South Africans stand to gain greater control over personal information held by the state, banks, insurers and credit bureaus under a contemplated privacy and data protection law currently being researched by the South African Law Commission.
The aim is to ensure personal information is only used for the purposes for which it is gathered, to regulate collection and storage, compel the notification of a person that their data is held and give a right of access to it, correct mistakes or delete irrelevant information.
It would, for example, apply to credit bureaus, which have been accused of collecting not only information on creditworthiness, but also drinking habits, health, political and religious convictions and race.
Although most financial institutions have codes of conduct on privacy, these are not necessarily enforceable in law and most require individuals to request disclosure.
Under the proposed privacy law, the state is restricted to collecting only relevant personal data for set purposes. But this is balanced by its right to personal information to administer pensions, issue passports and identity books, and conduct censuses.
Any privacy law is likely to limit access to details in the interest of national security, as already contained in the Promotion of Access to Information Act.
Commission project leader Johann Neethling, professor of private law at Unisa, said the commission has asked two experts to brief it on the technical safety requirements in storing personal data.
The commission intends publishing an issue paper by year-end and calling for public submissions. A discussion paper and draft Bill for further discussion would follow, Neethling said
Any personal data privacy law would affect current statutes like the Promotion of Access to Information Act and the controversial, recently-approved Electronic Communications and Transactions Act.
That law already protects privacy through a ban on the disclosure of personal information to third parties and on trade in personal profiles.