At the public hearings, the Open Democracy Advice Centre welcomed the institution of the Information Protection Regulator but were concerned about the powers of the Regulator which did not deal with powers in relation to access to information. They proposed that these powers be added and also made recommendations about the location of the Regulator. They queried the inclusion of juristic persons in the legislation, privacy safeguards for information that was being processed by the State, the exemption of journalists who processed information not being broad enough, the protection of existing databases, and the inadequate amount of time allowed for appeals to court. The Committee asked questions about the functions of the Regulator and the kind of structure needed to oversee access to information as well as protection of privacy. They also looked at what kind of cost recovery plan the Centre thought there could be on the basis of complaints from natural persons, and the exemption of journalists.
Business Unity South Africa was disappointed that the Department had not tabled the Bill with NEDLAC prior to the Bill coming to Parliament. This had been requested by the Trade and Industry Chamber as far back as 2007. BUSA supported the Bill; however, it was important that the implementation of the Bill, once enacted, was carefully managed so as to minimise the costs to business. It was important that these costs were spread out through a longer period to assist business, especially during the current economic crisis. BUSA noted that the Regulatory Impact Assessment framework was recognised as one of the most useful instruments in reducing the regulatory burden on business. However, they were disappointed by the limited progress in implementation of this framework. They recommended that amendments be made to the Regulatory Impact Assessment, Transitional Arrangements, Clauses 10(2), 36, 39(5), 43, and 69.
The Association for Savings and Investment South Africa supported the purpose and the objectives of the Bill; however, it was calling for a more moderate pace for implementation of the Bill in order to balance the risks and costs associated with the new regime. The imposition of the new privacy regime established by the Bill would be a major undertaking and would have a substantial economic impact. The shorter the implementation period, the higher the costs would be. They proposed that amendments be made to Clauses 10, 14, 34, 103 and 104. There were also proposed amendments to the definitions of “processing” and “personal information” in the Bill. The Committee discussed why the Bill had not gone through the NEDLAC process, the huge costs in implementing the Bill, whether there were any businesses that were not affected by the Bill, whether the Bill did not look at the labour matter, and if BUSA had approached NEDLAC to complain that the Bill had not been tabled with them.
The Nelson Mandela Foundation and South African History Archive recommended that amendments be made to the definitions of “personal information” and to Clause 32 in the Bill. The Committee discussed the exclusion of juristic persons from the Bill and the exemption of the collection of personal information for historical research purposes.
The Banking Association of South Africa stated that the most important issue was that South African personal privacy legislation be put in place so as to meet the minimum standard required by other standard-setting organisations, in particular the European Union. Such conformance with a minimum standard was critical for multi-national institutions doing business across international borders. The Association recommended that amendments be made to the definitions “biometric”, “persons” and “personal information”. The Association also proposed amendments to Clauses 15, 21, 22, 23, 25, 36, 38, 43, 46, 55, 56, 61, 64, 68, 69, 71, 73, 84, 88, 92, 94 and 103. Members noted that more information and documentation was needed about the costs of implementing the Bill. They asked the Association to comment on the idea of the Regulator becoming more independent.
The Credit Bureau Association requested that the Committee review the full application of the Bill to juristic persons. They recommended that the Committee exclude juristic persons from the ambit of the Bill, alternatively, that the Committee consider partial application of the principles of information protection to juristic persons. They also proposed an amendment to Clause 103. The Committee requested specific amendments on the exclusion of juristic persons from the Bill.
COSATU stated that they were concerned that the Bill had not been tabled with NEDLAC for consideration. They voiced their unhappiness with the short time frame given for submissions on such an important piece of legislation. COSATU proposed amendments to Clauses 10, 14, 14(2) and (3), 15, 18, 21, 25 and 34. They also recommended an insertion into the Bill that would provide for a Code of Good Practice, according to International Labour Organisation guidelines, mandatory in every workplace in which this Bill would find application. The Committee sympathised and shared COSATU’s concerns; however, they found it difficult to see how these concerns related to the Bill. Members asked if COSATU was opposed to the South African Police Service (SAPS) having automatic access to the fingerprint database from the Department of Home Affairs and other records in the government’s possession. The Committee noted with concern that NEDLAC seemed to be the new Parliament of South Africa, as Members were being told that legislation should not be proceeded with unless it had been tabled at NEDLAC. They questioned COSATU’s proposed amendment to Clause 34 and addressed COSATU’s concern about the use of fingerprints. The Committee and COSATU did not seem to have the same understanding on the purpose of the Bill. Perhaps, once the Department had responded to the submissions, COSATU would have a better understanding of the purposes of the Bill. The Chairperson stated that there would be further engagements with COSATU about certain aspects of the Bill.
Open Democracy Advice Centre (ODAC) submission
Ms Allison Tilley, Chief Executive Officer for Open Democracy Advice Centre (ODAC), stated that the idea that this privacy law was part of the Open Democracy legislation seemed odd for some observers. ODAC wanted to emphasise that the protection of private information was the “other side of the coin” in terms of making sure public information was made accessible. Information could only be made accessible once one was confident that the information that needed to be kept private would be kept private.
Clause 43(3): Powers and Duties of the Regulator
ODAC welcomed the legislation, as it created the Information Protection Regulator (IPR). Internationally, these structures were usually called the Information and Data Protection Commissioner as it dealt with both the Protection of Personal Information and the Access to Information Acts. ODAC fully supported the creation of a structure that would allow quick, cheap access to dispute resolution around access to information and privacy issues. However, they were concerned about the powers of the Regulator in relation to accessing information. They proposed that this be dealt with by adding powers in this regard. The Regulator’s powers were limited to promotional and monitoring activities that were currently undertaken by the South African Human Rights Commission (SAHRC). This section of legislation was yet to be amended. The promotional aspect of access to information and protection of personal information were set out in detail for the Regulator in both the PAIA and the Protection of Personal Information Bill (PPI); however, the powers of the Regulator were only set out in relation to the PAIA.
One of the greatest obstacles to accessing information was the problem of “mute refusals”, which were requests for information that did not receive responses during the appropriate time frame. The prescribed period of 30 days in which responses were supposed to be given was considerably longer than that prescribed by international standards.
ODAC was particularly concerned about the responsiveness of district municipalities. Effective communication was required to counter rising service delivery protests. The Medium Term Strategic Framework (MTSF) recognised the importance of the promotion of a culture of open and transparent government by implementing provisions of the Promotion of Access to Information Act (PAIA). The appointment of Deputy Information Officers (DIOs) would ensure that there was capacity to respond to requests for information.
Location of the IPR
ODAC stated that there were arguments for and against the IPR being located within the SAHRC. The role of the Commission would replicate that of the Canadian Human Rights Commission, where it would not deal with complaints on access to information and data protection directly. Privacy and access to information rules would have to be implemented within the IPR. Canada dealt with two separate Commissions to deal with complaints, one to deal with privacy complaints and the other to deal with access to information complaints.
The SAHRC was a “champion” in terms of promoting access to information. ODAC wanted to see the Commission keep this role regarding promoting access to information and privacy. However, it was noted that the SAHRC was unable to support adequate performance in the public sector. It was ODAC’s view that a separate agency dealing with these issues was necessary in terms of international data protection directives, and it was in the best interests of the right to access to information. They preferred that the IPR establish itself with the two laws clearly in focus. Balancing these rights was exactly what the agency had to do. The question of resources was an important issue. ODAC suggested that the cost of processing and deciding cases be borne by the agency against whom the appeal or complaint is brought. This would disperse the cost across government agencies and would provide an incentive towards achieving public policy goals that PAIA embodied.
The role of National Archives had to be scrutinised. Record keeping and information management were central for managing access to information. Records had to be maintained and preserved so the government could be held accountable for their actions.
- ODAC questioned the inclusion of juristic persons in the legislation. They wondered where information privacy was applicable to the juristic person.
- The state was entitled to process personal information where national security, defence and public safety were involved without obeying safeguards in the Act. This could be done if they had legislation in place that created safeguards for privacy relating to the information they were processing. ODAC suggested that all databases be treated this way.
- ODAC wondered if the exemption of journalists who processed information was broad enough.
- They questioned whether the law would limit access to information that was available currently.
- They asked if existing databases would be protected.
- ODAC wondered if the time allowed for appeals to court was adequate. They said that the 30 day limit for appeals to the High Court in PPI matters imposed restraints on access to justice. The proposed time frame should be aligned with the 180 days proposed by the court in the Brummer matter where it was ruled that imbalances in capacity between ordinary individuals and resourced parties hampered access to justice.
Common implementation challenges were evident such as a lack of commitment to compliance from holders of information, lack of capacity in terms of record-keeping, insufficient funding for implementation and a lack of enforcement mechanisms.
Mr S Swart (ACDP) noted that ODAC indicated that the SAHRC should keep its champion role as the promoter of PAIA. He asked ODAC to comment on the functions of the Regulator, given that the Asmal Report spoke of an overarching structure to oversee the access to information function and the protection of personal information function.
Ms Tilley stated that it was clear from the EU Data Protection Directives that a separate structure was needed. Once there was an enforcement body to deal with privacy, the logical question would be why there was not a separate body to deal with access to information, as this was the national trend. In most international cases where a Regulator was put together, the two agencies for the PAI function and the PPI function were combined. It was then easier to decide on what information to release and what not to disclose. With two separate regulators to deal with the functions there could be situations where there would be disjunction between the two. The SAHRC has developed a “practice” around access to information. She would feel badly about taking this function away from them simply because there were so few “champions” of access to information. She thought they should retain the function of promoting access to information even if there was a regulator to oversee access to information. However, she thought there was a definite need for a separate structure that would oversee both privacy and access to information functions.
Mr M Oriani-Ambrosini (IFP) asked ODAC to send the Committee a draft proposal of the types of powers they wanted to see in the Regulator.
Ms D Smuts (DA) noted that ODAC's submission was very clear about its recommendations regarding the PPI Bill and the PAIA. She found the submission to be very valuable. She sympathised with ODAC's recommendation that the Regulator should in fact look after both the PAIA and the new PPI function. She noted that ODAC proposed cost recovery as a new funding mechanism. She understood that the Bill protected the rights of natural persons because, with the increase in electronic databases, there was a whole new form of intrusion into people’s privacy. The Bill would prevent people from going to court to protect their privacy, as it was an expensive process. She wondered what kind of cost recovery plan the Centre could muster on the basis of complaints from individual natural persons. She added that the whole field of journalism should be excluded from the Bill as soon as possible. She asked ODAC to comment.
Ms Tilley agreed that journalists should be excluded, as it pertained to a balancing of rights such as the Right to Freedom of Expression. However, there were instances where journalists were given personal data. She suggested having specific exclusions around processes such as whistle-blowing.
Adv J Jeffery (ANC) stated that it seemed as if ODAC actually wanted the PAIA amended rather than the PPI Bill. He knew there were problems with the implementation of PAIA but he did not think they could focus on that legislation at this moment. However, he agreed that it would be useful for Parliament to do a review of PAIA and how it was working. He said that it would be useful for ODAC to be more specific about their recommendations. The recommendations in the submission were brief and it would be useful for ODAC to give the Committee more substance. He added that ODAC should look at the Long Title of the PPI Bill, as the Centre seemed to be proposing something entirely new that concerned the PAIA.
Business Unity South Africa (BUSA) submission
Ms Simi Siwisa, Director for Economic Policy: BUSA, said that BUSA supported the rationale behind the introduction of the PPI legislation. However, it was important that the implementation of the Bill, once enacted, was carefully managed so as to minimise the cost to business. They were conscious of the potential costs this Bill could have on micro firms, who would need specific assistance in implementing this Bill. It was important that these costs were spread out through a longer period to assist business, especially during the current economic crisis.
BUSA was disappointed that the Department of Justice and Constitutional Development did not table this Bill with the National Economic Development and Labour Council (NEDLAC) in 2007 as requested by the Trade and Industry Chamber. They were also concerned that the period in which constituencies were supposed to submit their input was not adequate.
The Regulatory Impact Assessment (RIA):
The RIA framework was recognized as one of the most useful instruments in reducing the regulatory burden on Business. However, they were disappointed by the limited progress in implementation of this framework. It would have been a useful process for the Department to undertake a regulatory impact assessment to ascertain the cost of implementation and compliance for business. This process could have enriched the development of the Bill and assisted in minimising some of the costs anticipated by business. The full implementation of the provisions of the Bill would employ time, money and scarce technical resources.
BUSA proposed that the transitional period be extended up to five years to allow for the prerequisite development codes and the independent adjudicators.
The current draft could hinder business operations and was open to abuse. BUSA suggested that the following proviso be inserted after “personal information”: “in the event that the operator cannot demonstrate reasonable grounds for retaining such personal information”.
The proposed structure of the Regulator had to be revised. BUSA’s view was that the Regulator should have an executive Head and a non-executive Chairman.
BUSA proposed that this section be amended to allow for the Minister to be informed of the decision to dissolve a committee.
BUSA was concerned about the extensive responsibilities assigned to the Regulator. It was important that the Regulator was structured in a way that minimised conflict of interest and allowed for the attainment of the objects of this Bill.
It was important that guidance was given to businesses on a standard data protection clause that had to be inserted in all agreements in respect of which data would be exported to other jurisdictions, particularly those that did not have adequate data protection laws, for consistency purposes.
Association for Savings and Investment South Africa (ASISA) submission
Mr Johan Davey, member of ASISA, stated that ASISA fully supported the purpose and the objectives of the Bill. However, it was calling for a more moderate pace for implementation of the Bill in order to balance the risks and costs associated with the new regime. The imposition of the new privacy regime established by the Bill would be a major undertaking and would have a substantial economic impact. The shorter the implementation period, the higher the costs would be. ASISA proposed a general phasing in period, which would realistically enable its members to comply with the proposed legislation.
ASISA noted that the wide scope of the definition of “processing” created compliance difficulties in respect of data which was already being held by an organisation when this Act comes into force. Certain types of processing which were not linked to the data subject and did not result in a new or different application of the data, such as the mere storage of data, should be exempted from certain provisions of the Act or, alternatively, not be regarded as “processing” in terms of the Act (and accordingly not subject to certain provisions of the Act).
The extensive scope of the definition of “personal information” in the Bill and the privacy principles which had to be complied with, brought with it the complexity of addressing issues like the requirements to isolate data, classify data (typically in terms of the level of priority/security the data required) and to categorize data.
ASISA submitted that transitional relief in respect of the consent principle as far as it pertained to existing clients and data, be extended to a three year period, so that the majority of ASISA clients might be approached for purposes of consent in the normal course of business.
Clause 14 of the Bill provided that, subject to certain exceptions, records of personal information should not be retained for any longer than necessary for achieving the purpose for which the information was collected or subsequently processed.
In respect of data which was held by an organisation at the time the legislation would come into effect, however, tons of archived hardcopy and terabytes of electronic personal information would need to be destroyed, erased or anonymised. However, the real issue here was not necessarily the actual destruction, but the process required to identify which personal information needed to be destroyed. For larger organisations it would probably be an impossible task to achieve compliance with the destruction requirements of the Bill in the proposed time frame of one year without great expense.
ASISA submitted that an implementation period of at least five to six years be allowed for compliance with the retention limitation principle. Where the data was merely being stored, exemption should be granted in respect of the retention limitation principle, provided that the data was secured as required in terms of the Bill and that the data was not processed in any other manner.
Clauses 103 and 104
ASISA stated that the provisions as currently worded did not provide sufficient clarity and certainty regarding the implementation of the Act. They believed that certain minimum implementation periods would be required by members in order to design and implement the necessary compliance solutions. The problem with the current formulation was that businesses were left to guess the dates upon which they would have to comply with the various provisions of the Act, which made it very difficult to plan for and achieve timeous compliance.
ASISA stated that the period by which Clause 103(1) transitional relief may be extended, should not be limited to three years. The one year period referred to in 103(1) should be extended in accordance with the Proposed Implementation Table (see submission). The Information Protection Regulator, in addition to the Minister should be provided with the power to allow further extensions of time in terms of sub-section 103(2). Clause 104(1) should be amended by the addition of the following words at the end of the sentence “…which date shall be at least 12 months after the date upon which he signs this Act.”.
It was also submitted that the Information Protection Regulator, in addition to the Minister, should be provided with the power to allow further extensions of time in terms of Clause 103(2).
ASISA stated that an allowance should be made under Clause 34 for the Information Protection Regulator, on application, to provide temporary exemptions in respect of one or more provisions of the Act under circumstances.
Mr Swart asked the business organisations to explain why the Bill had not gone through the NEDLAC process. He said that the Committee accepted additional written submissions, particularly if they wanted to recommend specific amendments. The Committee would welcome this. He noted that there were huge costs in implementing the Bill. This was an implication that the Committee needed to consider, as there were huge financial consequences. He asked the entities to elaborate on this.
Ms Siwisa stated that BUSA had had many discussions with the Presidency and National Treasury on the cost implication matter. The idea was that while the legislation was still being drafted, cost implications for the state as well as for businesses should be considered.
Ms Siwisa said that if NEDLAC requested that a government entity table a particular legislation with them, then other constituencies expected that the legislation would indeed be tabled with NEDLAC.
Mr Davey welcomed the proposal that ASISA could contribute to the specific wording of the Bill.
Mr Davey stated that BUSA and ASISA were not in the position to do an exact cost analysis. However, they had considered certain costs such as destruction of data costs, costs for system changes and securing data.
Ms Rosemary Lightbody, Senior Policy Advisor for ASISA, added that BUSA and ASISA could not draw up an accurate assessment of costs, as there had not been enough time to do a proper cost analysis due to the short amount of time there was to send in the submission.
Mr Oriani-Ambrosini said that the submissions were beautifully drafted and very logical. He asked them to say whether there were any businesses that were not affected by the Bill. Almost all businesses processed personal information in some capacity. This meant that the Regulator would act as a processor of businesses, and this in turn would lead to the registration of all the businesses in the country, which was what was needed.
Mr Davey stated that the Bill would impact on every business that dealt with personal information. The more personal data the business dealt with, the greater the impact would be on the business in terms of costs and human resources. In his opinion, there was not one business that did not handle personal information.
Adv Jeffery stated that his understanding of the NEDLAC Act was that it focused on labour matters and economic policy. He thought that the PPI Bill did not look at labour matters, although it might have a little to do with economic policy; however it did not have anything to do with legislation. This was one of the gaps in the NEDLAC Act. If a party was aggrieved, they would approach NEDLAC to approach Parliament. He did not know if NEDLAC had been approached about the Bill not being submitted to them, as NEDLAC had not yet approached the Committee. He asked if BUSA had approached NEDLAC to complain that the Bill had not been tabled with them. He commented that more details were needed about costs and the time it would take to implement the provisions in the PPI Bill.
Ms Siwisa said that BUSA took this matter up with NEDLAC and the Department of Justice had agreed to table the Bill with NEDLAC in the week. She said that it could have been more useful for the legislation to be tabled with NEDLAC long before, as some of the issues in the Bill could have been resolved much earlier.
Mr Davey agreed that the Bill did not concern labour; however, it was debatable whether it concerned social and economic policy.
Ms N Michaels (DA) said that the entities spoke extensively about documents that were stored but not being processed. She noted that because of the PPI Bill, it would be considered as being processed. It was known that the destruction of documents was quite costly. She asked what the alternate option was to ensure that the documentation was either destroyed or kept safe. The Committee needed more information about this in order to assist businesses.
Mr Davey said that businesses needed the necessary time to implement changes in their systems. These changes were costly. There were systems in place to secure data; however, these systems would have to be updated.
Nelson Mandela Foundation and South African History Archive submission
Mr Verne Harris, Acting Chief Executive Officer: Nelson Mandela Foundation (NMF) and member of the South African History Archive (SAHA), briefed the Committee on the two organisations’ submission.
NMF and SAHA addressed the definition of “personal information”. First, it was not clear what the effect of ‘where it is applicable’ was, given that the Bill made no further reference to juristic persons and only referred to personal information. There were no provisions that only applied, or did not apply, to juristic persons. Second, it was still not clear why juristic persons should enjoy the same rights of human dignity that were at the heart of the right of privacy. It was also not clear what legitimate interests of juristic persons were not already protected by non-privacy related protections such as the mandatory protection of commercial information of third parties in Clause 36 of the Promotion of Access to Information Act (PAIA), and other laws protecting confidential commercial information.
The special needs of private archival institutions (like the NMF and SAHA) were not provided for, as there was no exemption for information processed for historical, statistical or research purposes. Accordingly, archival institutions were generally not permitted to process special personal information without consent or a specific exemption granted by the Information Protection Regulator. It was recommended that the ‘historical, statistical or research purposes’ exemption be restored.
Mr Swart asked Mr Harris for further comments on the exclusion of juristic persons.
Mr Harris answered that with the implementation of privacy legislation in other countries, one could see that there was the danger of organisations and corporations using the idea of privacy as a means of protecting themselves from legitimate scrutiny. If one opened the doors to juristic persons enjoying the protection afforded in the Bill, organisations that legitimately documented employees could find themselves constrained in ways unforeseen by the drafters of the Bill. He just wanted the Committee to think carefully about juristic persons enjoying the rights defined in the Bill.
Mr Oriani-Ambrosini addressed the exemption on the collection of personal information for historical research purposes. Historical information needed to be kept accurate, therefore it had to be subjected to regulatory processes. Regarding the regulatory processes, there was provision in the Bill to make the relevant extension to ensure there was consideration given to this. He asked for further comments on this.
Mr Harris said that the rights of organisations and businesses to reasonable protection in relation to information was “at rest” by other legislation. This needed to be looked at more closely. The PPI Bill provided for the protection of third party commercial information. So, corporations and organisations were not dependent on the PPI Bill for protection.
Banking Association of South Africa submission
Mr Stuart Grobler, Senior General Manager: Banking Association of South Africa, said that the most important issue with respect to this Bill was that it was urgently needed to bring the South African personal privacy legislation up to the minimum standard required by other major standard-setting organisations, in particular the European Union. Such conformance with a minimum standard was critical for multi-national institutions doing business (as service providers or customers) across international borders.
The Association proposed amendments to the terms “biometric”, “person”, and “personal information”.
It was suggested that compliance with a law should not be conditional on a “pecuniary penalty”, and that the words “imposing a pecuniary penalty” be deleted.
Clause 21(6) should be amended to empower the Regulator to “direct a responsible party to publicise, in any reasonable manner specified, ….” to ensure that the media, costs and coverage of such required publication were relevant and reasonable.
Clause 22(3)(a) required that in every situation where a fee for services was required the responsible party “must” give a written estimate of such fee before providing the services. This left little room for discretion and would lead to an excessive and unnecessary compliance burden. It was recommended that the Clause be amended to read “must, if so requested by the applicant, give the applicant …”
It is recommended that the Clause be amended to read as follows:
“(2) on receipt of a request in terms of Clause (1) a responsible party must, subject to Clause (d) –
“(a) correct …”
Clause 25 prohibited processing of personal information, inter alia relating to trade union membership or political opinions. Clauses 26 - 32 provided for certain exemptions. The Association recommended that appropriate provision should be made in the Bill (such as Clause 32) relating to information required in payments and customer identification systems to ensure full “know-your-client” capacity and the combating of money laundering and terrorist financing.
It was recommended that, in line with other legislation, this full-time executive be called the “Registrar of Information”, and provision be made for the appointment of an independent chairperson of the governance structure.
The Association recommended that this clause be deleted.
It was recommended that Clause 43(1)(e) be deleted as an explicit duty.
Clause 43(1)(g) required the Regulator to have taken certain actions, and to report to Parliament, on the basis of “a data subject”. It was recommended that this clause be amended by deleting the words “of a data subject” where they appeared twice.
Similarly, Sub-clauses 43(1)(i) and (l) referred to “a data subject”, which, as noted above, could be impossible to manage. It was recommended that these clauses be amended by deleting the words “of a data subject” where they appeared and replacing them with “data subjects”.
It was recommended that Clause 43(1)(n) be deleted.
It was recommended that the Clause 46(2) report adequately covered “matters investigated by the Regulator”, and that Sub-clause (1) be deleted.
It was recommended that Clause 55(3) be made “subject to Clause 56.”
It was recommended that Clause 56(7) be amended to read “…in terms of Clause (5) may be issued as an enforcement notice in terms of Clause 90 of this Act where necessary”, in order to restrict the issuing of enforcement notices to those actions requiring change.
It was recommended that the words “may lodge a complaint with the Regulator” be amended to “may lodge an objection with the Regulator…” to clearly differentiate the ab initio complaints handling processes of the Regulator from the review function where a complainant objects to the outcome or determination as a result of an original complaint to an independent adjudicator. Any complainant aggrieved on the merits of an adjudicator’s determinations should appeal to the courts as in other ombudsman schemes.
It was recommended that Sub-clauses 64(2)(b) and (c) be deleted.
The Association requested that the envisaged scope and operation of Clause 68 be discussed with the Banking Association to ensure clarity.
The Association recommended that Clause 69(a) be clearly “ring fenced” to “a data subject excluding a juristic person or private body …” The protections afforded juristic persons under the provisions of Sub-clauses (b) – (e) would still remain in effect.
Clauses 71 and 73
Clause 71(b) should therefore be deleted.
Clause 73(1) should be amended to allow the Regulator to first decide on the merits of the complaint before investigating.
Sub-clause 84(1)(b) should be deleted.
Sub-clause 88(6)(b) should be deleted.
The existing provisions for appeal processes in the Bill should be increased from 30 days to 90 days, to allow for appropriate time delays. Consideration should also be given to including a clause to allow the court to condone late submissions, if necessary.
In terms of Sub-clause 93(1)(b), it was recommended that the word “must” be replaced with “may”.
It was recommended that Sub-clause 94(1) be amended so that the cause for civil remedies should remain on the existing, well-founded law of delict (gross negligence or intent). It was recommended that the punitive damages in Sub-clause 94(3)(b) be deleted. The word “must” in Clause 94(7) should be amended to “may”.
It was important that the time periods for implementation be phased to provide for this framework to be put in place (for a period of not less than 18 months), and then a follow-on implementation (for a period of not less than 18 months). Any delays in finalising the regulatory framework would therefore not be held against the private sector implementation phase.
Mr Swart said that more information and documentation were needed about the costs of implementing the Bill.
Ms Smuts stated that there was a suggestion to re-write the clauses on the Regulator in order to give it more independence. If this was done, one of the consequential amendments would be to not allow the Minister to rewrite regulations, but to allow the Regulator to do so. She asked him to comment on this.
Mr Grobler replied that when it came to regulations, usually the state or government was responsible for drafting regulations. There were one or two statutes that required the regulations to be tabled through parliamentary processes. When it came to who should make the regulations, one needed to start with a set of regulations that would create the Regulator itself. Once the Regulator was established, the Regulator could then pass regulations dealing with the institutions that would be regulated. It was a two-phase process; the Regulator had to be created and it would then draw up implementation guidelines as a process.
Credit Bureau Association (CBA) submission
Advocate Ashina Singh said that the CBA respectfully requested that the Committee review the full application of the Bill to legal/juristic persons. They recommended that the Committee exclude juristic persons from the ambit of the Bill, alternatively, that the Committee consider partial application of the principles of information protection to juristic persons.
There appeared to be a typographical error in Clause 103(3). CBA recommended it be amended to say “Clause 56(2) does not apply to processing referred to in Clause 55, which is taking place on the date of commencement of this Act, if legislation, regulations or codes of conduct apply to such processing”.
Mr Swart asked if the CBA could submit to the Committee, in due course, specific amendments regarding the exclusion of juristic persons from the Bill.
Ms Singh said that the CBA was saying that juristic persons should be excluded from the Bill, specifically in the event that some protection should be afforded to them. She would be happy to forward some suggestions to the Committee.
Ms Prakashnee Govender, Parliamentary Officer for COSATU, stated that COSATU was concerned that the Bill had not been tabled with NEDLAC for consideration. This was a question of principle. She requested that the Committee consider submitting the Bill to NEDLAC.
COSATU voiced their unhappiness with the short time frame afforded for a submission in respect to such an important piece of legislation which dealt with the fundamental rights of its members. Given the short time frame, they were unable to consult as extensively as they wished on this issue and its implications for all of its members.
Ms Anthea Van der Berg, Parliamentary Deputy Coordinator: COSATU, briefed the Committee on amendments proposed by COSATU.
In relation to Clause 10(1)(a), COSATU was of the view that consent needed to be defined in a broader sense to include consent without coercion or duress. Employees, by virtue of the uneven power relationship which existed between employer and employee, might be required to consent to something due to fear of not receiving their salaries for instance. Consent in this instance needed further clarification and needed to ensure that the consent was not received under duress or coercion.
Individual worker consent had to take into account the protection of collective rights of workers, especially in relation to its ability to counter uneven power relations inherent in the employment contract. Accordingly such individual consent should only be obtained AFTER an employer consulted with registered trade unions. If the worker was asked to sign a statement authorising the employer or any other person or organization to collect or disclose information about the worker, the statement had to be in plain language and specific as to the person, institution or organization to be addressed, the personal data to be disclosed, the purpose for which the personal data would be collected and the period of time for which the statement would be used. It would be important to ensure that adequate information was disseminated to workers in order that they made an informed decision prior to giving their consent to the data collection. The clause therefore needed to be extended to ensure that a process of information dissemination preceded the consent from the employee.
It was on the basis of this right to privacy that COSATU raised concerns with the Bill. They pointed out the current practice being implemented in the City of Cape Town which raised concerns related to workers’ rights. The South African Municipal Workers Union (SAMWU) raised concerns about a process recently initiated in the City of Cape Town entailing the implementation of a fingerprinting system in place of the traditional “clocking” system used to measure the hours worked for remuneration purposes. SAMWU raised concerns relating to constitutionality and the invasion of their rights to privacy especially in relation to the storage and further distribution of the fingerprint data. The system was implemented without consulting SAMWU and many workers were forced to submit to the system under threat that they would not be paid.
Biometric technology made privacy violations easier and more damaging: Privacy mechanisms should be designed into these systems from the beginning, as it was difficult to fix a problem related to privacy later.
Biometric identification was often overkill for the task at hand: It was not necessary to identify a person (and to create a record of their presence at a certain place and time) if all you really wanted to know was whether they were entitled to do something or be somewhere.
Biometric system accuracy was impossible to assess before deployment: Accuracy and error rates published by biometric technology vendors were not trustworthy.
If workers were monitored they had to be informed in advance of the reasons for monitoring, the time schedule, the methods and techniques used and the data to be collected, and the employer had to minimize the intrusion on the privacy of workers. This led one to another key issue, which was what the information would be used for and the issues related to consent by individuals. Any biometric data capturing system needed to take account of individuals’ rights to privacy, accompanied by a detailed explanation of what information would be required and for what purpose. Further, it needed to be established that it was absolutely necessary.
Clause 14(2) and (3)
The retention of records and its use and purpose had to be done subject to consultations with registered trade unions through relevant collective bargaining structures. This related closely to the retention of personal information and was subject to abuse. COSATU thought it would be imperative to ensure that any personal information which was gathered was held only for the purposes for which it was initially intended and as explained to the data subject.
Clause 15
The processing of any personal data, including further dissemination, should be subject to consultation with registered trade unions through relevant collective bargaining processes.
This clause should include wording related to ‘appropriate confidentiality training should be conducted with security personnel and those operating or processing personal information of individuals’. The security of personal information of individuals needed to be prioritised by all parties acting on behalf of the employer. Trade unions should be consulted and involved in training initiatives with security personnel.
The list in Clause 21(4) should take account of illiteracy levels and language. The current list of communication was aimed at literate individuals. Communication should be inclusive in various forms and languages. The wording of Clause 21(1)(b) was confusing, as it made no sense to be taking information from a data subject who was unknown to the employer – this would speak to serious security violations. Security and the collection of information needed to be of the utmost importance. Any information which was disseminated had to be disseminated to the registered trade unions as well.
It was submitted that the list included in Clause 25(b) should include ‘medical illness or history or anything to which the data subject objects to.’ Medical illness and records were highly confidential and any information pertaining to an employee’s medical records was privileged and should not be disclosed without a confidential discussion with the employee concerned.
It was submitted that this clause was very broad and that interests of a public nature should be weighed up against the personal rights of individuals in protection of privacy of information. COSATU’s recommendation was that the Regulator may only authorise the processing of personal information after an application to court had been made. The application would set out the circumstances under which the authorisation was recommended and the court would decide on whether the circumstances justified the authorisation. COSATU recommended that this application be made via the High Court.
Recommended insertion of provision into Bill:
Given the clear guidelines provided by the International Labour Organisation (ILO), COSATU recommended that a Clause be inserted into the Bill to make the development of a Code of Good Practice, according to the ILO guidelines, mandatory in every workplace in which this Bill would find application. The Code should be developed by taking into account input from all relevant parties including employers, trade unions, employees and security personnel and other relevant parties who may have any interest in the implementation of this legislation, and specifically should be tabled for negotiation through NEDLAC.
Mr Oriani-Ambrosini said that he sympathised and shared COSATU’s concerns. However, he found it difficult to see how the concerns related to the Bill. The Bill stated how the information should be handled.
Ms Smuts asked if COSATU was opposed to the South African Police Service (SAPS) having automatic access to the fingerprint database from the Department of Home Affairs and other records in government’s possession. She thought that remarks regarding Clause 25 were well made.
Ms Govender said that she would have to find out if the Department’s information was similar to SAPS and if SAPS information could be used. It was a question of principle. There was a difference between state institutions at that level sharing information with a regulatory framework versus one employer sharing personal information with another employer. This was where the problem arose.
Mr L Landers (ANC) said that it was worrying that NEDLAC seemed to be the new Parliament of South Africa, as Members were being told that legislation should not be proceeded with unless it had been tabled with NEDLAC. He was concerned about COSATU’s amendment to Clause 34. He asked if they had thought about costs that individuals would incur when bringing matters to the attention of the Regulator. He wondered if the trade union had to be called in on every occasion when personal information was needed from employees.
Ms Govender strongly disagreed that NEDLAC was the new Parliament. A meeting was held with NEDLAC constituencies to discuss the bypassing of NEDLAC. It was agreed with the Leader of Government Business that due consideration would be given to NEDLAC. NEDLAC was also in the process of reviewing the processes of protocol in terms of tabling legislation and compelling other entities to process legislation.
Ms Govender said that COSATU would re-look at the Bill in terms of the costs. However, she thought some gaps in the clause needed to be tidied up to address some concerns.
Mr M Gungubele (ANC) said that the Bill focused on PPI of South Africans regardless of who they were. He wondered if the trade unions and labour movements would respect the individual’s right to handle his/her own personal information.
Ms Govender said that COSATU was only asking the Committee to ensure workers’ protection in the workplace.
Mr Jeffery addressed the issue of fingerprints. He asked what legislation governed this issue at the moment. He was concerned that the PPI Bill was not the correct legislation to deal with the issue, as it did not deal with labour issues even if it dealt with economic policy. He noted that COSATU had not raised the NEDLAC issue in their submission. It seemed like the matter had cropped up after BUSA mentioned it. He questioned the terms on which the Bill fitted in to the NEDLAC framework. He wondered if COSATU shared the same concern as BUSA regarding the cost of implementing the Bill.
Ms Govender argued that the legislation fitted into the framework, as it affected labour rights. Therefore, the legislation should be tabled with NEDLAC. It was not specific labour legislation but it affected certain areas in the labour sector. For example, the Immigration Bill was not a piece of Labour legislation; however, it affected work permits, migrant workers and the implementation of international labour legislation.
Ms Van der Berg said that the concerns were broader than fingerprinting issues. It was about the collection of information and the use of this information. The information could be taken for one purpose and used for another.
The Chairperson stated that there was a need to agree on the purpose and objectives of the Bill. The Committee and COSATU did not seem to have the same understanding regarding the purpose of the Bill. Perhaps, once the Department responded to the submissions, COSATU would have a better understanding of the purposes of the Bill.
Ms Van der Berg agreed that it seemed as if the Committee and COSATU were not “on the same page” regarding the collection and use of data.
The Chairperson said that there would be further engagements with COSATU concerning certain aspects of the Bill.
The meeting was adjourned.
- Supplementary submission by ODAC
- Open Democracy Advice Centre Submission
- Public Service Accountability Monitor (PSAM) Submission
- Eskom Submission
- M-net, Multichoice Submission
- Hahn & Hahn Attorneys Submission 2
- Hahn & Hahn Attorneys Submission
- Mih Internet Africa (Pty) Ltd Submission
- Woolworths Submission
- Firstrand Bank Limited Submission
- Direct Marketing Association of SA Submission
- Submission to the Parliamentary Portfolio Committee on Justice and Constitutional Affairs
- Information Attorney & Information Security Consultant Submission
- Other written submissions
- South African National Editors’ Forum (Sanef) Submission
- Protection of Personal Information Bill: An International Perspective
- National Association of Broadcasters Submission
- Mostert Opperman Incorporated Submission
- Centre for Constitutional Rights Submission
- University of the Witwatersrand Johannesburg Submission
- Association for Savings & Investment South Africa Submission
- The Banking Association of South Africa Submission
- Business Unity South Africa & Association for Savings & Investment South Africa Submission
- Credit Bureau Association Submission
- COSATU Submission
- Nelson Mandela Foundation and South African History Archive Submission