Data protection legislation on its way
2/09/2009

The Protection of Personal Information Bill, 2009 (“the Bill”) has been approved by cabinet. Although the Bill is not yet in force, there is an indication that parliament intends to pass it in time for the Soccer World Cup in 2010.

Apart from the right to privacy in the Constitution, limited provisions in certain Acts and the common law, South Africa does not currently have any specific legislation that regulates the processing and protection of personal information (data protection). However, there is a need to bring South Africa’s legislation in line with international standards relating to data protection by way of a comprehensive statute.

The aim of the Bill is to regulate the manner how personal information is processed and to provide for remedies in cases where personal information is not handled accordingly. It will also establish an Information Protection Regulator that will oversee its administration.

The following aspects of the Bill require mentioning:

• In order to process personal information, someone must comply with the requirements set out in the Bill.
• Steps must be taken to ensure that the person to which the personal information relates (“the data subject) is aware of the purpose for which the information is collected.
• Security measures must be put in place to protect personal information against loss, damage and unlawful access. If a third party processes information on behalf of another party, the parties must conclude a written contract which requires the third party to establish and maintain confidentiality and security measures.
• The Bill deals with the period during which information may be retained.
• Steps must be taken to ensure that processed information is complete, accurate, not misleading and updated.
• If a party that processes personal information has reasonable grounds to believe that there has been unlawful access to the information, it must notify the Regulator and data subject.
• There are specific provisions that deal with unsolicited communications (“spam”) as well as subscriber directories (such as telephone directories).
• Data subjects have the right to obtain details regarding their personal information from parties holding such information. They may also request the correction of the information.
• The transfer of information across South Africa’s borders is dealt with.
• The Bill deals with the processing of special personal information in particular. This information includes personal information concerning a child or a data subject’s religious beliefs, race, trade union membership, sexual life and criminal behaviour. Such information may only be processed in terms of the Bill’s strict requirements.

It is important for businesses and individuals alike to take note of the Bill since it will affect their operations and lives in one way or another. In particular, businesses will need to review their employment and other policies once the Bill is passed into law in order to ensure compliance with it.

Danie Strachan
Senior Associate danie-s@adamsadams.co.za