Careful where you list your ID
With the long-awaited Protection of Personal Information Act likely to come into effect on April 1 2020, Ridwaan Boda, director of technology, media & telecommunications at law firm ENSafrica, spoke to Business Day about the meaning of the act for business and consumers when it comes into effect.
We’ve been talking about the act for a decade now. Is it really happening this year?
The regulator has gone on record publicly to state that she has asked the president to ensure that the Protection of Personal Information Act is put into effect from April 1. I don’t think she would have done so without some degree of certainty. So as things stand, it’s still in the hands of the president, but from the regulator’s perspective April 1 is the likely date.
Are companies actually worried or concerned about the act?
A big part of our job is education at the moment. Everybody’s been speaking about the act forever. Since 2009 we’ve been speaking about privacy legislation for SA and every year we go to our clients with the same message: “get ready, get ready” and “it’s coming, it’s coming”. Then our clients think we’re crying wolf and say “come speak to us when it becomes law”.
That said, all of the banks, the telcos now have trained privacy and information officers.
Where we’re seeing a lot of apathy about compliance is in the public sector. It doesn’t seem to be an issue for them at the moment. But now that the information regulator has gone on record about April 1 a lot more inquiries are coming, asking: “What do we need to do to get ready for [the act]?”
Should consumers be concerned about [the act]?
Yes. Consumers must be aware of the information they put out. From social media to what information you make available to a company asking for it.
For example, I’m a member of the gym. On the membership, my wife comes along with me and every time she does, she has to sign a register with personal information on it at the reception, and anybody can see it. It has names, phone numbers, ID numbers. Also, there’s a register of hotel guests: name, passport number, which hotel you are staying in, which room number? Those are real risks for consumers.
For personal safety and security risk, consumers need to be aware of their rights as data subjects, not just as individuals.
A big part of the education, and I think that’s where the regulator has a big role to play, is educating the public on what to be aware of and what they should be posting — or the effects. Some people put silly things on social media ... they set themselves up for fraud.
Will this legislation not affect direct marketing services significantly?
Direct marketing is an area which will be significantly affected by the Protection of Personal Information Act, especially because the regulators introduced a standard form consent.
If the regulator adopts a pragmatic view I think companies should be fine, provided they bear responsibility when they obtain consent. If the regulator adopts a very lateral approach to the wording of the regulations then direct marketing companies or marketers are going to be ... not in trouble ... but they need to pay a lot more attention to those regulations.
Does [the act] have provisions to make details of data breaches open to the public?
Yes. The regulator is actually empowered to instruct an infringing responsible party to put details of a breach in the media. If you look at the French regulator, for example, one of the banks had a data breach and they forced the company to take out an advert in several newspapers notifying data subjects of the breach.
Also, the act has got safeguards built into it. Responsible parties have to take proactive measures to notify affected data subjects of a breach. There are various ways in which you can notify … it can be by letter, it can be a notice on the website to say there has been a data breach or information may have been compromised.