Regulator ‘flooded’ with queries on private info act
Companies and state institutions that fail to protect the personal information of clients, such as phone and ID numbers, could be fined up to R10m, while the individuals involved face sentences of up to 10 years in jail.
And the statutory body tasked with the enforcement of the Protection of Personal Information Act (Popia), which came into effect in July, has now received “a flood” of requests from companies and government institutions seeking assistance on how to comply with the new law.
This is according to advocate Pansy Tlakula, chair of the Information Regulator of SA, which was established in 2016 to ensure that the private information of citizens is kept safe by institutions and not abused.
The Popia requires institutions to have reasonable technical and organisational measures in place to secure personal data. The act also gives the information regulator extensive powers to impose administrative fines of up to R10m for non-compliance while imprisonment penalties are capped at 10 years.
The act is binding on anyone “collecting, receiving, recording, storing, retrieving, using, disseminating, linking, merging, erasing and destroying information”.
The information regulator’s decisions, in terms of the act, are binding but can be reviewed by the high court.
Tlakula’s office is drafting which are soon to be gazetted.
Business establishments and government institutions have until June next year to get their houses in order, including adopting a code of conduct to ensure they are all held accountable to the same standards.
Tlakula said that in addition to a “flood” of requests for guidance, her office also receives “complaints and requests for training, guidelines and in our environment you can’t say I am not a trainer, you have to do everything”.
Personal information safety has been thrust into the spotlight following a data breach by consumer information management agency Experian, which exposed sensitive personal information on 24-million South Africans to a suspected fraudster a fortnight ago.
Tlakula said that since then, a lot of companies that had similar breaches that had gone unnoticed by the media have come forward, seeking assistance on complying with the Popia. Between May and August there had been 25 data breaches, and 19 were self-reported.
“Everyone is saying, ‘Is there a particular format that we must use to notify you?’,” said Tlakula, adding that this was part of the guidelines that were being drafted.