Information Regulator delay leaves citizens unprotected
A further delay in the appointment of SA's Information Regulator is extending the time in which South Africans are being denied protection of their personal information and rights to privacy, according to experts.
MPs will only be able to re-vote on the appointments of the Information Regulator positions when Parliament reopens after the 3 August local government elections. This after the National Assembly last week could not approve the appointment of an Information Regulator chairperson because not enough MPs were in attendance to get a proper majority.
"It's just a few more months that South African citizens are denied the full protection of the law in respect of their rights to privacy," according to ICT analyst Adrian Schofield.
John Giles from Michalsons Attorneys says it is frustrating for everyone, but especially data subjects, because it means it will take longer for them to be protected from harm.
"Many people in SA (often the poor) are having their money and identity stolen because their personal information is not being protected (sometimes by government). They are the ones who are suffering because of the delays in Parliament."
Parliament is required to appoint an Information Regulator to enforce the Protection of Personal Information (POPI) Act.
The POPI Act was signed into law by president Jacob Zuma in November 2013, and promotes transparency with regard to what information is collected and how it is to be processed. The law also makes South African companies globally competitive in terms of international data exchange laws. However, over two years later it is yet to be signed into law.
"POPI cannot commence without the regulator being in place," says Giles.
The justice and correctional services committee has recommended former Independent Electoral Commission (IEC) chairperson, Pansy Tlakula, to the position of chair of the Information Regulator.
However, the vote on her appointment received only 198 votes in favour, while 59 MPs voted against her appointment. Deputy speaker Lechesa Tsenoli explained that at least another three votes were needed for her appointment to succeed.
Tsenoli said under the POPI Act, persons nominated for appointment to serve on the Information Regulator must be approved by the majority of the assembly. Because there are 400 assembly members, at least 201 votes in favour were needed for approval.
"Presumably, the three parliamentarians who were not in the National Assembly to vote for the nominees had good reasons for their absence," says Giles.
The justice and correctional services committee also recommended Johannes Weapond and Lebogang Stroom serve full-time on the Information Regulator board, and Sizwe Snail and Tana Pistorius on a part-time basis.
Schofield says it's hard to quantify how serious another delay is "since we will never know how many people will be disadvantaged by the additional delay".
"One can deduce that the government does not see the rights of citizens as deserving of any urgency - there is no justifiable reason for the extended delay in making the appointment."
The regulator's role
"A strong regulator is a critical ingredient for the success of POPI," says Giles.
"The role is obviously important as the regulator will ensure the effectiveness of the POPI legislation and the fairness of its application," adds Schofield.
He says POPI requires a regulator to perform certain essential functions.
"Public and private enterprises are required to have an information officer registered with the Information Regulator - currently, nobody needs to comply since there is nowhere for them to register. Data subjects with complaints need to complain to the Information Regulator, so they are currently unable to do so."
Schofield says that with all government appointments, the person appointed as Information Regulator needs to be "objective, independent and someone who understands the issues of personal privacy, data management and information security, both from a practical standpoint and a legal perspective".
Giles says they also need to be willing to work with other data protection regulators or authorities around the world; and have the practical skills required to set up and run the regulator on a limited budget.
"But probably most importantly, they will need political skills to deal with some tricky situations. The regulator must make sure government (like home affairs) protects the personal information of the people and hold government responsible (by fining them or claiming damages from them) when they don't. This will not make them popular with government and they'll need to be brave," adds Giles.
Some have been hesitant about Tlakula's nomination because of the circumstances in which she left the IEC. When she resigned in 2014, there were allegations of compromised integrity with regards to the procurement of the lease for the IEC's head office in Centurion.
She spent over a year trying to clear her name after public protector, Thuli Madonsela, found she had broken procurement regulations in securing the lease for Riverside Office Park, and had a conflict of interest as a result of an undisclosed business relationship. A National Treasury probe also found the process was neither fair, transparent, nor cost-effective.
She consistently denied any involvement in corruption and said she did not benefit personally or financially from the transaction.
"We think she will be good in the role. Many people focus on her exit from the IEC, but her other achievements and track record are impressive, which make her suitable for the role," according to Giles.
Schofield also says he has no objection to her taking the role.