The current law of data privacy in South Africa
Legislatures over the world have woken up to the threat posed to the privacy of citizens by the rapid pace of technological development, notably in the field of data science. As a result, we have seen international enactments with substantial penalties find their way into law.
In South Africa, the Protection of Personal Information Act (commonly known as "POPI" or "POPIA") is not currently fully in force, but is substantially aligned with this trend and will be come into full effect in due course.
Although we do not yet have legislation dedicated to the topic of data privacy fully in force at the moment, that certainly does not mean there is a vacuum. Our constitution enshrines the right to privacy in the bill of human rights and our common law, which for instance provides for remedies in delict in the event of unlawful infringement of a person's right to privacy.
Aside from that, other substantive pieces of legislation, notably in the fields of consumer, financial and medical services (such as the National Credit Act, the Consumer Protection Act and the Electronic Communications and Transactions Act) already have bearing on the topic of data privacy.
It follows that just because we do not have dedicated legislation fully in force does not mean there are no obligations in respect of data privacy in South Africa.
Practical first steps
1. Identity the personal information in your care
Broadly speaking, "personal information" in this context is information relating to an identifiable, living, natural person in the broadest form.
Although POPIA is not fully in force, the definition is instructive. Section 1 defines "personal information" in a fair amount of detail. You will note that in the South African context, the definition also explicitly extends to similar information in respect of an identifiable, existing juristic person (to the extent applicable).
In identifying the personal information in your care, it is important to note that not all pieces of personal information carry the same compliance duty. You should identify the personal information of minors in your care and so-called "special personal information". The latter includes health data, biometric data and the like. Section 26 defines the sorts of data of this type and is again instructive.
Once you have an understanding of the types of information in play, you should identify when any such information is:
- processed by you;
- processed by another at your request;
- processed by you at the request of another.
The term "process" (as used in POPIA) is very broad and essentially covers just about any action in relation to personal information taken by you or on your behalf.
You can find a nicely formatted copy of POPIA here: http://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf.
2. Assess current legal compliance obligations
At the risk of stating the obvious, you should take account of existing obligations pertaining to data privacy. Such obligations may originate from:
- existing legislation, as aforesaid;
- industry-specific regulations and binding codes of practice;
- foreign legislation with extra-territorial effect, such as the General Data Protection Directive (commonly "GDPR") of the European Union.
You should understand your existing legal compliance obligations and take care to comply with them. Here you may want to engage the services of someone knowledgeable on the topic if you do not have such expertise in-house.
If you find that GDPR applies, the steps that follow can still be useful, but they would have to be executed without delay given that you already have a compliance duty and the administrative penalties are potentially crippling (as you will see from some examples below).
3. Information security
You have to be seen to be acting with reasonable care when dealing with personal information in your care. One way to assist in doing so, is developing clear business rules in the form of appropriate policies and procedures that apply to dealing with personal information.
At a high level should consider the following:
- Your policy should deal with threats to the unauthorised disclosure of personal information, such as internet, network and database security, data destruction and data taken offsite. There are some handy standards in the marketplace that you could use to calibrate against.
- Your policies should not only address technical measures, but also operational measures.
- Contractors that process personal information on your behalf should agree to abide by your standard and notify you if they are unable to do so or an incident has taken place. You may want the right to audit their compliance in appropriate cases.
- Your policy should ensure that management is notified as soon as an incident is detected.
Resist the temptation to stop at merely writing a policy, as it will not in itself manage the risk. Take care to train and retrain relevant employees and to do internal compliance checks from time to time.
If you work with very sensitive personal information, consider engaging a third-party to conduct an audit of your information security and perhaps even a penetration test.
4. Review business practices and datasets for incompatibility with POPIA
What follows is only useful for purposes of an initial, high-level risk assessment. It is NOT intended to be the yardstick for compliance.
Generally speaking, the following practices tend to pose a lesser risk:
- where the consent of a person to use his or her data has been obtained, provided that such consent was (really) obtained by specific, voluntary and informed;
- use of personal information where it is absolutely necessary for legitimate business purposes rendered at the request for the relevant person.
Again, generally speaking, the following practices tend to pose a higher risk or could even be illegal in due course:
- using personal information for a purpose you did not collect it;
- collecting unnecessary personal information, especially if the person involved is not aware of it;
- failing to take reasonable care to secure data;
- sharing personal information with a third party without express consent of the relevant person;
- combining personal information from multiple sources;
- transferring personal information across borders; and
- any processing of special personal information or personal information of minors.
Business practices and datasets should be scrutinised against the above considerations to analyse the risk that they pose at a high level.
5. Roadmap to full compliance
You should be able to build on what was done in the previous steps to formulate a roadmap to substantive compliance, addressing the biggest risks in your business first.
For instance, where a particular business practice or data set is found to be potentially non-compliant, remedial action must be taken while POPIA is not yet fully in effect. Such action may include engaging the relevant persons regarding their data, changing or stopping a business practice, purging non-compliant data or anonymising it.
Here you may want to again consider engaging the services of someone knowledgeable on the topic if you do not have such expertise in-house to avoid an unsighted risk or compliance duty being left unattended.
Calibrating the risk
If penalties contained in POPIA and recent international precedent is anything to go by, our regulator and courts will seek to give full effect to right to privacy.
Let's look at two recent international examples:
- The hotel group Marriot is facing a fine of £99m from a security breach in 2014 of hotel company Starwood, which was acquired by Marriott in 2016. The breach was however only detected in November 2018.
- British Airways is facing a record fine of £183m for last year's breach of its security systems. The regulator alleges that a variety of information was compromised by poor security arrangements at the company, including log in credentials, as well as personal and transactional information.
In both case the lead regulator, Information Commissioner Elizabeth Denham, is quoted as saying: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience."
Aside from the aforegoing, consumer activism is at an all-time high when it comes to breaches of data privacy. Surprisingly, the reputational damage to a brand can far outweigh the administrative penalty levied.
When acquiring another business, you should also understand that you are inheriting a legal compliance risk that may only manifest itself in the form of large fine or illegal business practice many years after closing. By this time, it may no longer be possible to recover your losses from the sellers and aside from that, your reputation may have suffered untold damage.
Careful consideration should accordingly be given to the risk of non-compliance and an appropriate due diligence investigation be conducted.
Seen from the seller's perspective, presenting a prospective purchaser with a business that has responded diligently to its current and impending data privacy obligations should be put forward as a selling point to achieve a favourable valuation.
Privacy legislation is a necessary response to the rampant growth of potentially invasive technologies and market practices.
Properly handled, compliance with data privacy legislation should not be a headache. In fact, more and more discerning consumers want to see that trustworthy brands say what they do, and do what they say, when it comes to personal information.
In this day and age, it is impossible to guarantee that data will always be safe. Luckily that is not what the law requires. If things go wrong, regulators and courts should take into account the fact that reasonable care has been taken to understand your obligations and to take demonstrable steps to comply with them.
Showing a disregard for the law and the sanctity of personal information entrusted to you on the other hand, sets you up for making the headlines in a bad way.