PRIVACY AND DATA PROTECTION LAW IN SOUTH AFRICA
Currently, the South African Law Reform Commission is conducting an investigation entitled “Privacy and Data Protection” in an attempt to enact legislation which would safeguard people’s rights to privacy. Concern about information protection has increased worldwide as a result of the expansion in the use of computer and telecommunications technologies. The recognition of the right to privacy as a fundamental human right in the South African Constitution provides an indication of its importance. It is, however, not an absolute right, and in protecting a person’s personal information, consideration should also be given to competing interests such as the administering of national social programmes, maintaining law and order, and protecting the rights, freedoms and interests of others, including the commercial interests of industry sectors such as banking, insurance, direct marketing, health care, pharmaceuticals and travel services.
The preliminary recommendations of the Commission, as set out in the Bill accompanying the Discussion Paper, can be summarised as follows:
(1) The protection of personal information in the public and the private sector should be regulated in an act of general application, called the Protection of Personal Information Act, supplemented by codes of conduct for specific sectors. Both automatic and manual processing of information will be covered and identifiable natural and juristic persons will be protected.
(2) The proposed Bill gives effect to eight core information protection principles which, inter alia, prescribe the following duties and obligations for responsible parties and provide for the following rights for data subjects (i.e. persons whose information is being collected):
(i) information can only be collected or stored if it is necessary for or directly related to a lawful, explicitly defined purpose and does not intrude upon the privacy of the data subject to an unreasonable extent;
(ii) information must be collected directly from and with the consent of the data subject;
(iii) data subjects must be informed of the purpose of any such collection and of the intended recipients of the information, at the time of collection;
(iv) information must not be kept for any longer than is necessary for achieving the purpose for which it was collected;
(v) information must not be distributed in a way incompatible with the purpose for which it was collected;
(vi) reasonable steps must be taken to ensure that the information processed is accurate, up to date and complete;
(vii) appropriate technical and organizational measures have to be taken to safeguard the data subject against the risk of loss, damage, destruction of or unauthorized access to personal information;
(viii) data subjects are allowed a right of access to their personal information and a right to demand correction if such information should turn out to be inaccurate.
(3) Exceptions to the information protection principles are provided for and exemptions are furthermore possible for specific sectors in applicable circumstances. Special provision has furthermore been made for the protection of special (sensitive) personal information such as that revealing racial or ethnic origin, political opinions, religious beliefs, philosophical or ethical persuasions, trade union membership, health and sexual life.
(4) Provision has been made for an independent Information Protection Commission with a full-time Information Commissioner to direct the work of the Commission. The Commission will be responsible for the implementation of both the new, envisaged Protection of Personal Information Act and the current Promotion of Access to Information Act 2 of 2000. Data subjects will be under an obligation to notify the Commission of any processing of personal information before they undertake such processing. Provision has also been made for investigations to be conducted by the Commission prior to commencement of the processing to establish whether it complies with the law in instances where the nature of the information being collected warrants a stricter regime.
(5) Enforcement of the Bill will be through the Commission using as a first step a system of notices where conciliation or mediation has not been successful. Failure to comply with the notices will be a criminal offence. The Commission may furthermore assist a data subject in claiming compensation from a responsible party for any damage suffered. Obstruction of the Commission’s work is regarded in a very serious light and constitutes a criminal offence.
(6) A flexible approach will be followed in which industries will develop their own codes of conduct (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency. Codes of conduct may be drawn up for specific sectors on the initiative of the sector concerned or of the Commission itself. This will include the possibility of making provision for an adjudicator to be responsible for the supervision of information protection activities in the sector. The Commission will, however, retain oversight authority. Although the codes will accurately reflect the information principles as set out in the Act, they should furthermore assist in the practical application of the rules in a specific sector.
(7) It is the Law Commission’s objective to ensure that the legislation provides an adequate level of information protection in terms of the EU Directive. In this regard a provision has been included that prohibits the transfer of personal information, except under special circumstances, to countries that do not, themselves, ensure an adequate level of information protection.
It should be noted that the promulgation of information protection legislation in South Africa will necessarily result in amendments to other South African legislation, most notably the Promotion of Access to Information Act (No. 2) of 2000, the Electronic Communications and Transactions Act (No. 25) of 2002 and the still to be enacted National Credit Bill [B18-2005]. All these Acts contain interim provisions regarding information protection in South Africa.