Open Meetings!

Posted in Blog

Recent weeks have seen an increasing tendency toward closed meetings being instituted by South Africa's Parliamentary Committees. Along with a number of our civil society partners and Parliament Watch, ODAC have issued a condemnation of this practice, including the tendency to initiate these closures without justification.

In Primedia Broadcasting and Others v Speaker of the National Assembly and Others [2016] ZASCA 142, ODAC - alongside media partners and others - challenged the threats to the openness of Parliament presented by the jamming of transmission signals by State Security, and interference with the parliamentary television broadcast feed. Importantly, that judgment confirmed the finding of Ngcobo J in the Doctors for Life case, which states:

"The participation by the public on a continuous basis provides vitality to the functioning of representative democracy. It encourages citizens of the country to be actively involved in public affairs, identify themselves with the institutions of government and become familiar with the laws as they are made. It enhances the civic dignity of those who participate by enabling their voices to be heard and taken account of . . . . It strengthens the legitimacy of legislation in the eyes of the people. Finally, because of its open and public character, it acts as a counter-weight to secret lobbying and influence-peddling."

Openness is the starting point for all Parliamentary meetings. And, if Committees wish to deviate from this, one of the things required is adequate justification for that deviation. Section 59(2) of the Constitution after all instructs that: "...the National Assembly may not exclude the public or the media unless it is reasonable and justifiable to do so in an open and democratic society" [Emphasis added]. In addition, sufficient consideration must be given to the reasons for closing the meeting, which must include consideration of the public's interests in the matters being discussed. It is particularly noteworthy for instance that, in looking at the list of meetings that were closed, these included those that were considering issues around SAA, SASSA, and Eskom, amongst others.

We join our partners in the call for more openness in our Parliament, and demand for:

  1. A record of all meetings which have been fully or partially closed to the public since the opening of the 5th Parliament in May 2014 and the reasons put forward for closing these meetings.We request this information by Friday 23 November 2018.
  2. Amendments to the Rules of the National Assembly to clearly stipulate that in the event of a meeting or part thereof being closed a) due consideration must be given to the question of public interest prior to a decision being taken, b) reasons for closing these meetings shall be made public, and c) prior notice of the closure of the meeting be reasonably provided to the public. We consider it important that these amendments should be considered and finalised prior to the closing of the Fifth Parliament in 2019, and should allow for public engagement in the process.
  3. In the interim we request intervention by your office to prevent Committees from closing meetings without following robust process and providing public justification for doing so.

You can read the joint civil society statement here.

The Price of Speaking Out

Posted in Blog

- Alison Tilley

Tlholo Phakoe is planning his father’s memorial for early next year. It will be 10 years since the death of Moss Phakoe, his father, on 14 March 2009. Moss Phakoe, a whistleblower, was assassinated.

He was an ANC municipal councillor, who had attempted to expose corruption in the Municipality. The then Rustenburg mayor, Matthew Wolmarans, attempted to have him removed three times from the executive mayoral committee, apparently because of these disclosures. Phakoe was then gunned down in his driveway.

Matthew Wolmarans and his former bodyguard, Enoch Matshaba, were arrested, charged and sentenced with his murder. Wolmarans was acquitted after serving a year of his sentence as was Matshaba. This acquittal followed one of the witnesses in his conviction recanting. That witness is now being charged for perjury.

And Wolmarans? He is now an ANC Member of Parliament. He sits on the Portfolio Committee on Human Settlements, and the Portfolio Committee on Higher Education and Training.

And what happened to the dossier that Moss Phakoe meticulously compiled, and took to everyone he could in the majority party, including the former President Jacob Zuma at his home in Nkandla? Gone. Yet now Police Minister Bheki Cele has ordered the reopening of investigations into a series of high-profile murders, including those of Bafana Bafana goalkeeper Senzo Meyiwa, North West businessman Wandile Bozwana - and Rustenburg whistle-blower Moss Phakoe.

Neither the Minister nor any SAPS member has contacted the Phakoe family. They remain bereft from the loss of their father, husband and breadwinner. They were on the verge of losing their home after not being able to pay their bond instalments. The EFF stepped in and paid off the outstanding bond.

The price of speaking out as a whisteblower is high. In the workplace the remedies are based in labour law through the Protected Disclosures Act (the Act). Relatively recent amendments to the Act have extended the workplace remedies available to whistleblowers, but much work remains to be done to create a safe environment.

According to research by SALGA, more than 70% of municipal managers reported that threatening and intimidation negatively impacted on their 
work performance, while 65% saw the issue as severe enough to contemplate resignation. Of the 54 councillors who participated in the study, 66% reported being threatened, whilst 46% reported being threatened often.

According to an Assassination Witness report, a collaboration between the Centre for Criminology at the University of Cape Town and the Global Initiative against Transnational Organized Crime, there were 159 reported assassinations in South Africa in 2017– a figure that was up by 36% from 2016 (when 117 hits were recorded) and up by 346% from 2012 (46 hits). “There is a notable proportion who had been politicians, whistle-blowers, proprietors of taxi businesses (known colloquially as ‘taxi bosses’) and members of the legal fraternity,” say the authors.

What does all this tell us about protecting whistleblowers? Obviously, workplace protection is not enough. And reporting is a necessary but insufficient condition for the disclosure to be acted on. Many whistleblowers say their main reason for blowing the whistle is to ensure that malpractice is acted on.  In the current climate, you can hardly blame people for assuming that there is little likelihood of a conviction for corruption. We will have to think harder and better about how to help ensure whistleblowers speak out, and in the meantime ensure that stories such as that of the devastating loss of Moss Phakoe are never forgotten or brushed aside.

* A close reproduction of this article was published by our partners at the Daily Maverick.

If you thought Facebook was interesting...

Posted in Blog

- By Gabriella Razzano

Facebook’s been ‘spying’ on you, and privacy is a farce. For many, these sorts of revelations have been a startling and upsetting reality check, rather than the histrionics of nerds previously ignored. For others, it was a “but of course” moment. For us at the Open Democracy Advice Centre, it has instead been a “and so we must” moment.
 
Personal data and privacy is not just about people knowing about you. The terrifying revelation for many about the role of Cambridge Analytica in the Facebook data leak is how power over data can even extend to influencing you. And the extent of what is known about you may go beyond what you have imagined too – as Dylan Curran, of the Guardian, painfully noted, the data Facebook or Google hold on you could be your movements, your emails, your stickers, information you hold and information you deleted. Not to be put too fine a point on it, they essentially hold your thoughts. And we trust them somewhat unthinkingly to defend this data (though in many senses, we gave it to them to ‘own’ for free). 
 
The Internet in many ways confronts us with new forms of risk we might not feel ready to handle. But the law has been responsive to these threats, which in many ways echo the fundamental way rights have been threatened since the Universal Declaration of Human Rights was declared. And the impact of these risks has been felt directly in South Africa, with data breaches hitting the headlines with almost disturbing regularity. If you use a computer or a smart phone, you should realise that your personal data is not just bits and bytes- and you have to learn how to protect it.
 
In South Africa, the Protection of Personal Information Act (POPIA) was written specifically to defend and protect your personal data. Yet the agency charged with implementing and operationalising this law is not yet fully able to function. South Africa’s Information Regulator knows its own relevance – it wrote a letter to Facebook to question what steps would be taken to comply with POPIA. But as any citizen will tell you, writing angry letters will never be enough. If the Information Regulator was fully operational, fines or even prison time could be on the cards for violators.
 
If you care about the Facebook data breach, or about those annoying phone calls you get on your cell phone (and think how did they get my number? How do they know my name?), you should care about the Information Regulator. But the question then has to be: what can we do to get the Regulator operationalised?
 
When addressing Parliament, the Regulator noted that blame for the failure to be fully able to establish itself lay somewhere between the Department of Public Services and Administration, National Treasury and the Public Finance Management Act. All we know at ODAC is – if you stay in contact with us over the next few weeks – we’ll be doing our best to find practical solutions to getting your data safe, even if the powers that be aren’t prioritising it. 

A call to action for the Information Regulator

Posted in Blog

 

In 2016 the Information Regulator was established in South Africa with the dual mandate of ensuring access to information and protecting personal information for all citizens.

Since it has been established it has appointed five members to the board and set up its offices. However there has been little further action in the past year.

The public must now ask what are the reasons for these continued delays and for how much longer must we continue to wait?

The PAIA Act was written in 2000 and POPI Act passed in 2013 but we are still waiting for the commencement date for these Acts to be proclaimed by the President. This year will have been waiting for PAIA for almost 18 years. And with the European Union’s GDPR regulations coming into effect on the 25 May 2018, POPI can no longer be kept on the back-burner.

Action needs to be taken. It is time for the Information Regulator to fulfil its duties to the citizens of South Africa and start holding companies and organisations accountable to the PAIA and POPI Acts.

In a fair and democratic society the PAIA Act is a vital piece of legislation to facilitate access to information in order to increase the transparency of governmental bodies and public enterprises and to hold them accountable to the people.

As we move further into the 21st Century, cyber-security and threats to personal data are going to continue to be one of the most pressing concerns of people and governments.

Improving citizens’ data security, educating the public about data security and protecting people’s personal information is of paramount importance in modern society.

It is time for the Information Regulator to start encouraging swift and sustainable action in this regard.

As this issue becomes ever more pressing here are 20 questions we as citizens of South Africa want answered by the Information Regulator:

  1. How do I find out which companies have access to my personal data?
  2. How do I find out if my personal data has been compromised?
  3. How do I report a company that I think is abusing my personal information?
  4. What rights do I have with regards to protecting my personal data?
  5. Can I ask companies to tell me how much of my personal data they have?
  6. Can I ask businesses to remove my personal data from their systems?
  7. Do I have a right to claim compensation from companies who abuse my personal data?
  8. What rights do I have with regards to getting information about the purposes for which my personal data will be processed?
  9. Do I have the right to restrict or object to the processing of my personal data?
  10. Do I have the right to object the processing of my personal data for direct marketing purposes?
  11. Will the Information Regulator set-up a complaints channel for people to report data violations?
  12. How do citizens know if organisations are PAIA and POPI compliant?
  13. How will the Information Regulator ensure that companies communicate transparently with people about the processing of their personal data?
  14. How will the POPI Act be regulated and enforced once it is signed into legislation?
  15. What authorisation process is in place to ensure responsible parties can process personal information?
  16. What is the process for gaining access to information from Public and State Owned Enterprises?
  17. What are the criteria for requesting access to information from Public and State Owned Enterprises?
  18. How do we encourage sharing of public information for greater transparency and accountability from Public and State Owned Enterprises?
  19. What is the process for registering an Information Officer with the Information Regulator?
  20. How will the Information Regulator enable compliance with other regulatory bodies, for example the GDPR?

What you need to know about the Information Regulator

Posted in Blog

 


Every day we log in to multiple devices and share our personal information with a multitude of apps, online businesses and service providers. Do you ever think about how much of your personal information is online and where it is being stored? What do companies know about you and how safely are they keeping all your personal information? Can you recall how many services and companies you have given your ID number or credit card details too in order to secure a payment or verify your account? What about your personal address details? In a recent article on Bizcommunity it was noted that data is the biggest trend for 2018 and companies will pay top dollar for consumer data and insights. In a digital world, as we share more and more of our personal data every day, the question of how this data is collected, shared and stored is one of ever increasing concern that needs to be taken seriously.


But perhaps even more importantly, is the question of who monitors the collection and safe and just use of all our personal data?


In 2016 the Information Regulator was set-up in order to establish a governing body in South Africa that would be responsible for regulating the use of consumer data and holding companies to account for that data’s safe storage and protection. Since its establishment it has appointed five members including chairperson Pansy Tlakula, but we have not seen any substantial further action from this body. This government body is key to each and every one of our lives – so why have we heard so little about it?


Introduction to the Information Regulator


The Information Regulator is an independent body that has been established with the dual mandate of;
(1) Promoting access to information in line with the Promotion of Access to Information Act, 2000 (Act 2 of 2000) (PAIA) and
(2) Monitoring and enforcing compliance by public and private bodies of the Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPI).


The Information Regulator was established in terms of Section 39 of the Protection of Personal Information Act 4 of 2013. It is subject only to the law and the constitution and it is accountable to the National Assembly.

The Information Regulator was established in December 2016 and the current members of the Information Regulator are Chairperson Pansy Tlakula (Adv), Adv Lebogang Stroom-Nzama, Adv Collen Weapond, Prof Tana Pistorius and Mr Sizwe Snail ka Mtuze.

The creation of this body means that the public can now approach the Information Regulator to address the following:

1. The facilitation of access to information
2. Protection of information and personal data
3. Reporting on misuse of data

However, the law that creates the Information Regulator is not yet in operation. They have yet to appoint staff, after being in operation for a year.


What could the information regulator do?

The Information Regulator has a dual mandate of ensuring access to information and protecting personal information. As part of this role, it is the Regulator’s responsibility to ensure that data is protected and that personal information is held and secured by responsible parties.

The Information Regulator can also hold responsible parties accountable for not complying with the PAIA or POPI Acts.
The Information Regulator’s responsibilities include:

  • The responsibilities as outlined in Part 4 and 5 of the Promotion of Access to Information Act (PAIA)
  • Monitoring and enforcing POPI compliance by public and private bodies
  • Handling complaints by data subjects in line with POPI
  • Ensuring compliance with the conditions for processing information
  • Ensuring the personal information is processed lawfully by responsible parties
  • Educating responsible parties on the conditions for lawful processing of personal information


Find out more about the Powers, Functions and duties of the Information Regulator here: http://www.justice.gov.za/inforeg/about.html


For some time ODAC have been promoting the use of the Promotion of Access to Information Act 2 of 2000 (PAIA). We have accomplished some great successes with PAIA in not only encouraging the public to use the Act but also using it ourselves in the strategic pursuit of transparency. In the 2012 reporting period, the PAIA Civil Society Network (of which ODAC is an active member) noted that only 16% of requests resulted in the release of requested information, and more disturbingly, 54% of requests simply remained unanswered. As the Information Regulator is now responsible for upholding the PAIA Act it is our hope that this will allow for more freedom of information and greater transparency as clearer processes are put in place to facilitate the sharing of information under the Act.

Why is the Information Regulator important?


The Information Regulator reports to Parliament and has extensive powers to regulate and enforce both the Promotion of Access to Information (PAIA) and the Protection of Personal Information (POPI) Acts. The Information Regulator can also investigate and fine any parties who violate the PAIA or POPI regulations. Under POPI businesses and bodies will be responsible for the protection of the personal and consumer data they gather and will not be allowed to sell consumer data without consent.   Under this law companies could be fined up to R10 million and Directors of companies found to be in violation of the laws could face prosecution and jail terms.


As recently as October 2017 there was a massive data breach reported in which 30 million South African's personal information was compromised, including their names, addresses, ID numbers, genders, ethnicities and email addresses. The breach was blamed on insufficient security measures and is a stark wake-up call that we should all be questioning what measures companies have in place to protect our personal data.


This is one of the numerous data hacks which have occurred over the last few years. Do you know if your personal data has been compromised? If you would like to you, can test and see if your personal information has been compromised here: https://www.thisisme.com/


Under the POPI Act the Information Regulator should be enforcing stricter security measures to prevent these types of breaches and holding those companies who are responsible for security negligence to account.


The Regulator’s appointment promised a new dawn in access to information and protection of privacy in South Africa. However, so far the Regulator has not received sufficient support from the state to ensure its operation. The five members of the Commission are drawing salaries without enough support staff or their own offices to allow them to function. As there is currently no legislation in action they are effectively bound hand and foot.

Questions for the Information Regulator


With the concerns about data security increasing daily here are some urgent questions that need to be asked and answered by the Information Regulator.


1. How will the POPI Act be regulated and enforced once it is signed into legislation?
2. What authorisation process is in place to ensure responsible parties can process personal information?
3. If there is no authorisation process is place, what is the time frame to have this process established?
4. The law according to PAIA automatically designates a person in each organisation as the Information Officer. What is the process for registering an Information Officer with the Information Regulator?
5. How will the Information Regulator enable compliance with other regulatory bodies, for example the GDPR?

The GDPR


Of further concern is the European Union’s passing of the General Data Protection Regulation (GDPR). The European Union (EU), which governs how countries within the EU such as France, Germany, and Italy interact with each other and the rest of the world, has developed a set of rules to protect the personal information of all residents of the European Union called the General Data Protection Regulation (GDPR).


The GDPR replaces the Data Protection Directive and is set to become the ‘gold standard’ for data privacy regulation globally. Under the GDPR, individuals will have expanded rights over their data including; the right to access, the right to be forgotten, the right to data portability, the right to be informed, the right to restrict processing, the right to object and the right to be notified. The rights outlined in the GDPR mean that the conditions for obtaining consent to use personal information are stricter and organisations will have to prove that consent was given before using individual’s personal data. The security of personal data will also become stricter and businesses will need to put adequate security measures in place to guard against data breaches as well as take quick action to notify individuals and authorities if any data breaches occur. In addition it will be imperative that organisations establish procedures for handling personal data to comply with GDPR rights and regulations.

The GDPR enforcement date is 25 May 2018. The EU has stated that any organisations who are not in compliance with the GDPR will face heavy fines. This can have important implications for companies in South Africa who work with EU customers’ personal data as any company that handles personal data from EU citizens will need to comply with the GDPR whether they are situated in the EU or not. Even non-EU established organizations will be subject to GDPR. If a business offers goods or services to citizens in the European Union, then it will be subject to GDPR.

It is also thought that the GDPR will conduct an adequacy assessment of all companies with customers in the European Union. The question of adequacy will be linked to the role of the Information Regulator and the legislation that South Africa has in place with regards to data protection. This makes the POPI Act legislation even more relevant to South African businesses. Will the EU and the GDPR find South African companies adequate if there is no legislation in place to protect personal data?


We as citizens of South Africa need to start holding our government and the Information Regulator in particular accountable for our data security.


How do you contact the Information Regulator?


You can email the Information Regulator with your query at This email address is being protected from spambots. You need JavaScript enabled to view it. or call them on 012 406 4818.
Visit their website for more details: http://www.justice.gov.za/inforeg/contact.html
If you have a question or comment about PAIA or POPI that you would like the Information Regulator to address we suggest you write a formal letter to the Office of the Information Regulator for the attention of Chairperson Pansy Tlakula.

For more information on PAIA and POPI:


PAIA: Promotion of Access to Information Act, 2000 (Act 2 of 2000):


POPI: Protection of Personal Information Act 4 of 2013:


ODAC have put together a guide to assist organisations in engaging with PAIA. Our hope is that as more departments are forced to engage with PAIA though requests, they will be more likely to implement systems to deal with PAIA requests which will lead to more effective and responsive behaviour.