Posted on October 24, 2012
You're an archivist or records manager working your way systematically through a folder full of documents. You come across an email in which a prominent official shares confidential information about a colleague's illicit business dealing with a third party. How do you respond? Do you: leak this to the media knowing that it's going to cause a scandal? Do you mention it in passing at a social gathering, knowing that the story will spread quickly? Do you blow the whistle anonymously and let the law take its course? Do you accession or destroy the record?
The Protection of Personal Information Act (POPIA), approved by the National Assembly on 11 September 2012, has huge implications for all institutions or organisations which gather, retain, disseminate and dispose of personal information. While businesses will be hard pressed to review and amend their record keeping, employment and information technology policies and procedures in order to ensure compliance with POPIA, archival institutions face particular challenges specific to their mandates and will have to manage their holdings far more robustly in future. As citizens we should be asking if the very legislation that is intended to protect privacy will be used to block access to information, especially if it's needed to call those in power to account. POPIA will be referred to the National Council of Provinces for approval. The National Council of Provinces may require changes to the legislation. However, if it approves the bill in its current form, the legislation will be referred to the president for signature.
If you're ever faced with a dilemma like the one posed above you'd do well to consider how POPIA requires you to deal with this issue. The Act is intended essentially to give effect to the constitutional right to privacy by safeguarding personal information in a way that balances this right against others, particularly the right to access of information. The Act defines 'personal information', describes specific exclusions and sets in place mechanisms and processes to regulate and enforce the way in which personal information is processed and protected.
Personal information, as defined in the Act, means information relating to an identifiable, living, natural person, or an identifiable, existing juristic person [1]. In broad terms, personal information relates to: race, gender, sexual orientation, marital status etc., medical, financial or criminal history; identifying numbers; contact details; biometric information; personal opinions; private or confidential communications; the views or opinions of others about the person; and the name of the person, in cases where the disclosure of this might reveal information about the person. In other words, the kind of information that many of us routinely make available when we respond to questions posed by market researchers, direct marketers, businesses with whom we engage, when we communicate with government officials, comment on websites or communicate with colleagues, friends and family or write in our personal journals.
POPIA does not apply to personal information used in a purely personal or household activity - although, we would argue that it would, if such information were to be transferred to an archival institution. Other exclusions from the Act include personal information: which has been de-identified, to the extent where it cannot be re-identified, for example anonymised oral testimonies; information which involves national security and which might, for example assist in identifying attacks on the state; information relating to unlawful activities such as money laundering; or information that is included as part of a public record already in the public domain, for example, court records, property transactions, etc. The bottom line is that if you are a law-abiding citizen, POPIA may be used to protect your personal information. If you are not, you should not be able to hide behind it!
Will POPIA impose limitations on freedom of expression? The provisions of the Act do not apply to personal information used solely for the purpose of journalistic, literary or artistic expression. In instances such as these, responsible parties are required to adhere to a code of conduct that provides adequate safeguards for the protection of personal information. It is yet to be seen what effect POPIA will have in practice. It's not unreasonable, given the current political climate, to fear that this legislation may reinforce or entrench an already alarming culture of secrecy. The stand-off around the Protection of State Information Act has left many fearful that the state is dealing with information with a heavy hand and it may be that responsible parties will err on the side of caution, rather than face censure or prosecution: beleaguered journalists may be less willing to argue the public benefit of disclosing information about a person's extravagant lifestyle to press for an investigation into the source of their wealth, and archivists may take unnecessary action to weed, redact or destroy records containing personal information that would otherwise be archived.
There's a tension at the heart of POPIA around the issue of public interest which poses a dilemma: when should the public interest in the free flow of information and the right to be informed be considered to be more important than the public interest in safeguarding the protection of personal information and protecting privacy? [2] According to the Act, responsible parties may be granted exemption, allowing them to process personal information, otherwise prohibited under POPIA, when: the public interest outweighs any interference with the privacy of the person; it involves a clear benefit to the person, or a third party that outweighs any interference with the privacy of the person and; if it is required for the purposes of discharging a relevant function such as protecting members of the public against dishonesty, malpractice or improper conduct.
This is a tricky judgement call, and one we're bound to see being argued vigorously in the future. Jane Duncan, in a measured consideration on the matter of information from the leaked medical records of former Health Minister Manto Tshabalala Msimang published by Sunday Times, argues that everyone has a right to privacy but that 'if a public official is ill to the extent where it impacts on his or her ability to undertake public duty, then the public interest becomes more compelling'. Allegations that the Minister responsible for managing public health made poor judgements about her own and was granted preferential treatment and abused medical staff add weight to the public interest claim. Duncan concludes that, 'but when matters of public concern demand the telling of the individual's story to expose a wrongdoing, to inform a community of a disaster or to hold the medical system accountable, some use of individual information is necessary and justified, and should be protected by the Constitution.' Duncan argues that one of the problems with the Promotion Act (PAIA) is that it may not necessarily recognise the public interest in disclosure of personal information. This deficit is to some extent remedied by POPIA.
POPIA imposes stringent conditions on the way in which personal information may be processed, the purposes for, and the conditions under which it may be collected, used, retained and disseminated. These include the following:
- Responsible parties are required to comply with the requirements set out in POPIA if they process personal information;
- Personal information must be collected directly from the data subject or under circumstances spelt out in the Act. This includes, for example, information contained in or derived from a public record;
- Data subjects should consent to the processing and be made aware of the purpose for which the information is being processed;
- Personal Information may not be retained for longer than is necessary for the specified purpose;
- Personal Information should not be used for any other purpose than that for which it was collected;
- The responsible party must take reasonable care to ensure that information is complete and accurate, is not misleading and is updated where necessary;
- Responsible parties must maintain documentation of all processing operations;
- Measures must be put in place to secure personal information against loss, damage and unlawful access. If third parties are required to process information, a written contract must be entered into to establish and maintain confidentiality and security measures. The Information Regulator and the data subject must be notified if the security of information is compromised in any way;
- Data subjects have the right to obtain details of personal information from parties holding that information and to ask for information to be corrected if it is inaccurate or deleted / destroyed if the responsible party is no longer authorised to retain it.
The Act details a number of other instances where prohibitions on personal information do not apply. Information about a person's race or ethnic origin, for example, may be processed when it is required to comply with measures intended to protect or advance those disadvantaged by unfair discrimination. Similarly, information about a person's health or sex life may be processed by medical professionals, insurance and medical aid companies, etc., who are obliged by virtue of their office, profession, or legal provisions to maintain confidentiality. This has huge implications for the daily activity and practice of all those who work with or hold information in safekeeping.
As citizens, there are a couple of issues we should be worrying about. How can we be sure that POPIA offers adequate protection against abuse by those who wish to use its provisions to hide their nefarious deeds or cover up incidents of corruption? Isn't there a real danger that the very legislation that is intended to protect privacy will be used to block access to information, especially if it's needed to call those in power to account?
No matter how good legislation looks on paper, the true test of its strength lies in the extent to which it can be implemented and enforced. POPIA provides for the establishment of an Information Regulator, an office that is fully empowered to deal with complaints and disputes relating to the implementation of the Act and to issue, approve, amend, revoke, review or provide guidelines for codes of conduct and to grant additional exemptions.
Of great significance is the fact that the Information Regulator has also been given full ruling powers to deal with complaints and disputes in relation to PAIA, a move that is welcomed by those concerned with ironing out the impediments to the free flow of information. The acts have complementary purposes: PAIA does not apply to information processing, or impose any requirements to create or keep records. It aims instead to give substance to the constitutional commitment to freedom of access to information.
What does this mean for the way in which archivists 'process' the records in their custody? Four key issues demand urgent resolution and action:
- The Information Regulator will have to approve the special purpose of records selected for permanent preservation as archives, with a view to their use in historical or other research;
- Archivists will be required to process personal information according to a code of conduct which specifies, amongst other things, how the conditions for lawful processing of personal information are to be applied. Records management policies, procedures and systems may have to be amended to align them with the code of conduct and with POPIA;
- Records coming into the institution or appraised for preservation will have to be scrutinised carefully to determine whether they include information covered by the Act and what, if any, actions are required to: make processing of these lawful; ensure security and; determine access controls; and
- Oral history interviews or transcriptions thereof will have to be treated with special care, particularly because they may reveal personal information about both the interviewee and third parties.
In determining the way forward, South African archivists are fortunate to be able to draw on the experiences of colleagues in other parts of the world who have done pioneering work in this regard. The Archival Platform will be working with local stakeholders to carefully consider and develop ways of working with personal information in order to comply with protection measures in the present, without unduly compromising the record for the future. We look forward to engaging with you in this task.
Explanatory Notes:
[1] A 'juristic person' is a social entity, a community or an association of people which has an independent right of existence under the law. These include: associations created with governmental permission such as the SABC and established through legislation; associations such as banks and private hospitals which are required by government to be registered in one way or another and are incorporated in terms of enabling legislation; and associations such as non-profit societies which continue to exist irrespective of changes in membership and which comply with the common-law requirements for the establishment of a juristic person.
Restrictions regarding the way in which personal information is collected, retained and disseminated apply to living persons. Restrictions on access to someone else's personal information, rather than your own, apply until such time as the person has been deceased for more than 20 years.
[2] 'Public interest' as defined in Section 37 of the Act includes: the interests of national security; the prevention, detection and prosecution of offences; important economic and financial interests of a public body; fostering compliance with legal provisions; historical, statistical or research activity; and the special importance of the interest in freedom of expression.
[3] Persons to whom the information relates are referred to in the Act as 'data-subjects' while the public or private bodies or individuals who determine the purpose and means of processing information are referred to as 'responsible parties'.
[4] The Act deals extensively with the regulation of direct marketing, by means of unsolicited electronic communications, directories and automated decision making and spells out the mechanisms used to address complaints and enforce compliance.
[5] In terms of the Act, 'processing' means activities or operations including: collecting, receiving, recording, organisation, storage, collation, updating, modifying, altering, retrieving, consulting or using information as well as the way in which information is disseminated, transmitted, distributed or made available, linked or merged with other data or restricted, degraded, erased or destroyed.
Jo-Anne Duggan is the Director of the Archival Platform