Portfolio Committee on Justice and Constitutional Development
Most submissions on proposed personal information legislation have called for a long-term implementation timeframe to ensure adequate levels of compliance and ease cost implications. The portfolio committee on justice and constitutional development has conducted public hearings on the Protection of Personal Information Bill in Parliament.
A number of important submissions were received from key stakeholders in different sectors.
The Banking Association of South Africa (BASA) noted that the proposed legislation would grant the intended information regulator “wide and potentially conflicting roles”. The regulator would, in addition to the normal regulatory functions, also contain a consumer complaints investigation bureau and a review mechanism. The later two functions would have to be carried out in an impartial manner so that the regulator maintained credibility with all stakeholders.
BASA acknowledged that the bill was necessary to ensure that South Africa’s personal privacy legislation complied with minimum international standards. Such a development would lessen the concerns of potential international investors and those seeking to conduct business in South Africa.
The legislation was also important for local citizens in clearly spelling out personal privacy rights. The association recommended that the bill clearly set out implementation phases. For example, regulatory infrastructure, codes of conduct and ombuds facilities should be implemented within 18 months of the promulgation of the act. A further 18 months should be allocated for implementation by the relevant institutions.
According to BASA, the proposed legislation had to be properly drafted in order to avoid high compliance costs or potential litigation. The legislation had to balance the constitutional right to privacy with the rights of parties to access and process information.
Business Unity South Africa (BUSA) declared that the proposed legislation would improve competitiveness in the local economy by facilitating data exchange with countries that have similar data protection legislation. Levels of trade would be enhanced.
BUSA voiced concern that the bill had not been tabled at Nedlac prior to tabling in Parliament. Another concern is that the ‘full implementation of the provisions of the draft bill will employ time, money and scarce technical resources”. For example, a major bank has estimated implementation costs at R200 million.
A transitional period of up to five years was proposed to allow for the development of codes of conduct in the various sectors. Each sector will have its own independent adjudicators.
BUSA asserted that businesses should be allowed to retain historical information as long as the need to keep such information was reasonable. For example, to assess the payment history of customers.
More clarity was needed on the separation of roles for the regulator. Any possible conflicts of interest had to be minimised.
Implementation of the bill had to be carefully managed to avoid excessive costs to business, particularly at the micro-level. BUSA estimated that the total cost to business could exceed R2 billion. More time for implementation was needed to ease the cost burden.
The South African Law Reform Commission stated that more clarity was needed on the provision specifying on what grounds an individual could object to the processing of personal information. The bill provides that the objection must be “reasonable”.
The South African National Editors Forum (SANEF) voiced concern at the constitutionality of the bill in terms of the “balancing of rights when measured against the freedom of expression clause”.
The bill is also littered with an excessive amount of exemptions and exclusions that will give many different individuals and institutions access to personal information.
According to SANEF, concepts contained within the proposed legislation seem to point to the likelihood of increased levels of censorship due to unintended consequences.
An important concern was that the bill would place journalists in a special category due to exemptions. This would mean that journalists would not be liable for certain actions that an ordinary citizen would be. This was perceived to be problematic as journalists did not want to have powers greater or lesser than an ordinary individual. The possibility of a register for journalists was also seen as controversial.
The bill also accords the security sector, including the police, with additional powers to gain access to private property and retain personal information seized. The power of the regulator to authorise a “responsible party” to process personal information is unsatisfactory as the consent of the data subject should also be obtained. The regulator should not have the power to determine what is beneficial to the subject.
The South African Insurance Association (SAIA) emphasised that information management policies and procedures would have to be reviewed and updated to ensure compliance. Staff members would have to be trained in the new procedure. Therefore, sufficient time should be allocated for this.
The proposed legislation, once enacted, would necessitate a review of or introduction of a number of information technology (IT) policies within insurance companies in order to ensure compliance. SAIA stressed that compliance would be difficult without the necessary changes to the IT systems.
The bill’s proposed implementation timeframe of one to three years was also perceived to be unrealistic.
Sabinet Cape Town Office
Post new comment