organisations, costing them more than money and carrying long-lasting consequences.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
The legislation ensures all local institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information. It holds them accountable should they abuse or compromise personal information in any way.
July 2021 saw the country join the rest of the world in protecting the right to privacy in this digital age of the fourth industrial revolution.
Voters can object
The Information Regulator is mandated to ensure the protection of personal information by monitoring and ensuring compliance of responsible parties.
“Political parties and independent candidates are responsible parties and must comply with the provisions of POPIA,” says the watchdog.
When processing the personal information of a voter, a political party must ensure the processing complies with the conditions for lawful processing of personal information as prescribed in POPIA, such as:
- A political party must take overall responsibility to ensure it processes personal information lawfully.
- A political party may only process information that it reasonably needs and upon obtaining consent directly from a voter. Political parties may not obtain personal information from data brokers, or through applications that automatically generate personal information (such as telephone numbers). A voter may at any stage object to the processing of his or her personal information. If a voter objects, then a political party may no longer process that voter’s personal information.
- A political party can only process the personal information of a voter for purposes directly related to the objectives and purpose of its mandate.
- Voters must be notified that a political party is processing their personal information.
POPIA places obligations on organisations to gain consent when sending SMS messages to their contacts. Specifically, the Act requires an opt-in regime for consumers to receive direct marketing SMS messages.
The regulator points out that, in light of the cyber security compromises of personal information that have riddled the country, the Independent Electoral Commission and the political parties have a responsibility to put in place adequate security measures and controls to safeguard voters' personal information against loss, damage and misuse.
As with many laws, it adds, there are some exceptions to the applicability of POPIA.
The regulator notes section 26 prohibits the processing of special personal information, which includes the political persuasion of voters.
“However, political parties may process information concerning the political persuasion of voters in accordance with section 31 of POPIA, if that information relates to members, employees or other persons belonging to the political party, and where such processing is necessary to achieve the aims and principles of the political party.”
Parties have been warned
According to the regulator, in terms of section 31, a political party may process information related to the political persuasion of a voter for the purpose of forming a political party, participating in its activities, engaging in the recruitment of members, canvassing supporters or voters for an election or a referendum, and campaigning for a political cause.
However, it says a political party must still comply with the conditions for the lawful processing of personal information when processing information related to the political persuasion of a voter.
The regulator says it has conducted engagements with political parties, including participation in a Special Provincial Party Liaison Committee meeting to present the importance and need to comply with POPIA and ensure the protection of voters’ personal information during the election period.
The authority has also published guidance notes on the processing of personal information of a voter by a political party, which are obtainable on its website.
“To ensure we protect the constitutional rights of the citizens of South Africa, all political parties and candidates must uphold the law and comply with the requirements in POPIA,” says advocate Pansy Tlakula, chairperson of the Information Regulator.
“The regulator continues to provide guidance and educate responsible parties in applying this law and protecting the rights of citizens,” she concludes.