Although the newly established Information Regulator is not yet fully operational, it has to date received 107 complaints relating to the unlawful processing of personal information and access to information.
An analysis of these complaints revealed that a majority of the complaints relate to banking, insurance, and telecommunications, Chairperson of the Regulator, Advocate Pansy Tlakula, told the media on Wednesday.
“It should be noted that most of these complaints relate to direct marketing through unsolicited electronic communications. Citizens are bombarded by emails and phoned by marketers but the question is where they get your personal information,” Tlakula said.
Regulator member Tana Pistorius said at the moment not all sections of the regulator are active such as the ability to investigate.
“But we accept and deal with the complaints in the best of our ability. We forward complaints to responsible parties and request protective control.”
Of the reported complaints, Pistorius said they are engaging with relevant sectors to indicate where problems are at, while some of the cases have been resolved.
Protection of Personal Information Act
The regulator is empowered to monitor and enforce compliance by the public and private bodies in line with the provisions of the Promotion of Access to Information Act No 2 of 2000 and POPIA.
The Protection of Personal Information Act promotes the protection of personal information by public and private bodies. In terms of POPIA, all public and private bodies will be expected to be compliant with its provisions within one year of its commencement. It is also the responsibility of the regulator to issue codes of conduct for different sectors and is responsible for education, monitoring and enforcing compliance, handling of complaints, performing research and facilitation of cross-border cooperation.
Last year, President Jacob Zuma appointed Tlakula as chairperson, Lebogang Stroom-Nzama, and Collen Weapond as full-time members of the regulator, while professor Tana Pistorius and Sizwe Snail Ka Mtuze would serve as part-time members. Having being appointed in December 2016 – the members will all serve a term of office of five years.
With a budget of R19 million for the 2017/18 financial year – the members endeavour to fully operationalise the Regulator in 2018.
According to Tlakula, since taking office the members have embarked on a number of activities such as finalization of the organizational structure.
“The organizational structure has been finalized and has been submitted to the department of Public Services and Administration for processing.”
The regulator has also adopted the 2017- 2020 Strategic Plan and 2017-2018 Annual Performance Plan, as well as litigation.
“The processes are not moving as fast as we would have wanted to. We have set ourselves a date of 2018 for the establishment and full operationalization of the unit. I would not say they are blockages but the processes are moving slowly as it is the nature of government processes,” said Tlakula.
Personal information of grant beneficiaries
The regulator was also cited as the seventh respondent in the Constitutional Court Case of the Black Sash Trust vs Minister of Social Development and Others.
In this case, the Black Sash Trust had sought relief with reference to the contract between the South African Social Security Agency (SASSA) and Cash Paymaster Services (Pty) Ltd (CPS) including that the personal information of grant beneficiaries be declared the property of SASSA.
The regulator said the manner in which the grant beneficiaries’ personal information was being used by CPS was unlawful.
“The regulator filed an explanatory affidavit to the effect that the personal information of grant beneficiaries belongs to them and could never vest in a third party.”
Regulator interacting with national stakeholders
The regulator has also gone on to interact with national stakeholders such as the South African Human Rights Commission (SAHRC); the National Consumer Commission (NCC); the Banking Association of South Africa (BASA); and the Electoral Commission (IEC) to discuss areas of mutual interest.
This, in addition to the interaction with international stakeholders Vice President of Google responsible for Global Public Policy; the Right to Information Commission of Sri Lanka; The Personal Data Protection Commission of Singapore; and The Office of the Privacy Commissioner of New Zealand.
The regulator is in the process of applying for membership with the Network of African Data Protection Authorities. Already the regulator is an accredited member of the International Conference on Data Protection and Privacy Commissioners.
With regards to its outstanding Section 112(2) of POPIA, Tlakula said the draft regulations were published for public comments on the 8th of September 2017 with the closing date for public comments is the 7th of November 2017.
The regulator has not made provision for regulations relating to section 112(2)(c) of POPIA which provides for the processing of health information by certain responsible parties such as insurance companies, medical schemes and pension funds as provided for in section 32(6) of POPIA.
In this light, Tlakula was of the view that interested parties should make submissions in this regard.
The regulator will conduct public hearings in all nine provinces with the draft regulations expected to be submitted to Parliament for tabling in February 2018