Every day we log in to multiple devices and share our personal information with a multitude of apps, online businesses and service providers. Do you ever think about how much of your personal information is online and where it is being stored? What do companies know about you, and how safely are they keeping all of your personal information? Can you recall how many services and companies you have given your ID number or credit card details to in order to secure a payment or verify your account? What about your personal address details? A recent article on Bizcommunity noted that data is the biggest trend for 2018 and that companies will pay top dollar for consumer data and insights. In a digital world, as we share more and more of our personal data every day, the question of how this data is collected, shared and stored is one of ever increasing concern that needs to be taken seriously.
But perhaps even more important is the question of who monitors the collection, and the safe and just use, of all our personal data.
In 2016 the Information Regulator was set up as the governing body in South Africa responsible for regulating the use of consumer data and holding companies to account for that data's safe storage and protection. Since its establishment, five members have been appointed, including chairperson Pansy Tlakula, but we have not seen any substantial further action from this body. This government body is key to each and every one of our lives, so why have we heard so little about it?
Introduction to the Information Regulator
The Information Regulator is an independent body that has been established with the dual mandate of:
(1) Promoting access to information in line with the Promotion of Access to Information Act, 2000 (Act 2 of 2000) (PAIA), and
(2) Monitoring and enforcing compliance by public and private bodies with the Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPI).
The Information Regulator was established in terms of Section 39 of the Protection of Personal Information Act 4 of 2013. It is subject only to the law and the constitution and it is accountable to the National Assembly.
The Information Regulator was established in December 2016 and the current members of the Information Regulator are Chairperson Pansy Tlakula (Adv), Adv Lebogang Stroom-Nzama, Adv Collen Weapond, Prof Tana Pistorius and Mr Sizwe Snail ka Mtuze.
The creation of this body means that the public can now approach the Information Regulator to address the following:
1. The facilitation of access to information
2. Protection of information and personal data
3. Reporting on misuse of data
However, while the sections of POPI that establish the Information Regulator are in force, the substantive provisions of the Act (the conditions for lawful processing, the complaints and enforcement machinery, and the penalties) have not yet been brought into operation. A year after being established, the Regulator has yet to appoint staff.
What could the information regulator do?
The Information Regulator has a dual mandate of ensuring access to information and protecting personal information. As part of this role, it is the Regulator’s responsibility to ensure that data is protected and that personal information is held and secured by responsible parties.
The Information Regulator can also hold responsible parties accountable for not complying with the PAIA or POPI Acts.
The Information Regulator’s responsibilities include:
- The responsibilities as outlined in Part 4 and 5 of the Promotion of Access to Information Act (PAIA)
- Monitoring and enforcing POPI compliance by public and private bodies
- Handling complaints by data subjects in line with POPI
- Ensuring compliance with the conditions for processing information
- Ensuring the personal information is processed lawfully by responsible parties
- Educating responsible parties on the conditions for lawful processing of personal information
Find out more about the Powers, Functions and duties of the Information Regulator here: http://www.justice.gov.za/inforeg/about.html
For some time ODAC have been promoting the use of the Promotion of Access to Information Act 2 of 2000 (PAIA). We have accomplished some great successes with PAIA in not only encouraging the public to use the Act but also using it ourselves in the strategic pursuit of transparency. In the 2012 reporting period, the PAIA Civil Society Network (of which ODAC is an active member) noted that only 16% of requests resulted in the release of requested information, and more disturbingly, 54% of requests simply remained unanswered. As the Information Regulator is now responsible for upholding the PAIA Act it is our hope that this will allow for more freedom of information and greater transparency as clearer processes are put in place to facilitate the sharing of information under the Act.
Why is the Information Regulator important?
The Information Regulator reports to Parliament and has extensive powers to regulate and enforce both the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPI). The Information Regulator can also investigate and fine parties who violate PAIA or POPI. Under POPI, businesses and bodies will be responsible for the protection of the personal and consumer data they gather and will not be allowed to sell consumer data without consent. Under this law, offences can attract fines of up to R10 million or imprisonment, so companies and the individuals responsible for them could face prosecution and jail terms.
As recently as October 2017, a massive data breach was reported in which the personal information of some 30 million South Africans was compromised, including names, addresses, ID numbers, genders, ethnicities and email addresses. The breach was blamed on insufficient security measures and is a stark wake-up call that we should all be questioning what measures companies have in place to protect our personal data.
This is one of numerous data breaches that have occurred over the last few years. Do you know if your personal data has been compromised? If you would like to, you can check whether your personal information has been compromised here: https://www.thisisme.com/
Under POPI, the Information Regulator should be enforcing stricter security measures to prevent these types of breaches and holding companies responsible for security negligence to account.
The Regulator's appointment promised a new dawn in access to information and protection of privacy in South Africa. However, so far the Regulator has not received sufficient support from the state to ensure its operation. The five members of the Regulator are drawing salaries without enough support staff or their own offices to allow them to function. As the substantive provisions of POPI are not yet in operation, they are effectively bound hand and foot.
Questions for the Information Regulator
With the concerns about data security increasing daily here are some urgent questions that need to be asked and answered by the Information Regulator.
1. How will POPI be regulated and enforced once its remaining provisions are brought into operation?
2. What authorisation process is in place to ensure responsible parties can process personal information?
3. If there is no authorisation process in place, what is the time frame for establishing one?
4. PAIA automatically designates a person in each organisation as the Information Officer. What is the process for registering an Information Officer with the Information Regulator?
5. How will the Information Regulator enable compliance with other data protection regimes, for example the EU's GDPR?
Of further concern is the European Union's General Data Protection Regulation (GDPR). The EU has adopted a single set of rules, the GDPR, to protect the personal data of everyone in the European Union; it applies directly in all member states such as France, Germany and Italy.
The GDPR replaces the Data Protection Directive and is set to become the 'gold standard' for data privacy regulation globally. Under the GDPR, individuals have expanded rights over their data, including the right to be informed, the right of access, the right to rectification, the right to erasure (the 'right to be forgotten'), the right to restrict processing, the right to data portability, the right to object, and the right to be notified of a data breach that is likely to put them at high risk. The GDPR also sets stricter conditions for obtaining consent, and organisations will have to be able to demonstrate that valid consent was given before relying on it to use an individual's personal data. Security requirements are stricter too: businesses must put adequate technical and organisational security measures in place to guard against data breaches, and must act quickly to notify the supervisory authority (and, where the risk is high, the affected individuals) when a breach occurs. In addition, it will be imperative that organisations establish procedures for handling personal data so that they can honour these rights and comply with the regulation.
The GDPR applies from 25 May 2018. Organisations that are not in compliance face heavy fines: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. This has important implications for companies in South Africa that work with EU customers' personal data. The GDPR applies not only to organisations established in the EU but also to organisations outside the EU that offer goods or services to people in the EU, or that monitor their behaviour there. If a South African business offers goods or services to individuals in the European Union, it will be subject to the GDPR.
The GDPR also governs transfers of personal data out of the EU. The European Commission can issue an 'adequacy decision' for a third country whose data protection law it finds to provide an essentially equivalent level of protection, and personal data may then flow to that country without further safeguards; without such a decision, EU organisations sending data to South African companies must rely on contractual or other safeguards. Any assessment of South Africa's adequacy would look at the data protection legislation actually in force and at the existence of an independent, effective supervisory authority, which is precisely the role the Information Regulator is meant to play. This makes bringing POPI into operation even more relevant to South African businesses. Will the EU find South Africa's protection adequate if there is no operative legislation to protect personal data?
We as citizens of South Africa need to start holding our government and the Information Regulator in particular accountable for our data security.
How do you contact the Information Regulator?
Visit their website for more details: http://www.justice.gov.za/inforeg/contact.html
If you have a question or comment about PAIA or POPI that you would like the Information Regulator to address we suggest you write a formal letter to the Office of the Information Regulator for the attention of Chairperson Pansy Tlakula.
For more information on PAIA and POPI:
PAIA: Promotion of Access to Information Act, 2000 (Act 2 of 2000):
ODAC have put together a guide to assist organisations in engaging with PAIA. Our hope is that as more departments are forced to engage with PAIA through requests, they will be more likely to implement systems to deal with PAIA requests, which will lead to more effective and responsive behaviour.
- How to implement PAIA in your organisation: http://www.odac.org.za/index.php/resources/publications
- Download the ODAC PAIA Guide: http://www.odac.org.za/images/docs/publications/implementationguide.pdf
- ODAC REPORT: Accessing Information? What we know from user experiences: http://www.odac.org.za/images/docs/publications/PAIA_Users.pdf
- ODAC REPORT: The Status of Access to Information in Africa: http://www.odac.org.za/images/docs/infographics.pdf
POPI: Protection of Personal Information Act 4 of 2013:
- Powers, functions and duties of the Information Regulator: http://www.justice.gov.za/inforeg/about.html