The Protection of Personal Information Bill 2009 (POPI) aims to bring South Africa in line with international data protection laws. Currently in its seventh working draft, it has been forwarded to the Portfolio Committee for final consideration and is widely anticipated to become law within the next six months. The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information.

In this bi-weekly series, members of our Information Law Group provide some insight into the implications of POPI to assist you in your preparations for the new legislative regime*.

This edition focuses on penalties that may be imposed under POPI.
A responsible party may be imprisoned for a maximum of 10 years and/or fined a maximum of ZAR10 million.
The UK insurance arm of Zurich Financial Services was fined a record £2,275 million for losing the personal details of 46,000 customers, including bank account and credit card information. The fine, the highest ever paid by a single UK company for a data protection failing, stems from an August 2008 incident in which an outsourcing company in South Africa lost an unencrypted back-up data tape.
Similar to the UK jurisdiction, the current draft of POPI also imposes harsh penalties where a person's personal financial information is processed in an unlawful manner. POPI states that a responsible party who processes a person's account number in a way that contravenes the conditions for lawful processing of personal information will be guilty of an offence if:
- the contravention is of a serious and persistent nature and likely to cause substantial damage or distress (in other words, it need not actually have caused damage or distress); and
- the responsible party knew or ought to have known that there was a risk that the contravention would occur and failed to take reasonable steps to prevent the contravention; or
- the responsible party knew or ought to have known that such contravention would likely cause substantial damage or distress to the person and failed to take reasonable steps to prevent the contravention.
A responsible party convicted of such an offence is liable to pay a fine or to be imprisoned for a period not exceeding 10 years, or to both a fine and such imprisonment.
In addition, where a responsible party is suspected of committing any offence in terms of POPI (and before any conviction is achieved), an administrative fine can also be imposed by the Regulator, which fine may not exceed ZAR10 million. When determining an appropriate fine, the Regulator must consider the following factors:
- the nature of the personal information involved;
- the duration and extent of the contravention;
- the number of data subjects affected or potentially affected by the contravention;
- whether or not the contravention raises an issue of public importance;
- the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;
- whether the responsible party or a third party could have prevented the contravention from occurring;
- any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and
- whether the responsible party has previously contravened the provisions of POPI in this manner.
To avoid such a fine, the responsible party must challenge its imposition in court.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.