Business has its work cut out on privacy law
Experts warn that companies have a significant amount of work to do to ensure their business practices are in line with the basic principles of data processing once the act comes into force.
The introduction of the legislation brings South Africa in line with international best practice in terms of the protection of personal information. The act gives effect to an individual's constitutional right to privacy by safeguarding personal information when processed by public or private bodies‚ subject to justifiable limitations.
Mark Craddock‚ KPMG's specialist on this legislation‚ says globally there have been several cases of breaches of personal information regulations‚ with financial institutions being most heavily affected.
He says it will be in the interest of companies involved in processing personal data to test their level of compliance with the act sooner rather than later.
Personal data and information protected
Cliffe Dekker Hofmeyr director Nick Altini says companies will have to be a lot clearer on why they require certain personal data and what they intend doing with it. They will have to get consent from the individual to be able to use the information in the manner they have indicated.
Personal information includes a person's race‚ gender‚ sex‚ marital status‚ sexual orientation‚ age‚ physical or mental health‚ well-being‚ disability‚ religion‚ conscience‚ belief‚ culture‚ language and birth.
"It will require behavioural changes from companies‚ as well as internal structural changes such as information technology upgrades‚ assurances that a database could not be accessed‚ and physical fire-walls and safety measures to ensure employee records are kept safe. These records include their medical‚ educational and disciplinary records‚" Altini says.
Companies will have to ensure that their own internal structures actually flag individuals who have not given these companies the right to use their personal information.
"It is going to be difficult for smaller companies to create the necessary computerised structures‚ but that's the way of the world now. It costs money to be compliant," Altini says.
Companies under-estimate the complexities
According to Deloitte's experts on the act‚ Daniella Kafouris and Dean Chivers‚ many companies under-estimate the gravity and complexity involved in becoming compliant. For instance‚ companies doing business in several jurisdictions will no longer be able to outsource data-storage functions to service providers in countries that do not have similar legislation, without implementing contractual and risk mitigating measures.
They say the rules governing the handling of data will affect nearly every aspect of business. It will require changes to legal documents‚ analyses of subcontracting practices and gaining control over cross-border data flows.
"However‚ the success of the legislation will depend on the strength of the regulator‚" Altini says. In instances of abuse‚ individuals will have the right to complain to the regulator.
Once there has been a transgression of the act‚ the regulator will be able to issue a compliance notice and a penalty against the non-compliant companies. "The individual can also sue for damages‚ irrespective of the intention of negligence‚" Altini says.
Information is often in the public domain
"It will be very difficult to prove‚ and our courts are so conservative when it comes to non-monetary losses. I think it is quite unlikely that we will have people winning the equivalent of a lottery because their information has been made public," he adds.
Altini says there are certain transgressions‚ such as obstructing the regulator's ability to perform his duties or giving false evidence‚ that carry criminal sanctions.
He says that because of this any company will have to ask itself some pertinent questions about its business practices‚ such as why it wants the identity number of a person entering the premises‚ what it will use the identity number for for‚ how long it will keep it and who else will have access to it.
"There is a general rule that if information is already in the public domain‚ then it is not worth protecting. People do not realise they themselves are responsible for putting information in the public domain and have only themselves to blame‚" Altini says.
Craddock says the act adds further complexity to what is already a convoluted legislative and regulatory business environment. Unless a company has a cohesive practical implementation plan that is line with its legal obligations‚ it remains at risk.
"Global trends show that getting privacy right is important to ensure customers trust organisations," Craddock says.
Source: I-Net Bridge
For more than two decades, I-Net Bridge has been one of South Africa’s preferred electronic providers of innovative solutions, data of the highest calibre, reliable platforms and excellent supporting systems. Our products include workstations, web applications and data feeds packaged with in-depth news and powerful analytical tools empowering clients to make meaningful decisions.
We pride ourselves on our wide variety of in-house skills, encompassing multiple platforms and applications. These skills enable us to not only function as a first class facility, but also design, implement and support all our client needs at a level that confirms I-Net Bridge a leader in its field.
Go to: http://www.inet.co.za