
POPI to protect children’s privacy rights

New privacy laws in South Africa will regulate the way in which children’s personal information is processed without infringing their privacy. The Protection of Personal Information Bill (POPI) will prohibit companies and other organisations from collecting and processing information relating to children without parental consent, unless specifically approved by the office of the new Information Regulator or required by law.
One of the few remaining decisions regarding the Bill’s language is the definition of a “child”. The two options under consideration are a person under the age of 18 or under the age of 13.
“The proposed law is intended to give parents control over sensitive and private information collected from their children and how that is used and shared,” says Russell Opland, leader of PwC’s National Privacy Team.
Opland points out that there is a particular category of personal information called “special personal information” under the proposed legislation which cannot be processed at all without specific authorisation as granted in the Bill or by the Regulator. An example of special personal information that cannot be processed relates to children’s information, subject to certain conditions.
“The provision dealing with children’s privacy is in line with US and European legislation arising from concerns about social media and Internet sites which may encourage children to submit personal and sensitive information without their parents’ knowledge,” says Opland.
The office of the new Information Regulator, which will be set up once the Bill is passed into law, will actively monitor and enforce the legislation.
However, Opland says that there will still be some loopholes which will be difficult to monitor and enforce. For instance, there is no way to prevent children from lying and falsifying information regarding their age. In the US, some Web sites require the entry of a credit card number to gain access in an attempt to screen out children; however, this can obviously also be circumvented.
Currently South Africa does not have comprehensive privacy or data protection laws in place. However, some aspects are covered in various other laws, such as the Consumer Protection Act, the National Credit Act, and the Electronic Communications and Transactions Act.
The purpose of POPI is to give effect to the constitutional right to privacy and to regulate the manner in which personal information is processed.
The Bill, which is in its seventh and final draft, has been shepherded through its various incarnations over the past three years by a three-person technical sub-committee of Parliament’s Portfolio Committee on Justice and Constitutional Development, which is reviewing the final version.
It will then be circulated to the two houses of parliament for approval, before submission to the president for signature, which is anticipated in the second half of the year.
The Bill defines “personal information” in the broadest possible terms, and includes both natural and juristic persons in its definition. Both public and private bodies are subject to its provisions, and it applies when the information is processed within South Africa (but not when it is only transmitted through the Republic).
Limited exceptions include information in the public domain, “purely personal or household activity”, de-identified information, and very limited government functions.
Some information is defined as “special personal information”, including religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sexual life, and criminal behaviour, which are subject to additional restrictions.
The Bill gives individuals the right to know why their information is collected and the purposes for which it will be used. It also provides for the rights to object, on reasonable grounds, to uses of their information, to inquire whether an organisation holds information about them, to view and correct that information, and to ask that it be deleted.
Organisations are obliged to only collect and use the minimum information necessary to accomplish their objectives, to maintain such information accurately, to safeguard personal information and to delete or destroy information when it is no longer needed. Opland says that organisations will be required to notify the individual(s) and the new Information Regulator of any compromises of their personal information.
This includes loss, theft, unauthorised access or disclosure, and any incidents relating to hacking.
Revisions in the latest draft of the Bill include:
* Alignment of the definition of “biometric” with the European Union (EU) definition to include physical, physiological, and behavioural characteristics, and blood type. “Privacy legislation needs to ensure that there is a high degree of protection regarding people’s personal data,” says Opland.
* Introduction of the term “blocked” information, referring to personal information that is no longer used, but not deleted or destroyed, the effect of which would be to exclude the “collection, storage or updating of blocked information” from the provisions of the Bill.
* Inclusion of an “online identifier” (such as IP address) in the definition of personal information.
* The definition of a “filing system” was amended to include “whether centralised, decentralised or dispersed on a functional or geographical basis”.
* Inclusion of language, which is currently being drafted, to clarify the applicability of the Bill to cloud computing activities.
* Inclusion of three different options for language to exclude the processing of personal information for literary or artistic expression from the provisions of the Bill.
* Inclusion of the “Privacy By Design” concept into the Accountability condition (principle).
* Requirements under the openness condition (principle) to notify the data subject of the right to complain to the Regulator, and the contact information of the Regulator; if applicable, notification to the data subject that their information will be passed to a third country or international organisation, and the level of protection thereof by reference to any relevant adequacy decisions by the Regulator; and, when information is not collected directly from the data subject, identification of the source of that information.
* Requirement to notify the Regulator “immediately” of data breaches.
* In prior drafts, the term “sexual life” had been deleted from the definition of special personal information dealing with health information, but it has now been re-included.
* An increase in maximum financial penalties for non-compliance with or violation of the Bill to R10-million (from R1-million).