New privacy laws in South Africa will regulate the way in which children’s personal information is processed without infringing their privacy.
The Protection of Personal Information Bill (PoPI) will prohibit companies and other organisations from collecting and processing information relating to children without parental consent, unless specifically approved by the office of the new Information Regulator or required by law. One of the few remaining decisions regarding the Bill’s language is the definition of a ‘child’. The two options under consideration are a person under the age of 18 or under the age of 13.
“The proposed law is intended to give parents control over sensitive and private information collected from their children and how that is used and shared”, says Russell Opland, Leader of PwC’s National Privacy Team. Opland points out that there is a particular category of personal information called ‘special personal information’ under the proposed legislation which cannot be processed at all without specific authorisation as granted in the Bill or by the Regulator. An example of special personal information that cannot be processed relates to children’s information, subject to certain conditions. “The provision dealing with children’s privacy is in line with US and European legislation arising from concerns about social media and internet sites which may encourage children to submit personal and sensitive information without their parents’ knowledge,” says Opland.
The office of the new Information Regulator, which will be set up once the Bill is passed into law, will actively monitor and enforce the legislation.
However, he says that there will still be some loopholes which will be difficult to monitor and enforce. For instance, there is no way to prevent children from lying and falsifying information regarding their age. In the US, some websites require the entry of a credit card number to gain access as an attempt to screen out children, however, this can obviously also be circumvented.
Currently South Africa does not have comprehensive privacy or data protection laws in place. However, some aspects are covered in various other laws, such as the Consumer Protection Act, the National Credit Act, and the Electronic Communications and Transactions Act.
The purpose of PoPI is to give effect to the constitutional right to privacy and to regulate the manner in which personal information is processed.
The Bill, which is in its seventh and final draft, has been shepherded through its various incarnations over the past 3 years by a three-person technical sub-committee of Parliament’s Portfolio Committee on Justice and Constitutional Development, which is reviewing the final version.It will then be circulated to the two houses of Parliament for approval, before submission to the President for signature, which is anticipated in the second half of the year.
The Bill defines “personal information” in the broadest possible terms, and includes both natural and juristic persons in its definition. Both public and private bodies are subject to its provisions, and it applies when the information is processed within South Africa (but not when it is only transmitted through the Republic). Limited exceptions include information in the public domain, “purely personal or household activity”, de-identified information, and very limited government functions. Some information is defined as ‘special personal information’, including religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sexual life, and criminal behaviour, which are subject to additional restrictions.
The Bill provides rights for individuals to know the reasons why their information is collected, the purposes for which it will be used, and provides for the rights to object, on reasonable grounds, to uses of their information, to inquire whether an organisation holds information about the individual, to view and correct that information, and to ask that it be deleted.
Organisations are obliged to only collect and use the minimum information necessary to accomplish their objectives, to maintain such information accurately, to safeguard personal information, and to delete or destroy information when it is no longer needed. Opland says that organisations will be required to notify the individual(s) and the new Information Regulator of any compromises of their personal information. This includes loss, theft, unauthorised access or disclosure, and any incidents relating to hacking.
Revisions in the latest draft of the Bill include: