It has taken six years, but at last a new law to control those who would access our personal information without permission is operational. The new measures hope to stop the invasions of our privacy that have accompanied our entry into the digital world.
One must wonder why it took so long for the legislation to reach the lawmakers. It came before Parliament in 2013, and took another seven years for the civil service to get its act together to carry out Parliament’s wishes.
But we should be grateful that the much-anticipated — and some say deeply needed — Protection of Personal Information Act, 2013 (POPIA), which, incidentally, gives effect to our constitutional right to privacy, is now fully enacted.
Although the original Bill was passed seven years ago, enabling the appointment of an Information Regulator, it is not clear if it was actually appointed or will now be appointed. Despite its name, the Regulator is not one person but a committee with sub-committees, some committee members being part-time, and others full-time employees who may be civil servants or co-opted (and paid) members of the public.
What is clear is that there are now legal conditions on the processing of special personal information; there is (or will be soon) a Code of Conduct for dealing with complaints; there are rules governing junk mail (“unsolicited electronic communication” is the polite name); and general rules for the direct marketing industry.
POPIA also transfers the functions of the Promotion of Access to Information Act from the South African Human Rights Commission to the new Information Regulator.
What does this mean for the private sector? Well, theoretically, all organizations must be POPIA compliant by 1 July 2021, but no one yet knows exactly what that would mean. The Act is typically long on the subject, requiring a fully-trained legal mind to understand it. We have to hope a simple guide will be provided by the Information Regulator.
Meanwhile, companies could do well to read POPIA closely. They should consider appointing a company information officer, explore the implications for company contracts, draft the right policies, and establish controls and processes to ensure the compliance framework is effective.
In sum, access to your private information will now be guarded by a new set of civil servants with new regulatory powers to prevent it being used by people trying to sell you stuff.
Organs of State, on the other hand, are still able to look over your shoulder as you WhatsApp, email or SMS your friends or send pictures to whomever and of whatever you choose – as they always have.
Private sector businesses, which pay taxes to pay the salaries of the new Information Regulator staff, will have to employ more people to ensure that they are obeying a new law and avoiding a jail term – unless of course they wish to avoid such unpleasantness and cough up a fine not exceeding R10 million (which may be increased in line with future inflation).
If they take the fine route, they will be happy to know that paying it will not provide an automatic criminal record.
Comment from Geoff Jacobs, President of the Cape Chamber of Commerce & Industry.