No government ‘exceptions’ on personal data
Category : Personal Data
Cape Town – The Protection of Personal Information Act (Popi) should apply to all organisations, irrespective of whether they be government agencies, a security firm has asserted.
Popi was promulgated in 2013 in response to the rampant practice of companies collecting and trading personal information, but the act is intended to limit this behaviour.
The act specifies that personal information must be processed lawfully and “in a reasonable manner that does not infringe on the privacy of the data subject”.
This means that in theory, one government department, home affairs for example should not – under the law – be allowed to share information with agencies like the Metro Police or Sars.
“The law applies to all parties accessing private information as far as we understand. We are not aware of special circumstances being extended to government or their associations,” Andrew Kirkland, regional director for Trustwave Africa told News24.
Trustwave is a security company that specialises in helping organisation fight cybercrime by, among other things, conducting ethical intrusions and monitoring to ensure data fidelity.
Popi places the burden of showing that personal data has been carefully managed with the company or organisation that collects it.
However, while the act does not specifically exempt government departments, it makes an exception as regards the sharing of personal information where it relates to criminal activity.
Specifically, the act describes that the law does not apply to activity “which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities”.
In practice, it is expected that the appointment of a regulator as envisioned in the act will adjudicate on matters where people feel that their personal data has been misused.
The act also specifies that organisations that flout the law will be subject to financial penalties, but it is up to the regulator to make a determination on the extent of these.
However, the regulator has not yet been appointed, potentially leaving citizens in legal limbo as far as their personal information protection is concerned.
Trustwave said that given the importance of personal information and the legal implications for companies that store the individuals’ data, the appointment of a regulator and discussions on the implementation of Popi was key.
“If the data relates to private individuals based in SA then the law would apply no matter where the data sits. We are not yet sure what this will look like yet and are eager to discuss these and others with the regulator once appointed,” said Kirkland.
It is expected that once the act is fully implemented South Africans will enjoy a level of protection of personal information, but access may still constitute a barrier to legal remedies even though the regulator is empowered to act independently.
Kirkland said that despite all the legal protections, it is important that all citizens protect their personal data.
“We all have a responsibility to protect private information.”