/ 3 September 2013

Crib notes: Popi is here for you

Crib Notes: Popi Is Here For You

The Protection of Personal Information Bill (Popi) on Tuesday received the stamp from Parliament's and the president. Now financial institutions around the country will be scrambling to protect themselves and your data. But what does the Bill mean for you and me?

Is this the Bill that lets dodgy characters get away with splurging taxpayers' money any way they like, and then claiming it’s a state secret?
No, you’re confusing it with the Protection of State Information Bill, the one they call the Secrecy Bill. Can’t blame you for that. While the state was doing its public consultations on the Secrecy Bill, some people were peddling the idea that it was set up to protect people’s personal information from scammers. But these are very different pieces of legislation.

How so?
Well for starters, the Protection of Personal Information Bill goes by the less menacing and much more endearing nickname "Popi".

And is Popi any good?
Very. Sometimes South Africa gets its lawmaking very wrong (see above re: Secrecy Bill) and sometimes we get it very right. Popi is one of those Bills that has everyone, from the ruling party to the opposition, and from businesses to nongovernmental organisations (NGOs) pleased. Even usually sceptical NGOs have deemed it "well considered" and "finely crafted". And it should be, given that it’s been 10 years in the making and is based on the well-honed European Union legislation for protecting personal information.

What’s it for?
In technical terms, it’s a "general information protection statute" designed to prevent the negligent disclosure of personal information.

What this means is that an organisation or "responsible party" can only capture, use and store your personal information with your express consent.

And the definition of personal information is really broad. It includes pretty much anything that can be used to identify you in any way; be it your name, ID number and address, or your religious affiliation, sexual orientation, medical history, criminal record, educational and financial history and even your biometric data, online identifiers (like say, a Twitter handle) and location services.

It also includes things like your personal opinions, any private correspondence and other people’s views about you.

Organisations that ask for your information will be responsible for ensuring that it's kept up to date. So those financial institutions that keep sending your statements to your parents' house, where you haven’t lived in 20 years, will actually have to check that your details are up to date from time to time.

They also have a responsibility to take reasonable security measures, in line with recent industry standards, to secure that information from the moment it’s been captured until it's been destroyed. And the minute they no longer need the information, it has to be destroyed in line with industry standards. So that could be shredding for a small business, or getting specialist IT in to annihilate digital records.

And that means …
No more spammers!

Really. Not right away of course. But once Popi is signed into law, companies will have about a year to get their ducks in a row. That means setting up adequate security protocols and hiring staff to oversee the gathering, securing and appropriate use of personal information.

If a company already has a relationship with you, it needs to make sure you know why they need your personal information and what it will be used for, and you have to consent to them having it.

If there’s no existing relationship between you and a company, for example in the case of direct marketing, they will have just one opportunity to ask you whether you’d like to opt in to receive marketing information. If they don’t respect your wishes, you’ll be able to report them to the regulator.

There’s a regulator?
There will be in the future. The Information Regulator will deal with consumers' complaints and with appeals concerning breaches of the law. And it won’t just be one of those Mickey Mouse organisations, it will have teeth.

What kind of teeth?
The kind that issues R10-million fines or imprisons people for up to 10 years if they don’t respect your information and handle it with utmost care. This should be a huge deterrent, not just for spammers and scammers but for those who peddle personal information and take part in identity theft or credit card fraud.

Remember when the City of Johannesburg had a security flaw so huge it allowed anyone to read its customer’s billing information, including their name, account numbers and contact details? Well, if that happened to you, you’d be able to drag the City before the regulator and lodge a civil claim. People could go to jail.

And if someone clones your identity and uses it to commit fraud, it’s the organisation that they got your data from that will be held liable.

Who does it apply to?
Basically everyone. All public and private organisations will have to put systems in place to protect your personal information.

Certain groups however have been excluded, such as journalists using the information in the public interest, writers or artists using the information for literary or artistic purposes, judges carrying out their official duties; personal households and; to some extent, the state. State bodies involved in crime prevention – like the police or the National Intelligence Agency – will be exempt, as will things like Cabinet meetings.

So no more dumping old office records in the bin or by the side of the road.

Even those security guards who stop you at the entrance to a building and ask you to fill out a form with your name, ID number and contact details will have to explain why they need the information and what they’re going to do with it.

But there’s always a downside to these things. So what’s the downside?
As with most of our laws, it comes down to implementation. Popi itself is state of the art, and in light with the latest trends from the EU. It looks great on paper. But the real question is enforceability and how well equipped the regulator will be to deal with customer complaints.

The office of the Information Regulator has yet to be set up and only time will tell whether it will be adequately resourced and its staff sufficiently skilled to carry out its mandate to investigate breaches of the law and ensure compliance.

So when do we see this law in action?
Probably not for a long while yet. The Bill has yet to be signed off by the president and that could take anywhere from a few days to a few months. Then there’ll be the year’s grace period to allow organisations to make changes to their operations, and even that grace period could be extended if the justice minister thinks organisations need more time to align themselves with the law. And of course the office of the regulator still has to be set up and staffed.

So don’t hold your breath. But don’t be despondent either. It’ll likely come into play some time in 2015.

Meanwhile, most large companies are already making changes to the way they handle information and do their marketing. You’ve probably already come across requests for information with terms and conditions attached explaining what the information is for, and asking you to agree to them.

The only question now is whether the state will go to bat for you if America's National Security Agency gets hold of your emails.

With thanks to Pamela Stein, partner at Webber Wentzel law firm.
This article was edited on November 27 2013