Organisations to be liable for protecting personal data if Info Bill becomes law
The pending Protection of Personal Information (PoPI) Bill will regulate the access to and processing of personal data of individuals and juristic persons and will result in public and private institutions being responsible for protecting personal data, even from cybercrime attacks, says law firm Webber Wentzel partner Dario Milo.
Public and private organisations will have to ensure the integrity of personal data that they store and must take all reasonable and professional measures to prevent unlawful and unauthorised access to the data, even from their own employees, explains Webber Wentzel associate Greg Palmer.
“Organisations will have to identify internal and external risks and maintain appropriate safeguards, which must be regularly verified. Organisations must update processes and systems to mitigate new and foreseeable risks to the integrity of personal data security,” Palmer says.
All organisations will have to inform the data subject – the individual or the legal entity concerned – within a reasonable time when a data breach has occurred. The Bill allows for fines and imprisonment penalties for transgressors.
This will, for example, mean that a hacking breach exposing personal data, such as the hacking of the South African Police Service (SAPS) system, in May, in which thousands of whistle-blowers’ information was published, can make the holder of the personal data, in this case the SAPS, liable for the data breach and the organisation must also inform those affected.
“When we analyse UK personal data privacy and security laws, we find that the most common fines imposed are for data security breaches. The regulator then assesses the rigour of the data protection systems and processes of an organisation – which means that organisations must keep a careful record of their updates and changes to data protection systems and processes to demonstrate that responsible and appropriate action was taken,” highlights Palmer.
Further, the Bill will regulate the extraterritorial exposure of personal data and prohibits the transfer of personal data to territories where the data is not adequately protected. Therefore, companies disseminating data from South Africa, or regarding South African legal persons, will have to ensure sufficient protection of the data in the other countries where they use or store the data, says Milo.
“The Bill also has extraterritorial jurisdiction, which entails that cases of personal data exposure in other countries regarding South African legal persons can be pursued in South Africa,” he explains.
The PoPI Bill regulates any and all information that can be used to identify a legal person, including curricula vitae of employees, closed-circuit television records, paper records and supplier information, among others. Any personal data that is hosted by a third party must also be protected.
Further, the Bill will also regulate direct marketing, which extends to potential and existing customers of companies. Organisations will have a one-year grace period to ensure personal data that they have stored is secure or they must expunge the data in any and all formats.
The PoPI Bill will also result in the establishment of an independent Information Regulator that will police and investigate personal data security and breaches, with the power to issue search and seizure orders and enforcement notices, as well as subpoena persons or companies during the course of its investigations, concludes Milo.