The ‘download’ on personal information: The Protection of Personal Information Act and Municipalities

In an age of information warfare, identity theft and the mismanagement and commercialisation of personal information in the digital world, the right to privacy in the Constitution and the Protection of Personal Information Act 4 of 2013 (POPIA) are vital tools that must be used to mitigate the risks that ordinary citizens face when sharing personal information. This article reflects on the question of whether municipalities, which are often the primary interface between citizens and government, are ready to implement and fulfil the requirements of POPIA and more specifically, it examines the obligations which municipalities now bear to lawfully process personal information.

Constitutional framing of POPIA

POPIA gives effect to the constitutional right to privacy, contained in section 14 of the Bill of Rights, and ensures that both public and private bodies do not process (which means collect, use, share, store or destroy) any individual’s personal information unless the processing thereof is permitted by law. The Act applies to all levels of government, so municipalities must adhere to it. Furthermore, South Africa is a signatory to a number of international instruments containing privacy protections. This means that there is a broad normative framework which informs how municipalities must approach and strive towards fulfilling this duty to protect the right to privacy. These obligations are, however, not clear-cut. Municipalities, like all organs of state and non-state actors, must strike the right balance between ‘the right to privacy’ and ‘the right of access to information’ provided for in section 32 of the Constitution. The Promotion of Access to Information Act 3 of 2000 (PAIA) was enacted to give effect to this right, and municipalities are thus required to implement both acts harmoniously.

What does POPIA provide and what are the implications for municipalities?

The purpose of POPIA, as set out in section 2 of the Act, is to give effect to the constitutional right to privacy by safeguarding personal information when it is processed by any ‘responsible party’. The ‘responsible party’ determines the legitimate purpose for processing personal information, which is subject to justifiable limitations. The Act further aims to regulate the manner in which personal information may be processed through the establishment of minimum threshold conditions that are in line with international standards. In addition, it provides persons with rights and remedies to protect their personal information from unlawful processing. Lastly, it establishes voluntary and compulsory measures, including the establishment of an Information Regulator, to enforce the provisions of the Act. POPIA prescribes eight principles for the proper implementation of the Act.

Principle one deals with accountability. Municipalities must take responsibility for personal information and compliance with the Act. This involves ensuring that both technical and organisational measures, including appropriate policies, procedures, mechanisms and other initiatives, exist to ensure personal information is protected. Ownership of personal information must reside with individuals at all points of the personal information life-cycle, from collection to destruction of personal information. Lastly, municipalities must have evidence of the formal processes (e.g. policies, procedures and reports) and informal processes (e.g. emails, meeting agendas and system logs) that are in place for privacy management.

Principle two involves a processing limitation on personal information. This principle requires that the processing of personal information must be lawful and done in a reasonable manner that does not infringe the privacy rights of ‘data subjects’ (the persons to whom personal information relates). As discussed under Principle three, the processing of personal information must be limited to a clearly identified objective. For example, the use of personal information by municipalities is permissible to implement credit control and debt collection for services rendered. Further processing of personal information is only permitted if the purpose thereof is justified insofar as it is adequate, relevant and not excessive (certain exclusions apply, for example where there is a legal obligation mandated in legislation).

Principle three concerns ‘purpose-specification’ which prescribes that the collection of personal information must be for a specific purpose and there must be retention and restriction of records. Thus, municipalities need to be transparent about the reason for collecting personal information and put in place a record thereof.

Principle four deals with a further processing limitation. Municipalities need to check that personal information collected for one purpose is used for another purpose only in limited circumstances, for example where there is a direct relationship between the primary and secondary purpose, where consent is obtained, or where there is a clear obligation or function set out in law.

Principle five deals with the quality of information. Municipalities must take reasonable steps to ensure the personal information held is not incorrect or misleading, including, amongst other things, ensuring that the source and status of personal data is clear and considering whether it is necessary to periodically update information.

Principle six is about ‘openness’, which deals with two aspects, namely documentation and notification to data subjects when collecting personal information. Municipalities will have to check that the documentation of all processing operations under their responsibility is maintained as required in terms of PAIA. Further, data subjects have the right to access their personal information.

Principle seven requires ‘security safeguards’: municipalities must ensure that appropriate security measures (technical and organisational) are in place to protect personal information. For example, there must be regard for generally accepted information security practices (e.g. ISO 27001, which is widely known for setting out the requirements for an information security management system). Reasonable measures must be taken to:

  • identify internal and external risks;
  • establish and maintain safeguards against identified risks that require controls to be in place; and
  • regularly verify whether safeguards are effective and continuously update them to respond to new risks.

Principle eight, on ‘Data Subject Participation’, concerns an individual’s right to confirm whether their personal information is held by a municipality. They may request this information free of charge. A record must be maintained detailing the history of to whom the personal information was disclosed. Furthermore, erroneous personal information must be corrected. This principle requires that municipalities review their PAIA standard operating procedures to include the new POPIA rights afforded to data subjects. Particular consideration must be given to the right to object to the processing and updating of personal information.

The abovementioned principles require municipalities to take action in several respects. For instance, they must carry out a personal information impact assessment to establish whether adequate internal measures and systems are in place to ensure the lawful processing of personal information. Municipalities need to develop a POPIA policy manual that sets out how the municipality intends to use, store, process and share personal information. Moreover, internal awareness sessions should be held with all the different departments within the municipality to ensure that all officials are fully aware of the requirements of POPIA. In addition, municipalities must use effective security and access controls on all staff devices. For instance, they should implement data encryption and authentication measures, as well as provide effective anti-virus and anti-malware software. Lastly, municipalities need to implement internal auditing and reporting solutions as they pertain to personal information.

The looming deadline and consequences for non-compliance

The looming date of 21 July 2021 signifies when all municipalities will have no option but to be fully compliant with POPIA. They need to establish the correct governance structures to give effect to the Act and its objectives. This serves to avoid breaches of sensitive data and to prevent incurring penalties in terms of the Act. The penalties are significant and include administrative fines which may not exceed 10 million rand, or imprisonment for a period not exceeding 10 years. Given the severity of non-compliance, it is crucial to consider the obstacles that municipalities still need to overcome.

Implementing POPIA

There are several challenges that are likely to confront municipalities in the implementation of POPIA. The discussion in this section is limited to the lack of appropriate infrastructure and organisational incapacity in many municipalities. There are evident weaknesses in the implementation and governance of Information Technology (IT) in South African municipalities. Many local authorities are still lagging behind on Information and Communications Technology (ICT) infrastructure, particularly smaller municipalities that are still largely reliant on paper-based processes. Constraining bureaucratic processes, limited technical skills and limited IT knowledge at political levels present additional challenges. Taking this into consideration, it is difficult to see how municipalities will be able to successfully implement sound electronic management systems that support optimal compliance and efficiency. The infrastructure divide is likely to be a major constraining factor: infrastructure tends to be inferior in rural municipalities compared to metropolitan municipalities and other high-capacity urban municipalities.

In addition, ‘enormous amounts’ of sensitive personal data are held by municipalities, which makes it a difficult task for them to collect, catalogue, digitise and safeguard such volumes of data. The implementation of POPIA will strain municipal resources, since municipalities must now ensure that sensitive personal data is lawfully processed. This means that consent must be obtained and privacy conditions need to be embedded throughout municipal processes.

POPIA also requires the verification of the quality of personal information as a condition for lawfully processing it. At a strategic planning level, this means that administrators must rely on the quality of information to inform the political leadership on the best possible solutions for service delivery outcomes. However, across municipalities there is a challenge in respect of the quality of data available, including inconsistencies in the data held across different departments. The fact that municipal departments often work in silos aggravates this problem. As such, it is essential that there is integration and data-sharing while at all times complying with POPIA requirements.

Conclusion

While POPIA is a necessary and vital tool to protect personal information in the age that we live in, there are many challenges which lie ahead in its implementation. A change management process is required for good personal information governance to be facilitated in municipalities, one which not only targets the understanding of municipal functionaries but also facilitates an appreciation of the objectives of the Act, rather than merely focussing on IT systems to meet the compliance standards set out in POPIA. The problem, however, is that many officials working within municipalities lack the requisite skills and are not professionally qualified to carry out this function. As a result, municipalities lack the essential human and financial resources to properly implement POPIA. In terms of the existing intergovernmental framework for support, this places a duty on the national and provincial governments to capacitate municipalities. In practice, this may include training on the legal implications of the Act as well as support with IT governance and ICT tools. While the task seems daunting and will certainly extend beyond the July 2021 cut-off date, if incremental steps are taken to achieve these goals, the implementation of POPIA will be institutionalised and inculcated in the governance culture of municipalities.

By Shehaam Johnstone, Post-doctoral Researcher