The Protection of Personal Information Bill 13 February 2013

Upload: mariah-snow

Post on 08-Jan-2018



TRANSCRIPT

Page 1: The Protection of Personal Information Bill 13 February 2013 1

The Protection of Personal Information Bill

13 February 2013

INTRODUCTION

• The POPI Bill developed out of the Open Democracy Bill in 1996
• Consumer protection legislation
• Growth of the information age
• Growth of credit, banking, insurance, pharmaceutical, direct marketing and health care industries
• Growth of electronic and technological databases
• Personal information has become saleable to the highest bidder in order to increase sales
• Data protection legislation: personal information must be processed with the privacy of the data subject in mind

BACKGROUND

• If collection of personal information is allowed, then it has to be regulated to allow for fairness and effectiveness of such collection and integrity of information
• Open Democracy Bill
• Removal of data protection provisions from the Bill by Cabinet
• Different from PAIA (2 of 2000): Free flow of information
• POPI regulates the flow of personal information
• Eight years of research (SALRC)
• First introduced into Parliament in 2009, adopted 9th version on September 2012

OBJECTS OF THE BILL


DEFINITIONAL ISSUES

‘Personal information’ includes information relating to:
• A wide range of personal characteristics - race, gender, sex, marital status, national, ethnic or social origin; colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth, etc.
• Educational and medical, financial, criminal, or employment history.
• Any identifying number/symbol and contact details (email address, physical address, telephone number, etc.), location identifier, online identifier, or biometric data.
• Opinion information, including views/opinions of another person about that person.
• Private/confidential personal correspondence.
• The name of the person (if with other personal information).

DEFINITIONAL ISSUES

‘Processing’ covers all aspects of the information cycle – including collection, dissemination, and destruction.

‘Record’ is any recorded information, regardless of medium, in the possession of the responsible party including –

KEY ISSUES

Consent, justification and objection: 11(3)(a)

There is no definition of what constitutes ‘reasonable grounds’. The objection by a data subject should be enough and should not be qualified by ‘reasonable grounds’.

Retention and Restriction of Records: Chapter 3(14)(1)

The Committee should consider placing a time limit on the retention of records. How This ultimately protects data subjects


KEY ISSUES

Notification of security compromises: S 21(4)(c),(d)

Clause (c)-(d) provides for the publication of the notification when the Regulator. The Committee should consider whether the publication process does not affect the right to privacy of a data subject.

Correction of Personal Information: S 24(2)(a-c)

The Committee should consider whether it is appropriate to place time limits on the correction of information applicable to both the Regulator and data subject


KEY ISSUES

Authorisation concerning data subject’s health or sexual life: S 32 (1)

The Bill proposes exemptions for certain categories of people such as medical professionals, insurance companies and probation institutions or child protection. The Minister, the Minister of Correctional Services and pension fund administrators are also excluded. The question that should be considered is whether the exemption should be granted to those companies that in the longer term will benefit or profit from information held by them on data subjects. There are ethics involved in processing the information, and these should be clarified.

OTHER ISSUES

Authorisation concerning data subjects’ criminal behaviour: S 33 (1)

The processing of information by law enforcement agencies is exempted. However, clause 33(2) can be considered too wide-ranging because it allows pre-emptive data processing by the responsible party for their own lawful purpose, to ‘protect their legitimate interest’. The Committee may want to consider placing a qualification on this clause so that such exemption is within the constitutional boundaries.

Exemption from information protection principles: Chapter 4 S 36 + 37

The Regulator may, in the public interest or the data subject’s interest, grant an exemption to authorise the responsible party to process information even if it breaches the principles of information protection. The Committee should consider this clause and weigh it up with the right to privacy


OFFENCES AND PENALTIES

The Bill provides for offences and penalties:

• Obstruction of Regulator.
• Breach of confidentiality.
• Obstruction of execution of warrant.
• Failure to comply with information/enforcement notices is a criminal offence.
• Failure of witnesses to attend and give evidence or to produce a book/document or object.
• Failure to comply with conditions for lawful processing in so far as they relate to the processing of a data subject’s account number.
• Knowingly or recklessly obtaining or disclosing a data subject’s account number or procuring a data subject’s account number to another party without consent.

CONCLUSION

• The Bill provides protection for data subjects in the processing of their information
• The Committee should ideally consider the positive features of the Bill
• Propose that the Committee considers support for the Bill after satisfying itself that all areas that require clarity have been addressed