The Protection of Personal Information Bill 2009 (POPI) aims to
bring South Africa in line with international data protection laws.
Currently in its seventh and final working draft, it has been
forwarded to the Portfolio Committee for final consideration and is
widely anticipated to become law within the next three to six
months.
The impact of this legislation will be far-reaching and will
significantly affect the way companies collect, store and
disseminate personal information.
In this bi-weekly series, members of our Information Law Group
provide some insight into the implications of POPI to assist you in
your preparations for the new legislative regime.
This edition investigates the consequences of a breach such as an
employee misplacing his Blackberry.
At common law a breach of privacy is established by an unlawful
and intentional acquaintance with private facts by outsiders as a
result of an intrusion or by disclosure. Significantly, clause 102
of the Bill introduces strict liability.
A data subject (defined as "a person to whom personal
information relates") may institute an action for damages
against a responsible party (defined as "a public or private
body or any other person which, alone or in conjunction with
others, determines the purpose of and means for processing personal
information").
This can be done whether or not there is intent or negligence on
the part of the responsible party, provided that there is a breach
of certain principles relating to the lawful processing of personal
information (defined as "information …
relating to an identifiable, living, natural person, and where it
is applicable, an identifiable, existing juristic
person").
One of these principles is that a responsible party must implement
appropriate technical and organisational measures to protect
personal data against accidental destruction, loss, alteration,
unauthorised disclosure or access.
An example of a breach:
An accountant leaves his Blackberry on the Gautrain as he departs.
The Blackberry contains a client's personal information and is
accessed, without the need of a security key, by another
passenger.
The client is able to institute a civil action for damages against
the accounting firm at which the accountant works. This is done on
the basis of its failure to secure the integrity of personal
information under its control by taking appropriate, reasonable
technical measures to prevent unauthorised access to that personal
information.
It is not necessary to show that the loss of the Blackberry was
due to negligence on the part of the accountant or accounting firm
in order for the client to establish a breach of the condition in
the Bill relating to safeguarding the security of data. It may be
sufficient to show that the accounting firm failed to ensure that
the accountant's Blackberry device was secured with a security
key.
In the absence of a valid defence for the accounting firm (which
would be limited to such defences as consent or fault on the part
of the client), the firm may be ordered by a court to pay damages
for patrimonial and non-patrimonial loss suffered by the
client.
Where a complaint has been referred to, and investigated by, the
Information Regulator (a new office established in terms of POPI to
promote compliance with the Bill), the accounting firm might (in
addition to the aforementioned civil liability) face an enforcement
notice requiring it to take specific steps relating to the manner
in which it processes personal information. Failure to comply with
an enforcement notice is an offence under the Bill.