With data a powerful tool, the new information regulator needs to be a watchdog, writes Janet Smith, but spend too little and it could be a lapdog
On Tuesday, the former chief electoral officer at the Independent Electoral Commission (IEC), advocate Pansy Tlakula, joins nine other shortlisted candidates as interviews start for the biggest new job in government: the information regulator.
Created by the Protection of Personal Information Act (Popi), the job, and the office of the regulator, is designed to play a critical role in terms of our privacy. Although not a Chapter Nine institution like the public protector, the information regulator has nonetheless been envisaged with extensive powers to investigate and punish where the law is broken on data sharing. And in a country where many people are less than careful with their cyber-security, this could see a further shifting of responsibilities to the state for protection.
Just last week, Kaspersky Lab – an international software security group based in Moscow – released the results of a study it did in South Africa, which shows that at least 32 percent of us have shared information by accident, while nearly 20 percent have willingly disclosed confidential private details online. Such information may include pictures (59 percent), contact details (66 percent), a picture of another person (39 percent), sensitive personal details (46 percent) and work-related data (37 percent).
Among those pieces of information are most likely to be financial details or offensive material related to relationships, and Kaspersky found that most of those who've shared, regret it, with 11 percent of those surveyed saying careless use of existing freedoms had had an adverse impact on their life.
In an interview with Independent Media on Monday, David Emm, principal security researcher at Kaspersky, said: “With so many devices and online channels at our fingertips, it has never been easier to post or accidentally share information.”
The information regulator, which will have a central office in Gauteng and five permanent office bearers, has however only been allocated about R50 million for set up. There is now a serious concern that, with such a small budget, it might not even be established this year. Yet the blueprint has offered some longer-term optimism.
It has been designed much like the information commissioner in Britain, an independent authority that upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
In South Africa's case, the information regulator will take the reins of both Popi, promulgated in late 2013, and the Promotion of Access to Information Act (Paia), and will report to Parliament.
The idea is that prior authorisation will be required from it before individuals or organisations can process personal information. It will be a criminal offence not to get authorisation when it is required, and transgressing that could result in a fine or a jail term. Every company will, for example, be expected to have an information officer to deal with overarching compliance.
Popi carries heavy punitive measures, including fines of up to R10m or 10 years’ imprisonment and can expose organisations to civil damages claims. The act covers all information relating to living people, and this includes basic details such as race and gender, as well as educational, financial and employment history, personal opinions, ID numbers and contact details and private or confidential correspondence.
Parliament asked for nominations for the information regulator positions last year, with the expectation that the office would open around July this year. But, the relatively paltry R50m notwithstanding, there are concerns about the government's ability to get it up and running against the backdrop of previous ineffectiveness around strong IT-related legislation.
Although the constitution is our primary protector when it comes to the right to privacy, in addition to Popi and Paia, there’s also the Electronic Communications and Transactions Act (Ecta), and the Regulation of Interception of Communications and Provision of Communication-related Act (Rica). Ecta, for instance, covers the prickly area of spam, as well as viruses, hacking and cyber-espionage, but still needs an army of cyber inspectors to police it, and more information to consumers who might not know their rights.
If you check at the end of most business-related e-mails you receive, you’ll clearly see the Ecta disclaimer. But while it is there, and we shouldn't ignore it, many South Africans don't even notice it or know what it is.
On Rica, it took about seven years to eventually start the process of registering cellphone SIM cards after the controversial act was promulgated back in 2002.
But Alison Tilley, head of advocacy at the Open Democracy Advice Centre in Cape Town, says there is also a certain confidence in what the information regulator could do: “It has, after all, come about because of various streams of policy development.”
She refers to the early days of our post-apartheid state, when Professor Kader Asmal spoke about information as being “the oxygen, the breathing space, of democracy”. Asmal, a highly qualified lawyer, was of course opposed to the controversial Protection of State Information Bill, popularly known as the Secrecy Bill, which has been widely criticised for its draconian impulse.
Asmal wanted it scrapped and, in 2011, the DA tried, with the support of other opposition parties and organisations such as Right2Know, to scupper it in the House while protesters took their distaste for it to the parliamentary precinct and cities around the country. That occasion has gone down in South African contemporary history as Black Tuesday.
However, as Tilley explains, the Law Reform Commission was then tasked with examining the issue of data protection, and a conflation of policy essentially led to the creation of the information regulator. She describes it as offering Popi and Paia “an institutional home”.
“One part of that job will be privacy, which involves the quite extensive processing of personal information and all the rules around that. The other half involves powers to audit the release of information. The regulator would have the powers of a Chapter Nine institution in terms of making the call on who has transgressed the data legislation.
“Basically, the regulator would be Paia on steroids, and this first group who get appointed will form the nucleus.
“Privacy hasn't been very fashionable but people like Edward Snowden have shown us it's a useful right, particularly as information gets more slippery as the digital age intensifies and we become much more conscious.”
As Tilley points out, though, access to information – particularly for journalists – remains the hot potato, and that's what worried Asmal, too. She says: “There's more secrecy now than ever, and we can put forward some glaring examples, such as the nuclear deal.
“There's always going to be a risk. You could see bad people appointed to the information regulator, and the government will have to be cautious about that, but if good, ethical people are appointed, the legislation is thorough and the regulator's office has got enough money, then we're looking at a potentially very significant structure.”
Right2Know is clear, though, that the information regulator must remain “a watchdog on privacy and access to information”.
“When ordinary people's data and personal information is misused by government or corporations, we need to be able to turn to this watchdog. When those same bodies refuse to give us information or lack transparency, we need to be able to turn to this watchdog.”
But its worries about under-funding segue into this: “We've seen before how underfunded watchdogs become lapdogs. R50m is really not enough.”
Still, the organisation has pinpointed what it thinks will be the regulator's two biggest issues: “communications surveillance and misuse of people's data, as well as the lack of any respect for Paia that has been shown by government and the private sector.”
'Upright' candidates needed for the job
Chairman of the National Assembly's justice and correctional services portfolio committee Dr Mathole Motshekga has confirmed that interviews start this week for five vacancies in the office of the information regulator, including for the job of regulator itself.
Motshekga told Janet Smith that for the protection of information, “you need ethically right people because this is about the lives of our people, and we also don't want to get the state into controversy about people's information”.
“So you need upright candidates, people who can do their work without fear or favour and who will not allow themselves to be influenced.”
The 10 shortlisted candidates are:
Advocate Pansy Tlakula, the former chief electoral officer at the IEC.
Johannes Weapond has a law degree and experience in government auditing.
David Taylor is a former professor of IT law.
Advocate Lebogang Stroom is a corporate representative at the Institute of Risk Management.
Lindelo Snail is an attorney and specialist in cyber law.
Siyakhula Simelane has been the chief financial officer at the Department of Rural Development and Land Reform.
Thav Reddy is head of compliance at the Motor Finance Corporation division of Nedbank.
Francois Cronjé is a specialist in corporate governance and ICT law.
Shamila Singh. There were no details available for her.
Tana Pistorius is a professor of intellectual property law and information.