Cabinet has approved the Protection of Personal Information Bill for tabling in Parliament.
The national executive gave the Bill the thumbs-up yesterday, Cabinet spokesman Themba Maseko said this morning.
The Bill was drafted by the South African Law Reform Commission (SALRC) and seeks to protect the constitutional right to privacy as far as the processing of personal information is concerned.
Maseko says the law will help balance the right to privacy against other rights such as the right of access to information.
Once law, the legislation will help protect people from criminals or unscrupulous businesses by holding companies and individuals, who fail to take adequate steps to protect other people’s private information, legally liable.
In terms of the proposed law, companies, for example, will be required to notify all customers affected by security breaches that could result in identity theft. Offenders could face up to 10 years in prison, as well as fines and punitive damages.
The SALRC has been intermittently working on the Draft Bill since 2000. “I discussed the SALRC draft privacy Bill with the departmental officials in charge of legislation,” Democratic Alliance MP Sheila Camerer told ITWeb in early 2007.
Webber Wentzel Bowens (WWB) partner Dario Milo in February last year told ITWeb a discussion paper and draft Bill was published in 2005 and “nothing further has been heard since.”
Lance Michalson, senior partner at Michalsons, the specialist IT law firm, said at the same time public awareness about the issue has grown in recent years, but the absence of legislation has led to uncertainty. “There is a lot of confusion about what the law will mean for business. People are confused what it will practically translate into. They must hurry up now,” he says.
That has now clearly changed.
“Currently, no other law properly deals with the protection of personal data in electronic format,” said lawyer Reinhardt Buys. “In other words, the Bill should be enacted as soon as possible. The longer the Bill’s enactment is postponed, the longer the gross violation of data privacy in SA will continue.”
Buys says the Bill will end the current Wild West attitude towards electronic data privacy in SA, as well as the “wholesale commercialisation of personal information and databases”.
There is a “general lack of any rules or controls over the collection, use, disclosure and sale of digital personal data like e-mail addresses. The sale of databases containing personal details is rife in SA and leads to numerous abuses like SMS spam, cross-selling and the like.”
There are no rules requiring the secure storage of personal data “and if such data is stolen by hackers or rogue employees the victims are left without any legal recourse”.
“You can sell your information to the highest bidder as the law now stands,” says Michalson. He adds the Electronic Communications and Transactions Act contains interim data privacy provisions, but these are voluntary and are mostly ignored.