Organisations to be liable for protecting personal data if Info Bill becomes law

9th August 2013 By: Schalk Burger - Creamer Media Senior Deputy Editor

The pending Protection of Personal Information (PoPI) Bill will regulate the access to and processing of personal data of individuals and juristic persons and will result in public and private institutions being responsible for protecting personal data, even from cybercrime attacks, says law firm Webber Wentzel partner Dario Milo.

Public and private organisations will have to ensure the integrity of personal data that they store and must take all reasonable and professional measures to prevent unlawful and unauthorised access to the data, even from their own employees, explains Webber Wentzel associate Greg Palmer.

“Organisations will have to identify internal and external risks and maintain appropriate safeguards, which must be regularly verified. Organisations must update processes and systems to mitigate new and foreseeable risks to the integrity of personal data security,” Palmer says.

All organisations will have to inform the data subject – the individual or the legal entity concerned – within a reasonable time when a data breach has occurred. The Bill allows for fines and imprisonment penalties for transgressors.

This means, for example, that a hacking breach exposing personal data, such as the May hacking of the South African Police Service (SAPS) system in which thousands of whistle-blowers’ details were published, would make the holder of the personal data, in this case the SAPS, liable for the breach and oblige it to inform those affected.

“When we analyse UK personal data privacy and security laws, we find that the most common fines imposed are for data security breaches. The regulator then assesses the rigour of the data protection systems and processes of an organisation – which means that organisations must keep a careful record of their updates and changes to data protection systems and processes to demonstrate that responsible and appropriate action was taken,” highlights Palmer.

Further, the Bill will regulate the extraterritorial exposure of personal data and prohibits the transfer of personal data to territories where the data is not adequately protected. Therefore, companies disseminating data from South Africa, or regarding South African legal persons, will have to ensure sufficient protection of the data in the other countries where they use or store the data, says Milo.

“The Bill also has extraterritorial jurisdiction, which entails that cases of personal data exposure in other countries regarding South African legal persons can be pursued in South Africa,” he explains.

The PoPI Bill regulates any and all information that can be used to identify a legal person, including curricula vitae of employees, closed-circuit television records, paper records and supplier information, among others. Any personal data that is hosted by a third party must also be protected.

The Bill will also regulate direct marketing, which extends to potential and existing customers of companies. Organisations will have a one-year grace period to ensure that the personal data they have stored is secure, or they must expunge the data in any and all formats.

The PoPI Bill will also result in the establishment of an independent Information Regulator that will police and investigate personal data security and breaches, with the power to issue search and seizure orders and enforcement notices, as well as subpoena persons or companies during the course of its investigations, concludes Milo.