New legislation on data protection and privacy is due to be promulgated in the near future, and is expected to impact the way in that may affect how many South African businesses conduct their affairs.
Advances in technology and the ease with which personal information can be transferred through the Internet, e-mail and cell phones, means that new legislation on data protection and personal privacy has become essential.
According to Wayne Benn, a partner in law firm Sonnenberg Hoffmann Galombik, the protection of an individual’s personal information is, by and large, covered by the common law in South Africa, except for certain limited statutory protection.
“The common law recognizes that the processing of personal information constitutes a threat to one’s right to privacy, and the right to protection of one’s identity.
“It is, however, generally recognized that common law principles are not enough to effectively guard the rights of individuals, and that there is a need for the promulgation of new data protection legislation,” says Benn.
The South African Law Reform Commission acknowledged this by publishing Issue Paper 24 towards the end of August last year.
The paper looks at how data protection and privacy has been dealt with in other jurisdictions, including the European Union, the U.K. and the U.S.
According to Benn, the commission indicated an acceptance of the seven principles of good information handling, as set out in the European Data Protection Directives, these being that personal information must be:
— obtained fairly and lawfully;
— used only for the specified purpose for which it was originally obtained;
— adequate, relevant and not excessive to the purpose;
— accurate and up to date;
— accessible to the individual involved;
— kept secure; and
— destroyed after the purpose for which the personal information was collected has been completed. Whilst the commission has not indicated which model or models would be most appropriate for South Africa, it has proposed that privacy and data protection should be regulated by legislation and general principles of data protection should be developed and incorporated in the legislation.
Additionally, a statutory regulatory agency should be established to enforce and monitor compliance with the legislation. A flexible approach has been advocated which will allow industries to develop their own codes of practice (in accordance with the principles set out in the legislation) which can then be overseen by a regulatory agency.
The commission has now collated all of the comments it received on the Issue Paper and has commenced the drafting of a Bill and a Discussion Paper. It is envisaged that this process will be completed by the end of 2004.
“Companies should bear in mind the seven principles of good information handling when looking at new ventures, and it would also be wise to start looking at ways to bring existing business models into line with the principles, and with international best practice,” concludes Benn.