The revelations of Mark Zuckerberg’s congress hearing on 11 April 2018 put the spotlight on privacy restrictions and the value of one’s personal data. However, 5 years prior to this historical exchange of unintelligible questions, evasive answers, and not so sincere apologies, the South African Government had compiled the Protection of Personal Information Act (PoPIA). This Act, which was gazetted in November of 2013, has taken some time to be implemented but never has it been more relevant a time for us as private citizens and a business community, to take it seriously.
The PoPIA is defined and inspired by the Constitution of the Republic of South Africa, where in section 14 it states that: “…each individual has the right to privacy…” This right includes: “…the protection against unlawful collection, retention, dissemination and use of personal information…”. When this part of the constitution was written in 1996, never did it occur to the newly democratised state that it would become the main topic of debate in parliament 22 years later. As a democratic state, the constitutional values must be upheld and maintained in accordance with advancements in technology and in relation to international standards.
How it works
The PoPI Act insures that organisations that intend to use citizens’ personal information do so through a process that is fair, responsible, and secure. That means acquisition of personal information through a) consent of the data subject via b) direct collection of information from the data subject c) for the purpose of the contract for which it was intended and no more. There are 8 conditions for the lawful process of personal information as follows:
- Condition 1: Accountability
- Condition 2: Processing limitation
- Condition 3: Purpose specification
- Condition 4: Further Processing Limitation
- Condition 5: Information Quality
- Condition 6: Openness
- Condition 7: Security Safeguards
- Condition 8: Data Subject Participation
These conditions are in place to help all responsible organisations reduce their risk of processing information unlawfully. It is paramount for organisations -no matter their size- to take the time to install and follow law abiding privacy policies and effective practices in accordance with the PoPI Act.
Responsibility of the organisation
Once an organisation controls personal information, it is their responsibility to take appropriate, reasonable, technical, and organisational measures to prevent it being accessed unlawfully by external parties.
This key part comes down to supported training and accountable education for employees and trust by the public in these organisations to protect their information.
However, the Information Regulator has the overarching reach to issue monetary fines and prosecute organisations publicly for failing to comply with the PoPIA and, if need be, sentence those at fault to up to 10 years in prison.
Now, putting this in a South African context, we must cast our minds back to the Jigsaw Holdings data breach in 2017. Even though this breach occurred after President Zuma had passed the PoPI Act, it was not yet implemented. The onus to look after and secure the 63 million records of personal data mined by Jigsaw Holdings was lost to outside parties. This breach was unfortunately acknowledged as an accident by the Information Regulator but, if it were to occur under the full enforcement of the PoPI Act today, the organisation in question could have been issued with a culpable negligence finding and up to 10 years in jail (criminal judgement). That is why it is so important for all businesses today to put in place the processes listed above, respect all citizens’ personal information and to take this matter very seriously.
Data leaks in the 21st Century
The question then arises, where do the Social Media and Tech giants feature in honouring the core values of the PoPIA and democracy? We, as citizens, must ask ourselves exactly what our privacy means to us in today’s digital age?
When the news of the Facebook scandal was known to the world. The Information Regulator at the Department of Justice wrote to the social network to discover the effect on the almost 60 000 South African Facebook accounts that had been utilised by Cambridge Analytica. These are early signs of how serious this issue is, but it also shows the reach the Information Regulator and PoPI Act has over an organisation like Facebook to take accountability for the precious data it must protect for its 2 billion users. What is needed are new measures of self-regulation by the $500 Billion business. Since the scandal, Facebook has set more stringent rules for app developers and their users. If an account holder does not use an app for more than 3 months, Facebook will cut off the developers’ access to any information about the individual. All pre-existing apps that already hold account holders’ personal information, will undergo an audit and, if an application were to refuse, it will be removed from the social network platform immediately. These steps taken by Facebook are necessary to ensure our data is not being used in ways that can cause polarisation of our societies both online and in the real world.
The narrative that has dominated the news -as it should be- has been focused on the organisations not doing enough to protect this information but we as consumers are also to blame (inadvertently) as the consent of this information was agreed upon by us, be it through service agreements or social media profile T’s & C’s.
The Protection of Personal Information Act was discussed all those years before the recent debacles because Government(s) knew the imminent need to protect its citizens’ Constitutional rights in the digital age from serious negligence. That is why the 8 core conditions have been outlined with the sole intent to protect the data subject. Through its network partners in the Change Collective, Litha-Lethu Management Solutions now offers an integrated approach to addressing governance, risk, and compliance, including conducting a POPI Act Health Check, and matching services (including training, skills transfer, and change management processes) to mitigate the risks identified, and cement compliance.
This article was submitted by Dr Peter Tobin.