The Protection of Personal Information Bill (the Bill) aims to give effect to the constitutional right to privacy by introducing measures to ensure that organisations process personal information in a fair, responsible and secure manner. There are strong indications that the proposed legislation will be enacted by early 2011. Compliance with the Bill will require an integrated approach by business and will impact on a multitude of organisational processes. The Bill is founded on a set of eight core information protection principles that have evolved over time in various jurisdictions around the world.
The principles are as follows:
- Principle 1: Accountability
- Principle 2: Processing limitation
- Principle 3: Purpose specification
- Principle 4: Further processing limitation
- Principle 5: Information quality
- Principle 6: Openness
- Principle 7: Security safeguards
- Principle 8: Data subject participation
Principle 1: Accountability
This principle contemplates the assigning of responsibility by organisations for overseeing compliance with the Bill. It will be difficult for an organisation to ensure that the requirements of the Bill are properly embedded within its business unless an individual at a suitably high level is formally mandated to manage the organisation’s responsibilities in terms of the Bill.
Principle 2: Processing limitation
This principle requires that personal information may only be processed in a fair and lawful manner. Fair processing implies that the processing must be done in a manner that is transparent to the individual, thereby requiring the individual’s explicit consent. In order to minimise intrusion on the individual’s right to privacy, the amount of personal information that is collected should not be excessive in relation to the purpose for which it is needed.
Principle 3: Purpose specification
The principle of purpose specification requires an organisation to do the following:
- Ensure that personal information is only processed for specific, explicitly defined and legitimate reasons relating to the functions or activities of the organisation
- Take steps to make the data subject (person whose personal information is being processed) aware of the purposes for which the personal information will be processed and
- Establish mechanisms to ensure that personal information is only kept for as long as it is required to fulfil the purpose for which it was collected.
This principle provides the context for the application of many of the other principles in the Bill. Once the purpose has been identified, the personal information may generally only be processed insofar as it is necessary for the fulfilment of that purpose. The elements of Principle 3 should therefore be borne in mind when considering the impact of the remaining information protection principles described below.
Principle 4: Further processing limitation
Once an organisation has identified and obtained consent for specific, legitimate and explicitly defined purposes, the processing of such personal information may only occur insofar as it is necessary for the fulfilment of those purposes. Thus, the further processing limitation requires that an organisation may only use personal information for those purposes that were specified at the time that the individual consented to the processing of the information. If personal information is to be used for any other purpose or disclosed to any other recipients, the further consent of the individual must be obtained.
Principle 5: Information quality
This principle describes the responsibility of organisations to maintain the quality of the personal information that they process by ensuring that all personal information is kept reliable, accurate and up-to-date. Generally, compliance with this principle will require all organisations to continually assess and evaluate not only the nature of the personal information that they hold, but also any changes to the purposes for which they originally collected the information. This highlights a linkage to the earlier principle of purpose specification. A change in circumstances or a failure by an organisation to keep information up-to-date could result in information that was originally adequate for a particular purpose becoming inadequate. Once the information is inadequate for its purpose or if the purpose no longer exists, the organisation may no longer process that information.
Principle 6: Openness
This principle is linked directly to an organisation’s duty to process information in a fair and transparent manner. It is founded on the notion that in order for processing to be fair, individuals must be aware of the specific personal information held about them by particular organisations. It contemplates two types of notification by organisations that process personal information, namely notification to the Regulator and notification to the data subject (individual whose personal information is being processed).
Much of the detail regarding the manner and form of the notifications mentioned above will likely be contained in Regulations and/or further guidance notes issued by the Regulator. Full compliance with the provisions of this principle will therefore not be practically possible until after the legislation has been enacted.
In the meantime, to ensure that the notifications contain the information required by the Bill, an organisation may want to begin identifying and collating information such as:
- The types of personal information collected by the organisation
- The purposes for which the information is processed
- The recipients and/or categories of recipients to whom personal information is disclosed (including recipients outside of South Africa)
- An assessment of the security measures in place to protect the personal information that is processed by the organisation and
- An analysis of any other legislation that requires the organisation to collect, use, store or disclose personal information, including the retention periods contained therein.
Principle 7: Security safeguards
The underlying theme of this principle is that all personal information should be kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure. In terms of the Bill the obligation to maintain the security of personal information is made up of the following elements:
- The organisation’s responsibility to implement security measures to safeguard personal information held by the organisation
- The organisation’s responsibility in respect of personal information that is processed by third parties on behalf of the organisation and
- The organisation’s responsibility to notify stakeholders if personal information has been compromised in any way.
Many organisations believe that their current information security environments are sufficiently mature to meet the requirements of this principle. However, the biggest challenge arising from this principle is likely to be the effective management of an organisation's non-technology-based security risks. Thus, when designing an information security risk assessment, it would be prudent for an organisation to widen its scope beyond the technology risks associated with information processing and also address other threats such as physical security, people management and third-party relationships.
Principle 8: Data subject participation
This principle empowers individuals to access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated. This enables them to have a level of direct influence over the processing of their personal information. It also highlights the need for an integrated approach to compliance by making specific reference to other information protection legislation such as the Promotion of Access to Information Act 2 of 2000 (PAIA). The difference between the Bill and PAIA is that the Bill only deals with an individual’s right to access his/her own personal information, whereas the provisions of PAIA are much broader. PAIA deals with the rights of individuals to access general information (including non-personal information) as well as the personal information of third parties.
The entitlement of individuals to request the correction and deletion of their personal information as described above must also be read in conjunction with the discussion under Principle 5, which sets out the responsibility of organisations to ensure and maintain the quality of the personal information that they process.
Organisations that fail to comply with the Bill could find themselves facing civil liability claims, criminal sanctions and significant reputational damage. The responsibility for the monitoring and enforcement of compliance will rest with the Information Protection Regulator, an independent statutory body to be established once the Bill is passed into law. Achieving an adequate level of compliance with the Bill will ultimately depend on how effectively an organisation is able to embed all eight of the information protection principles within the information management, governance and operational processes of the business as a whole, while also factoring in its current information protection obligations in terms of existing legislation.