POPIA, the Protection of Personal Information Act, is to come into full effect this year, on 1 April 2020.
The Protection of Personal Information Bill was first tabled 12 years ago, in 2009. It was signed into law in 2013, but very few provisions in POPIA are in operation. Still, a high level of awareness of POPIA is present in the South African society. Many a time it is put forward as a justification for the non-disclosure of certain information relating to specific individuals.
The latest example of this relates to the appointed of special advisers by Human Settlements, Water and Sanitation Minister Lindiwe Sisulu. In her response to a parliamentary question, she stated that ‘Conditions of employment, such as salaries and qualifications of staff, are confidential. Laws such as the Protection of Personal Information Act and Basic Conditions of Employment, among others, protect the confidentiality of such information,’.
One problem with the statement is that POPIA is still not fully operational. In fact none of the provisions of POPIA that deals with the protection of rights have been promulgated as yet. Therefore, as much as anyone would wish to call upon POPIA to defend the non-disclosure of information, it does not change the fact that the road to promulgation has been long but finally a date is available for when the South African society will be able to claim the protection afforded by POPIA.
To date the Information Regulator has published Regulations, a number of Policy and Guidance Notes and for comment, draft guidelines for sector-specific codes. Also the Information Regulator has appointed a chief executive and five executive managers with only the positions as chief of training and communications remaining vacant.
From a commercial perspective however, it is important to clearly understand the duties and responsibilities that companies are confronted with, but even more important to clearly understand the fact that the protection of personal information is never absolute. POPIA cannot be put forward in all instances to refuse access or disclosure of personal information.
POPIA recognises in its preamble that section 14 of the Constitution provides that everyone has the right to privacy. In section 2 of POPIA it is recorded that the purpose of POPIA is to give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at –
- balancing the right to privacy against other rights, particularly the right of access to information; and
- protecting important interests, including the free flow of information within the Republic and across international borders.
It is submitted that irrespective of the fact that Minister Sisulu and her department owes a duty of confidentiality towards special advisors, this duty is not absolute as certain circumstances may justify disclosing confidential information and POPIA provides for that.
Under certain circumstances, personal information can be treated not in strict confidentiality, but in fact the information can be disclosed.
Section 11 of POPIA provides for consent, justification and objection and provides that personal information may be processed if -
- the data subject (the customer or employee) consents to the processing;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- processing complies with an obligation imposed by law on the responsible party;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Therefore, taking into consideration the above -
- POPIA does permit the disclosure and processing of the confidential information of an employee or advisor (data subject) in certain circumstances and it is not absolutely confidential; and
- this does require that one of the circumstances contemplated by section 11 of POPIA is present.
Understanding the full application and impact of POPIA will definitely take time. Understanding what legitimate interest entails will assist companies to deal with POPIA matters and compliance with POPIA in a robust manner.
The road has been long to get to this point. The problem is the road to full compliance will be very short once POPIA is fully effective. Companies will be required to be in full compliance with POPIA within 12 months after POPIA comes into effect.
Written by Ahmore Burger-Smidt, Director, Head of the Data Privacy Practice Group at Werksmans Attorneys
EMAIL THIS ARTICLE SAVE THIS ARTICLE ARTICLE ENQUIRY
To subscribe email subscriptions@creamermedia.co.za or click here
To advertise email advertising@creamermedia.co.za or click here