Protection of Personal Information Bill
The Protection of Personal Information Bill aims to regulate the collection and processing of personal information by both private and public bodies, including the State. The Bill was introduced in Parliament recently.
Personal information means any information related to a person, such as his/her:
- Name, address and ID number;
- Blood type and fingerprints;
- Educational, medical, criminal or employment history, as well as information pertaining to financial transactions;
- Views or opinions; and
- Information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
Information Protection Commission
The Bill provides for the establishment of the Information Protection Commission (Commission) to enforce the provisions of the Bill. The Commission will receive and deal with complaints, and may initiate investigations where non-compliance is suspected.
The Commission should be notified before any personal information is collected or processed. In certain instances (e.g. where the processing of information may affect an individual’s rights or freedoms) the Commission may initiate an investigation. In such cases processing may not commence while the investigation is ongoing.
Information Protection Principles
The draft Bill sets out eight principles for the processing of personal information:
Principle 1: Processing limitation
Personal information must be collected directly from the data subject and may only be processed with the consent of the data subject, or where it is necessary to comply with a legal obligation, public law duty or contractual obligation.
Principle 2: Specific purpose
Personal information must be collected for a specific, explicitly defined and legitimate purpose. The data subject should be aware of the purpose for which the information is collected, and who the likely recipients of the information will be.
Principle 3: Further processing limitation
Personal information may not be processed further in a way that is incompatible with the purpose for which the information was collected initially. Thus, if information was processed for the purpose for which it was collected, it may only be processed further if it can be shown that the purpose for the further processing is compatible with the original purpose. The Bill provides guidelines to assist with such an assessment.
Principle 4: Information quality
The person or institution that determines the purpose and means for processing personal information should ensure that the information is complete, not misleading, up to date and accurate.
Principle 5: Openness
Personal information may only be collected if the Commission was notified. Also, where personal information of a data subject is collected, the person or institution responsible for such collection must ensure that the data subject is aware of:
- The fact that the information is being collected;
- The name and address of the person or institution collecting the information;
- Whether or not the supply of the information by that data subject is voluntary or mandatory and the consequences of failure to reply; and
- Where the collection of information is authorised or required under any law, the particular law to which the collection is subject.
Principle 6: Security Safeguards
The Bill requires the implementation of technical and organisational measures to secure the integrity of personal information, and to guard against the risk of loss, damage or destruction of personal information. Personal information should also be protected against any unauthorised or unlawful access or processing.
Principle 7: Individual Participation
A data subject is entitled to the particulars of his or her personal information held by any institution or person, as well as to the identity of any person that had access to his or her personal information. The data subject is also entitled to require the correction of any information held by another party.
Principle 8: Accountability
The party or institution that holds personal information must give effect to the principles for the protection of personal information as set out in the Bill.
Processing of personal information in the public interest
Despite the principles set out above, the Commission may authorise the processing of personal information where it will be in the public interest, or where there is a clear benefit for the people concerned. The ‘public interest’ as referred to here may include:
- Interests of State security;
- The prevention, detection and prosecution of criminal offences;
- Important economic and financial interests of the State and other public bodies; or
- Scientific research and government statistics.
Trans-border information flows
The Bill regulates the transfer of personal information to parties outside South Africa. In essence, personal information may only be transferred to a party in a foreign jurisdiction where the information will enjoy similar protection to that afforded in terms of this Bill. Incidentally, since the EU and US have similar privacy laws with strict requirements for the protection of personal information, personal information of EU or US citizens may only be sent to jurisdictions with adequate measures to ensure protection of data. The fact that this Bill is not yet promulgated may cause difficulties prior to and during the Soccer World Cup in 2010.