Privacy bill applies to business

Published Apr 13, 2012


Nompumelelo Magwaza

THE PROTECTION of Personal Information Bill will not only require businesses and government departments to protect the personal information of ordinary citizens, but it will also seek to guard the information of companies and other entities they work with, according to auditing firm PwC.

The bill, which seeks to strengthen the constitutional right of citizens to privacy, will bring a significant level of protection to businesses and individuals as to how their personal information is handled.

Russel Opland, an associate director at PwC’s advisory division, said companies assumed that the bill only related to information about people, but this was not the case.

“One of the aspects of the Protection of Personal Information Bill is that it may catch some organisations unaware in that it also applies to information about ‘juristic’ persons,” Opland said.

According to the bill, a juristic person was defined as a company, an entity, a community or other legally recognised organisation, Opland said.

“The bill is currently the most comprehensive piece of privacy legislation in the world and the burden of complying with it is going to be a difficult one, in part because of the extremely broad definition of ‘personal information’,” he explained.

This meant that in addition to protecting the information businesses held about customers and staff, they would also have to safeguard the information they held about customers that were firms, business partners, vendors, suppliers and organisations.

Non-compliance by companies can result in hefty fines of up to R10 million, possible jail sentences and potential civil lawsuits.

After the launch of the discussion paper on the bill last year, PwC said that the bill was needed because of the poor protection of personal information, which had led to a rising level of identity theft and associated fraud and intrusions on the privacy of individuals.

The bill applies to all companies that collect, store or process personal information.

These include banks, insurance companies, medical and health-care organisations, retail stores and government departments, whose information in return will also need to be protected by their business partners.

Opland said this bill would add to the complexity of operating legally, considering the requirements of other legislation relating to privacy such as the Consumer Protection Act, the Promotion of Access to Information Act, and the National Credit Act. Therefore he urged business to start preparing for its implementation.

Once the bill has been passed, businesses are expected to be fully compliant with the law within a year.

“The experience in other countries shows that, given the extent of the changes required not only to systems and processes, but particularly to the conduct of employees, it is unlikely that companies in South Africa will become compliant in just one year,” Opland said.

According to a white paper issued by PwC’s privacy team last year, based on the research conducted with its larger clients, 74 percent of companies believed that it would take more than one year to become compliant.

The opinion throughout the survey was that the bill was the most complex piece of privacy legislation at the moment, and the burden of complying with it would be extremely difficult, particularly for small to medium-sized businesses.

At present the technical committee has had a final meeting on the bill and it will make submissions to the portfolio committee on justice and constitutional development after the parliamentary recess.
