Why privacy matters
Failure to implement privacy act means perpetrators of SA’s largest data leak will go unpunished
How could a property company put an estimated 60m South Africans’ personal information into an insecure database file and on an insecure Web server that has now been linked to the biggest data breach in SA history?
How did they manage to collate so much sensitive data about us without our permission? And how is it that they might get off scot-free for exposing potentially all of us to identity theft because legislation hasn’t yet been properly implemented?
The Protection of Personal Information (Popi) Act 4 of 2013 is an ideal framework to protect our identities in the digital age. It’s a good way to keep us safe from unscrupulous use of our personal details, and aims “to introduce certain conditions so as to establish minimum requirements for the processing of personal information”.
Pity it isn’t fully operational. Even then, what happened last week — in what’s been named the “Masterdeeds” leaks by security researcher Troy Hunt — its existence wouldn’t be a crime, but you wouldn’t be able to collect all of that data in the first place without permission.
The name is from the headings in the database that alerted Hunt that it might be property related. It was later confirmed when the leak was discovered to have been on servers run by Jigsaw Holdings, which owns Aida, ERA and Realty-1.
“Under existing common law, there are implications for companies that intentionally or negligently disseminate private information, but the process is arduous and the remedies are not significant,” says media law expert Dario Milo from Webber Wentzel. A maximum fine of R10m could have been imposed if Popi had been properly enacted but the regulatory body, the Information Regulator, was only established this year, despite the act being enacted four years ago.
After the story broke, I was called by an astonished SA radio reporter working in London. Apart from the obvious “how did this happen”, she wanted to know if the police would investigate such a huge data leak that in any other democracy would be swiftly and mercilessly prosecuted.
I had to explain that our national head of prosecutions is laughably incompetent. What chance does a data leak have?
“Under common law there are obligations to not disseminate personal information without consent or other justification,” Milo says, but the only way to take action would be through a common law breach of privacy claim. The chances of that happening are as likely as Presidunce Jacob Zuma paying back the money.
We are left with the terrible reality that our most sensitive details have been exposed online to any number of cyber criminals and identity theft could affect all of us. It is simply unbelievable that one company could create such a database without our consent and be so reckless with it.
As Milo says: “In a Popi world, things will be dramatically different.”