In 1948, the United Nations defined 30 articles of human rights which at their core were based on humanity, freedom, justice, and peace. This became a roadmap for how a lot of legislation was drafted, promulgated, and implemented the world over for years to come. As technology and society have developed, so too has the legislation developed to support, control, and protect the rights of individuals and organisations and the information concerned. We now find ourselves in a world where data protection rights and data privacy are at the forefront of legislative compliance. However, while data protection in South Africa is seemingly new legislation, its inception has been long coming.
As far back as the 1980s, the South African legislature received recommendations in respect of data protection and information usage rights by way of charters and codes. The early 2000s saw the promulgation of the Electronic Communications and Transactions Act (ECTA), the Regulation of Interception of Communication and Provision of Communication Related Information Act (RICA) and the Consumer Protection Act (CPA) – legislation all aimed at promoting and protecting individuals in respect of electronic communication, activity, information usage and sharing. All of this has since culminated in the Protection of Personal Information Act and most recently the Cybercrimes Act. POPIA and the Cybercrimes Act are undoubtedly the foremost pieces of legislation in South Africa which speak to the protection of the rights of individuals in respect of their personal and other data.
LabourNet offers comprehensive POPI, PAIA, and CPA compliance solutions in South Africa.
POPIA very explicitly defines the rights of data subjects in section 5. Data subjects have the right to notification, objection, requests, and submissions. They are also sheltered against harm and abuse which may result from direct marketing or automated decision making.
The right to notification grants the data subject the right to be notified when a responsible party is processing their information. The responsible party is also required to notify data subjects in the event that their information has been the subject of a security breach.
In terms of objections, the data subject may object on reasonable grounds to the processing of their information. The reference made to “reasonable grounds” is a measure intended to allow the responsible party the powers to continue processing despite objection only where special circumstances exist such as where the responsible party is bound by law to process the data subject’s personal information.
The right to request grants the data subject an opportunity to request the correction, deletion, or destruction of the personal information which a responsible party may hold.
Lastly, the legislature has empowered data subjects to be able to submit complaints to the Information Regulator in the case where they feel a responsible party has processed their information in a manner which is not in line with the Act. Moreover, data subjects may institute civil proceedings and have a court adjudicate a matter which relates to their personal information and the processing thereof.
The provisions on direct marketing mirror those found in the Consumer Protection Act where data subjects are empowered to object to marketing and must give consent if they wish to be marketed to. Automated decision-making is particularly harmful in instances relating to employment or any legitimate interest which a data subject may need to protect and as such the legislature has catered to ensuring their protection in this respect.
While the above rights may seem extensive, the legislature has designed and drafted POPIA in a manner where the data subject’s rights are sometimes observed, protected and promoted through responsibilities created for responsible parties to adhere to. As we know, one of the conditions of POPIA is data subject notification – if a responsible party carries this out, they not only comply with this condition but also realise the data subject’s right to notification. Similarly, where a responsible party compiles a PAIA manual, they ensure adherence to PAIA and in turn facilitate the rights of the data subject to request access to, correction or deletion of their personal information.
Where organisations may run into some trouble is where data subjects object to the processing of their personal information and most notably where they do not partake in ethical practices in respect of direct marketing. These businesses need our POPI, PAIA, and CPA compliance solutions in South Africa.
POPIA empowers data subjects by creating rights and remedies for them to access, while also placing obligations on responsible parties to ensure these rights are not infringed upon. The Cybercrimes Act takes data and information protection a step further by criminalising offences related to the infractions which may be committed in relation to it.
It is important that all organisations consider the provisions of both POPIA and the Cybercrimes Act when assessing their information processing activities. The Cybercrimes Act introduces a multitude of offences related to malicious communications; unlawful access, interception or interference of data; fraud and the theft of incorporeal property. It goes without saying that an organisation that does not ensure adequate compliance with POPIA leaves itself vulnerable to committing several of these offences. These offences would in most cases involve data subjects, thus resulting in an infringement of their data protection rights. For this reason, these two Acts must be read side by side and considered equally.
The implementation of data protection legislation in South Africa is at its inception. However, both POPIA and the Cybercrimes Act provide clear guidelines to aid along this journey of inception. This is done in a way which gives effect to the Bill of Rights which entrenches the right to privacy, freedom and human dignity. Organisations would do well to ensure they refer to both of these acts when considering their information processing activities.
For more information about POPI, PAIA, and CPA compliance solutions in South Africa, please contact the LabourNet Helpdesk at 0861 LABNET (0861 522 638).