26 September 2013

POPI

South Africa has moved towards a comprehensive national data protection regime, with passage by the South African Parliament of the Protection of Personal Information Bill [PDF], aka POPI.

The Bill is expected to come into force by the end of the year, after signature by the President. It was introduced in August 2009 and reflects the EU Data Protection Directive 95/46/EC, along with recognition in the South African Constitution of human rights.

Accordingly it features eight data protection principles. The Act will establish a national Information Protection Regulator (IPR), with investigatory and enforcement authority that includes the power to impose fines of up to ZAR 10 million. There will be criminal sanctions of up to 10 years' imprisonment for obstruction of IPR activities.

The Act will enshrine a mandatory data breach notification requirement, with reporting to the IPR and data subject, unless the identity of such data subject cannot be established.

The Bill provides for a one-year transitional period for corporate compliance, weakened by scope for the IPR to extend that grace period to three years.

The Parliament stated that
The Bill gives expression to the right to privacy provided for in the Constitution. The right to privacy includes the right to protection against unlawful collection, retention, dissemination and use of anyone’s personal information. The Bill is comprehensive and regulates the manner in which personal information may be processed, by establishing conditions in harmony with international standards that prescribe the minimum threshold requirements for the lawful processing of personal information.
The Bill is to
To promote the protection of personal information processed by public and private bodies; to introduce information protection principles so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
The Preamble to the Bill indicates that
Recognising that—
● section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
● the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
● the State must respect, protect, promote and fulfil the rights in the Bill of Rights;
And bearing in mind that—
● consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;
And in order to—
● regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.
The Purpose of the Act (Chapter 1) is to
(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; 
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing principles, in harmony with international standards, that prescribe the minimum threshold requirements for lawful processing of personal information;
(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including an Information Protection Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
The Act must be interpreted in a manner that—
(a) gives effect to the purposes of the Act set out in subsection (1); and 
(b) does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such functions, powers and duties relate to the processing of personal information and such processing is in accordance with this Act or any other legislation that regulates the processing of personal information.