Your name, identity number, phone number, gender, age, race, religion, sexual orientation, criminal record, medical history, blood type, fingerprints and photograph are all classified as “personal information” in terms of the Protection of Personal Information Act – also known as POPI.
And that’s not the exhaustive list. Even your opinions, views and preferences are considered personal and you have the right to keep these private.
The purpose of POPI is to give effect to your constitutional right to privacy by safeguarding personal information when processed by what the Act refers to as a “responsible party”, attorney Vasco de Oliveira explains. “POPI seeks further to regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe minimum threshold requirements for the lawful processing of personal information.”
Since POPI is not yet fully effective, what happens to that information that you give to the security desk on entering a building?
Very often it gets misused, says a source in IT governance and data privacy, who asked not to be named. “In addition to the unnecessary collection of personal information, such information is not securely stored and is used for unlawful surveillance and profiling, which he says are blatant breaches of the Constitution and will be unlawful once POPI is in force.
“Recently, a client of mine was denied access to a financial institution’s building in Sandton, where she was due to have a meeting, because she wouldn’t let the security personnel scan her ID. Unbelievably, while I was on the phone to this client, another client was forced by her bank to hand over her electronic ID card, also for scanning, capturing sensitive personal information that is unlawful in terms of POPI. Had she refused, the bank would not have provided her with services. She has a new ID card, which carries her fingerprint info on it. Half an hour later, another client, who lives in a gated estate, was served with a letter from his body corporate, notifying him that he was in breach of the estates rules for failing to produce copies of the IDs of his staff – sensitive personal information belonging to third parties.”
De Oliveira, who practises in commercial litigation, says that access to a private building is generally regulated by the landlord’s terms and conditions which form the basis of a contract between the landlord and anyone seeking access to the premises. If a term of the agreement is that you must identify yourself, you must submit or face being denied access. However, he says the scanning of identity cards, driver’s licences and vehicle licenses “amounts to the collection and storage of very personal information”. Although landlords will argue that this is required to enhance or ensure security on the premises, they are not absolved from their responsibilities in terms of POPI, he says.
If you are subjected to this form of “data expropriation”, you are within your rights to demand where that information is being stored, what is being done with it and whether it will be deleted upon exit, De Oliveira says. “To the extent that the collecting party fails to answer those questions, one is entitled to refuse to hand over any details whatsoever, however simultaneously at the risk of not being allowed access to the premises.”
Similarly, an owner of a sectional title property is subject to a contractual relationship with the body corporate of the development. The body corporate rules may demand the disclosure of details of employees who access the site. De Oliveira says such employees are entitled to demand to be told what is done with their information and whether it will be safely stored. Yet they also risk being denied access to the premises for lack of compliance, and the owner or tenant risks being penalised by the body corporate for not adhering to the rules.
He says the sale of personal information is indeed a problem. The receiver of information will generally have no competence in line with POPI to deal with this information, and seek to justify the collection of data on the basis of providing enhanced security. “What is often found in practice is that databases are collated from these kinds of haphazard collection points and in themselves become sellable assets into the public domain.”
Biometrics is authentication by means of your fingerprint, voice or retina – all of which is considered a more reliable way to verify your identity than a traditional form of identification, such as an identity document.
Identity theft is on the decline thanks to the use of biometrics. This is according to Manie van Schalkwyk, the executive director of Southern African Fraud Prevention Services, who says the banks attribute the 25 percent decline in identity theft over the past year to the use of biometrics.
Banks are among the most “focused upon institutions” where POPI is concerned, De Oliveira says.
He says that out of necessity, they collate and process personal information relevant to their clients on an ongoing basis, therefore you must accept that your bank has and will continue to have “vast swathes of your personal information”
both for its own systemic requirements, as well as in terms of various laws including the Financial Intelligence Centre Act (FICA).
With the move from the green identity document to the more modern identity card, he says banks are compelled to continually update their records, including whether or not a newly issued card will henceforth be the customer’s primary identification method. What you should bear in mind is that your bank’s verification processes are designed to protect you and your money and this requires a trade-off to some extent, he says.
IMPLEMENTATION OF POPI
Enacted in November 2013, POPI has yet to become fully effective. With the appointment of an Information Regulator, a one-year grace period will commence.
Vasco de Oliviera says the fact that POPI has not been fully implemented does not mean that no protections exist at all. “Measures to safeguard personal information did not magically appear at the dawn of POPI. A large part of them have existed for years as best practices incorporated into corporate and other systems and procedures. What, however, needs to happen is that consumers need to push their service providers to prove their compliance and force corporate South Africa to see POPI compliance as a must,” he says.
“The problem with the cogent application of POPI and the principles underpinning it, is generally to be found at management level of corporate entities, where a mix of lack of appetite and, worse still, a failure to keep up with the times in the encryption and protection of important data, has the effect of reducing the compliance train to the speed of an ox cart.”
He says that South Africa has, in world terms, moved fairly slowly towards the digital age. “Many systems and procedures adopted by previous-generation corporates that still rely on retaining hard copies of documents mean that companies will continue to contravene basic POPI principles moving forward.”
Similarly, he says that crooks who have embraced the digital age have found it easier to infiltrate and take advantage of traditional data repositories that fail to keep their data collection, storage and processing within modern best practice.
Parliament has shortlisted candidates for the Information Regulator. John Giles, the managing attorney at Michalsons in Cape Town says this suggests that the Information Regulator will be established this year and that POPI will commence later this year. “Who the members of the Information Regulator are is very important. South Africa (both responsible parties and data subjects) needs an efficient and well functioning regulator. Candidates include Pansy Tlakula, the former Chief Electoral Officer of the Independent Electoral Commission, and Tana Pistorius, professor of law at the University of South Africa.