The Protection of Personal Information Bill 2009 (POPI) aims to bring South Africa in line with international data protection laws. Currently in its seventh and final working draft, it has been forwarded to the Portfolio Committee for final consideration and is widely anticipated to become law within the next three to six months.

The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information.

In this bi-weekly series, members of our Information Law Group provide some insight into the implications of POPI to assist you in your preparations for the new legislative regime.

This edition investigates the consequences of a breach such as an employee misplacing his Blackberry.

At common law a breach of privacy is established by an unlawful and intentional acquaintance with private facts by outsiders as a result of an intrusion or by disclosure. Significantly, clause 102 of the Bill introduces strict liability.

A data subject (defined as "a person to whom personal information relates") may institute an action for damages against a responsible party (defined as "a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information").

This can be done whether or not there is intent or negligence on the part of the responsible party, provided that there is a breach of certain principles relating to the lawful processing of personal information (defined as "information … relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person").

One of these principles is that a responsible party must implement appropriate technical and organisational measures to protect personal data against accidental destruction, loss, alteration, unauthorised disclosure or access.

An example of a breach:

An accountant leaves his Blackberry on the Gautrain as he departs. The Blackberry contains a client's personal information and is accessed, without the need of a security key, by another passenger.

The client is able to institute a civil action for damages against the accounting firm at which the accountant works. This is done on the basis of its failure to secure the integrity of personal information under its control by taking appropriate, reasonable technical measures to prevent unauthorised access to that personal information.

It is not necessary to show that the loss of the Blackberry was due to negligence on the part of the accountant or accounting firm in order for the client to establish a breach of the condition in the Bill relating to safeguarding the security of data. It may be sufficient to show that the accounting firm failed to ensure that the accountant's Blackberry device was secured with a security key.

In the absence of a valid defence for the accounting firm (which would be limited to such defences as consent or fault on the part of the client), the firm may be ordered by a court to pay damages for patrimonial and non-patrimonial loss suffered by the client.

Where a complaint has been referred to, and investigated by, the Information Regulator (a new office established in terms of POPI to promote compliance with the Bill), the accounting firm might (in addition to the aforementioned civil liability) face an enforcement notice requiring it to take specific steps relating to the manner in which it processes personal information. Failure to comply with an enforcement notice is an offence in the Bill.
