PROTECTION OF PERSONAL INFORMATION

If the Protection of Personal Information Bill ("the Bill"), currently being debated by Parliament, is passed into law, both the private and public sectors will have to change how they collect, record, organise, store, update, modify, use and disseminate an individual's personal information, such as names, identity numbers, physical and email addresses, phone numbers, medical or financial or criminal histories, religious information, and personal opinions and preferences.

Although the Bill applies (to a limited extent) to information relating to companies and other juristic bodies, its main purpose is to protect an individual's constitutional right to privacy, and to strike a balance between that right and the rights of others to access personal information for commercial and other purposes.

You will not have to comply with the Bill if you collect, store or use an individual's personal information for purely personal or household activities, or journalistic purposes.

However, if you collect, store and use personal information for other purposes, in future you will have to collect the information directly from the individual concerned and make certain disclosures to the individual before collecting the information, such as your name, address and the purpose for which you intend using the information.  You must then get the individual's specific and informed consent to your use of his or her information and you may not use it for any purpose other than that disclosed.

Personal information which you collect, store or use must be complete, accurate, not misleading in any respects and updated from time to time.  When you are no longer authorised to hold the information you must delete or destroy it in a way which prevents its reconstruction.

All personal information (in paper or electronic form) under your control must be protected against unauthorised access, damage or loss.  If your security measures are breached, you must notify the Information Protection Regulator (being the body responsible for enforcing the Bill) as well as the individual concerned.

In addition, you are required to appoint an Information Protection Officer to monitor your compliance with the Bill.  An existing employee can perform this role, although the size of your business and the extent to which you collect and store personal information will determine whether it is necessary to appoint a dedicated person for this purpose.  Regardless of how the responsibility is allocated, the employee must be registered as an Information Protection Officer with the Information Protection Regulator.

If you think the requirements of the Bill are too onerous, you can apply to the Information Protection Regulator for an exemption.  You will have to prove that an individual's right to privacy is outweighed by public interest or by a clear benefit to the individual arising from your use of his or her personal information.  This will not be easy to do.

A simpler and quicker way of avoiding any complications or disruptions to your business, which may arise when the Bill is passed into law, is to request a blanket consent from the individual concerned to the collection of his or her personal information from other sources, to the use of that information for all reasonable purposes and to the storage of that information for a fixed or indefinite period of time.

If the Bill is passed into law in its current form, businesses will have one year following the date on which the Bill comes into effect, to take the necessary steps to make sure that they comply with the law.  Although you cannot fully determine your compliance requirements until the Bill is settled in its final form, it may be a good idea to start assessing the extent to which you hold personal information without consent and to take steps to ensure that you obtain such consents going forward and that those consents are appropriately worded.

Cathryn Bode, Partner

Contact: 031 575 7407 and bode@wylie.co.za

Claire Cowan, Partner

Contact: 031 575 7404 and cowan@wylie.co.za