Tuesday, December 13, 2005

South Africa: consultation on Protection of Personal Information Bill

This came to my attention through a press release by Privacy Laws and Business, but the main recommendations (taken from the press release) are as follows:

a) Privacy and information protection should be regulated by a general information protection statute, with or without sector specific statutes, which will be supplemented by codes of conduct for the various sectors and will be applicable to both the public and private sector. Automatic and manual processing will be covered and identifiable natural and juristic persons will be protected [Chapter 2, clauses 3-6].

b) General principles of information protection should be developed and incorporated in the legislation. The proposed Bill gives effect to eight core information protection principles, namely processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, individual participation and accountability. Provision is made for exceptions to the information protection principles [Chapter 3, Part A, clauses 7-23]. Exemptions are furthermore possible for specific sectors in applicable circumstances [Chapter 4, clauses 32-33]. Special provision has furthermore been made for the protection of special (sensitive) personal information [Chapter 3, Part B, clauses 24-31].

c) A statutory regulatory agency should be established. Provision has been made for an independent Information Protection Commission with a full-time Information Commissioner to direct the work of the Commission [Chapter 5, Part A, clauses 34-46]. The Commission will be responsible for the implementation of both the Protection of Personal Information Act and the Promotion of Access to Information Act, 2000. Responsible parties will be under an obligation to notify the Commission of any processing of personal information before they undertake such processing [Chapter 6, Part A, clauses 47-51] and provision has also been made for prior investigations to be conducted where the information being collected warrants a stricter regime [Chapter 6, Part B, clauses 52-53].

d) Enforcement of the Bill will be through the Commission using as a first step a system of notices where conciliation or mediation has not been successful. Failure to comply with the notices will be a criminal offence. The Commission may furthermore assist a data subject in claiming compensation from a responsible party for any damage suffered. Obstruction of the Commission’s work is regarded in a very serious light and constitutes a criminal offence [Chapter 8, clauses 63-87 and Chapter 9, clauses 88-92].

e) A flexible approach should be followed in which industries will develop their own codes of conduct (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency. Codes of conduct for individual sectors may be drawn up for specific sectors on the initiative of the specific sector or of the Commission itself. This will include the possibility of making provision for an adjudicator to be responsible for the supervision of information protection activities in the sector. The Commission will, however, retain oversight authority. Although the codes will accurately reflect the information protection principles as set out in the Act, it should furthermore assist in the practical application of the rules in a specific sector [Chapter 7, clauses 54-62].

f) It is the Law Commission’s objective to ensure that the legislation provides an adequate level of information protection in terms of the EU Directive. In this regard a provision has been included that prohibits the transfer of personal information to countries that do not, themselves, ensure an adequate level of information protection [Chapter 10, clause 94].

Although this is in its early stages, it will be interesting to see what developments arise from this consultation, taking into account that the European Commission is considering reviewing data protection within the European Union in the next year. In any event, the consultation should be welcomed as a further step towards the recognition of the need to protect an individual's personal data.
