Why pri­vacy mat­ters

Fail­ure to im­ple­ment pri­vacy act means per­pe­tra­tors of SA’S largest data leak will go un­pun­ished

Financial Mail - - PATTERN RECOGNITION - @shap­shak

How could a prop­erty com­pany put an es­ti­mated 60m South Africans’ per­sonal in­for­ma­tion into an in­se­cure data­base file and on an in­se­cure Web server that has now been linked to the big­gest data breach in SA his­tory?

How did they man­age to col­late so much sen­si­tive data about us with­out our per­mis­sion? And how is it that they might get off scot-free for ex­pos­ing po­ten­tially all of us to iden­tity theft be­cause leg­is­la­tion hasn’t yet been prop­erly im­ple­mented?

The Pro­tec­tion of Per­sonal In­for­ma­tion (Popi) Act 4 of 2013 is an ideal frame­work to pro­tect our iden­ti­ties in the digital age. It’s a good way to keep us safe from un­scrupu­lous use of our per­sonal de­tails, and aims “to in­tro­duce cer­tain con­di­tions so as to es­tab­lish min­i­mum re­quire­ments for the pro­cess­ing of per­sonal in­for­ma­tion”.

Pity it isn’t fully op­er­a­tional. Even then what hap­pened last week — in what’s been named the “Mas­ter­deeds” leaks by se­cu­rity re­searcher Troy

Hunt — its ex­is­tence wouldn’t be a crime, but you wouldn’t be able to col­lect all of that data in the first place with­out per­mis­sion.

The name is from the head­ings in the data­base that alerted Hunt that it might be prop­erty re­lated. It was later con­firmed when the leak was dis­cov­ered to have been on servers run by Jig­saw Hold­ings, which owns Aida, ERA and Realty-1.

“Un­der ex­ist­ing com­mon law, there are im­pli­ca­tions for com­pa­nies that in­ten­tion­ally or neg­li­gently dis­sem­i­nate pri­vate in­for­ma­tion, but the process is ar­du­ous and the reme­dies are not sig­nif­i­cant,” says me­dia law ex­pert Dario Milo from Web­ber Wentzel. A max­i­mum fine of R10m could have been im­posed if Popi had been prop­erly en­acted but the reg­u­la­tory body, the In­for­ma­tion Reg­u­la­tor, was only es­tab­lished this year, de­spite the act be­ing en­acted four years ago.

Af­ter the story broke I was called by an as­ton­ished SA ra­dio re­porter work­ing in Lon­don. Apart from the ob­vi­ous “how did this hap­pen” she wanted to know if the po­lice would in­ves­ti­gate such a huge data leak that in any other democ­racy would be swiftly and mer­ci­lessly pros­e­cuted.

I had to ex­plain that our na­tional head of pros­e­cu­tions is laugh­ably in­com­pe­tent. What chance does a data leak have?

“Un­der com­mon law there are obli­ga­tions to not dis­sem­i­nate per­sonal in­for­ma­tion with­out con­sent or other jus­ti­fi­ca­tion,” Milo says, but the only way to take ac­tion would be through a com­mon law breach of pri­vacy claim. The chances of that hap­pen­ing are as likely as Presidunce Ja­cob Zuma pay­ing back the money.

We are left with the ter­ri­ble re­al­ity that our most sen­si­tive de­tails have been ex­posed on­line to any num­ber of cy­ber crim­i­nals and iden­tity theft could af­fect all of us. It is sim­ply un­be­liev­able that one com­pany could cre­ate such a data­base with­out our con­sent and be so reck­less with it.

As Milo says: “In a Popi world, things will be dra­mat­i­cally dif­fer­ent.”

I had to ex­plain that our na­tional head of pros­e­cu­tions is laugh­ably in­com­pe­tent

Newspapers in English

Newspapers from South Africa

© PressReader. All rights reserved.