Thursday, May 27, 2010

Business managers should closely study the provisions of the new Protection of Personal Information Bill. They must avoid the temptation to ignore it on account of its title.
That’s because in addition to the Bill affording important protection for South Africans who divulge their personal information to third parties, it will also have a direct impact on South African companies in a number of ways.
Up until now, South African companies have been able to collect and divulge consumers’ personal information on the basis that people often do not know what their rights are in relation to their personal information. This is understandable, considering that the protection of personal information has thus far been governed by the common law.
But the ability of companies to freely collect and divulge customers’ personal information is about to change. When the Protection of Personal Information Bill (PPI) is enacted, companies will, for example, be precluded from selling customer lists to marketers.
At the same time, companies will be obliged to tell the regulator that will be established to enforce the legislation what types of personal information they hold. If a company collects customers’ names and ID numbers, for instance, it will have to disclose this to the regulator. It will not have to hand over the list itself, only the fact that it collects that sort of information.
Interestingly, the Bill also requires that companies advise the regulator when they contravene the provisions of the legislation. This firmly places the onus on companies to monitor how they collect and protect customer information.
The PPI also contains a security provision that obliges companies to keep any personal information they collect secure, though it does not define what those security measures must be. Greater clarity will need to be provided in regulations to the Bill once it is enacted.
Fortunately, legislation similar to the PPI has been in force in the UK and the EU for some years. The manner in which the security provisions in the UK legislation have been enforced could have a massive impact on companies’ IT departments if the South African regulator adopts a similar approach.
The PPI will impact critically on a company’s IT assets that are under its control.
Laptops, for example, are regularly lost or stolen. Traditionally, the most important consequence of losing a laptop has been that the company has lost an asset that needs to be replaced. The PPI adds another dimension: what personal information was on the laptop, and was that information secured?
In the UK, companies that have lost laptops holding personal information have had to disclose the loss and state whether the information on the laptop was secured.
Whilst these companies have not always been fined in such circumstances, they have had to work with the UK regulator to take the steps necessary to ensure that personal information on all company laptops is secured in future. Invariably these mishaps have also been widely reported in the UK media. So while there have been no financial penalties, there has been significant reputational damage.
As in the South African legislation, the exact measures a company must take to secure personal information on company laptops are not spelt out in the UK legislation. Rather, UK companies are simply required to ensure that the personal information on any company laptop is encrypted; the nature of the encryption mechanism is left to the company.
Computer equipment has a limited lifespan, at the end of which it is sold or otherwise disposed of. The PPI provides that computer equipment must be disposed of in such a manner that no personal information can be recovered from it.
In the UK, several companies have run into trouble with the regulator because they disposed of computer equipment in a way that left the personal information on it accessible to whoever acquired it. Similar security provisions will probably be adopted in South Africa.
What of the effect on a company’s IT assets not under its control?
UK companies must disclose when a contractor’s laptop holding personal information belonging to the company goes missing. In such instances UK companies have also had to disclose whether the personal information on the contractor’s laptop was encrypted.
It often happens that a company stores personal information on a contractor’s laptop on its behalf. In these cases too, UK companies have been required to conduct physical audits of their contractors’ premises to ensure that the relevant personal information is secured.
Whilst the PPI has not yet been enacted, now is a good time for companies to assess what personal information they have under their control and where it is stored. Where personal information is held on company or contractor laptops or other IT equipment, companies need to start proactively taking steps to secure it.
Although infringing the provisions of the PPI may not always lead to a fine, it will result in reputational damage when news of the infringement becomes public.
As UK companies that have infringed the equivalent UK legislation have found, reputational damage can be more problematic than a financial penalty.
Warren Weertman is a Director at Bowman Gilfillan.