The massive personal data breach last week, attributed to the estate agency Aida, is confirmation that South Africa desperately needs the Protection of Personal Information Act (POPIA) to be fully implemented. For those of you who don’t know, only a few sections of POPIA have been signed into law so far. Those sections deal only with the formation of the Information Regulator. The real “meaty” bits, which provide you and me with protection, are not in force yet.
POPIA not being fully effective is why some organizations are able to collect and process your and my personal information almost with impunity. They are astute because they have managed to navigate the laws which would otherwise restrict how they deal with personal information.
Take Dracore Data Sciences (Dracore), for example. It was the company which supplied Aida with the database that held the personal information of millions of South Africans. It has applied for, but has not yet been granted, registration as a credit bureau under the National Credit Act. Dracore has not been shown to have been the source of the breach, but the National Credit Act imposes serious confidentiality requirements on registered credit bureaux. So, if Dracore had been the source of the breach and had been registered as a credit bureau, it would have been in trouble under the National Credit Act. But if it had been the source of the breach, was not a credit bureau and had simply been engaging in “data enrichment”, there is not much any regulatory agency could do.
“Protection of Personal Information Act (POPIA) not being fully effective is why some organizations are able to collect and process your and my personal information, with almost impunity.”
Lucien Pierce, Phukubje Pierce Masithela Attorneys
I reiterate, as far as we know, Dracore is not responsible for the breach, but let’s use it as an example in the context of other legislation which does provide some privacy protection. The Consumer Protection Act (CPA) has privacy protections, but only in the context of direct marketing: Dracore does not engage in direct marketing, so it does not infringe the CPA. The Electronic Communications and Transactions Act (ECTA) has privacy provisions, but these are voluntary and apply only in the context of electronic transactions. Dracore does not engage in the type of electronic communications that ECTA contemplates, so it is on the right side of the law. Section 14 of the Constitution provides for the right to privacy, but, as we know, it wasn’t Dracore that caused the breach, so it hasn’t contravened this section.
So what would have happened if POPIA was fully effective?
Well, Aida would certainly have the entire book thrown at it.
It would have breached the requirements of minimality i.e. that you should only process information if it is adequate, relevant and not excessive. According to Troy Hunt, who revealed the breach, children’s records are also included in the database. Their records are definitely not relevant to an estate agency and processing them certainly is excessive.
It would have breached the requirements for consent. If I’m on the database, I certainly didn’t give consent. President Zuma apparently is, and I’m sure he didn’t either.
It would have breached the requirement to collect personal information directly from the data subject. They certainly didn’t ask me for my personal information.
It would have breached the requirements of having appropriate security safeguards. Whoever gave the database to Troy Hunt simply accessed Aida’s server and downloaded the database.
I could go on with five or six more contraventions, but I will highlight one of the most serious ones, i.e. the prohibition on the processing of the personal information of children.
So, if POPIA was in place, would Dracore still be off the hook?
In my opinion, it would, for at least two reasons, be in a spot of bother.
It claims that the breach was Aida’s fault. It says that it obtained written security undertakings from Aida that Aida would handle the personal information in accordance with POPIA. Dracore did indeed do so. But in my view, that is not enough. My interpretation of POPIA’s requirements is that you should obtain the written security undertakings and ensure that the security undertakings are in fact implemented. In other words, you need to go and verify whether the personal information you have handed over is actually being handled in a secure way. My view is that if it didn’t, then Dracore fell short on this aspect and, if POPIA was fully effective, could well also have been prosecuted.
My understanding of “data enrichment” is that it entails collecting data from different sources and creating a profile. To do this, POPIA requires anyone doing so to obtain prior authorization from the Information Regulator or to be subjected to an approved sector code of conduct. Anyone doing so without prior authorization or being subject to a sector code of conduct would be subject to prosecution.
Of course, we know that POPIA is not in place and the above arguments are all hypothetical. Once POPIA is fully effective, we will have a lot more certainty and a lot more control over who does what with our personal information.
I can’t wait: especially since I get those cold calls at 17h30 on a Saturday afternoon from some or other estate agent, wanting to know if I want to sell my house!