The Protection of Personal Information Act (POPIA) has not yet fully come into force. Its aim is to protect personal information from “leaks”.
One of the largest data leaks recorded in South Africa was traced to a web server registered to a real estate company in Pretoria in 2017. An estimated 60 million records could be viewed or downloaded by anyone with a small amount of technical knowledge. The leak, which included information such as ID numbers, email addresses and phone numbers, was traced to Jigsaw Holdings, which includes the Aida, ERA and Realty-1 estate agencies. Had the Information Regulator established by POPIA been in place at the time of the breach, those responsible would have faced massive fines or even imprisonment.
Currently, the protection of privacy of individuals is derived from the common law, the Bill of Rights and, to some extent, legislation. Protection under common law takes two forms:
- where there is a public disclosure of private facts without permission, for which a remedy is available to the person whose information is revealed; and
- where there is an unreasonable intrusion into the private sphere without permission, which is also actionable and may involve criminal liability.
Generally, and within reason, people, including companies, have the right to choose what information they wish to keep private, but the person claiming an invasion of privacy is required to prove that the invasion was intentional or negligent. It is difficult to prove either and to establish a claim successfully. Even where intention or negligence is successfully proved, the monetary relief awarded by the courts is often low.
Under POPIA, the collection, storage and transfer of personal information will be strictly safeguarded, and heavy penalties will apply whether non-compliance is intentional or negligent. POPIA prescribes very specific requirements as to how personal information is to be processed, which includes how it is collected, stored, transferred, and destroyed.
In the European Union (EU) the General Data Protection Regulation (GDPR) is already in force, and even third-party non-compliance can leave a company liable to penalties under this Regulation. Organisations that can demonstrate GDPR compliance and effective control over personal information have an advantage over competitors who cannot do the same.
Compliance presents an opportunity for organisations to identify what information is important and what is just filling storage space, and so to be more consistent with industry best practices. Benefits of doing so may include more efficient operation, a reduction in the costs associated with data storage, and even a competitive advantage where information is processed more efficiently.
While the GDPR and POPIA pertain only to personal information, compliance is an opportunity to re-evaluate management and control of information as a whole.
This article has been written by Clea Rawlins, an Associate in the Commercial Department of Garlicke & Bousfield Inc.
NOTE: This information should not be regarded as legal advice and is merely provided for information purposes on various aspects of mediation.