Protection of Personal Information Bill: new working draft & Technical Committee roadmap

Meeting report

Protection of Personal Information Bill: New Working Draft dated 24 February 2011, and future planning
The Chairperson noted that this meeting was being held to summarise the way forward for the Technical Committee (TC). Before receiving comments from Members, he noted that a new Working Draft of the Protection of Personal Information Bill, dated 24 February 2011, had been formulated, and he asked the drafters to outline it briefly to the Committee.

Mr Henk du Preez, State Law Advisor, Department of Justice and Constitutional Development, said that this draft incorporated amendments previously discussed, and some options. The insertions were underlined, and appeared in red, and square brackets indicated deletions. An electronic version of this would be made available to Members.

He then briefly went through the main amendments, indicating that he would not be dealing in any detail with the technical amendments.

Clause 1
Mr du Preez noted that the definitions clause would be dealt with last.

Clause 2
Mr du Preez pointed out a minor amendment to Clause 2(a)(1), to cater for the suggestion that “identifier” should be clarified.

Clause 3A
Clause 3A amendments were mostly of a technical nature.

Clause 4
Mr du Preez said that no new amendments had been included. However, this was still subject to discussions and the proposal to be given by South African National Editors’ Forum (SANEF).

Clause 4A
Mr du Preez outlined that this was the first draft on exclusion for literary and artistic purposes. He mentioned that the footnotes reflected options suggested, or areas where further discussion was needed.

Mr du Preez noted that Ms Smuts had questioned the R1 000 fine included in the old Clause 56(b). He said that the drafters also had concerns around this. It was proposed that Clause 56(b) be deleted and that a new Clause 101A should instead be included. He noted the suggestion that the fine should be, for instance, five times the amount for registration, but this was something to be discussed later.

Clause 14(1)
Mr du Preez noted that a definition of a databank, and options, had been inserted following the request by Dr Oriani-Ambrosini

Clause 25
Mr du Preez said that it might be necessary to insert a subclause (2) explaining what criminal behaviour meant. This was not defined in the UK legislation but was explained in the substantive provisions.

Clause 36AA
Mr du Preez noted that the powers, duties and functions of the Chairperson would be discussed by the Committee later, and the same applied to the powers, duties and functions of the Chief Executive Officer, in Clause 38A. The wording outlined in these clauses must not be regarded as the final proposals.

Clause 41
M du Preez noted that this was necessary to ensure that the funds of the Regulator would consist of money allocated by Parliament. This clause also dealt with fees.

Clause 43
Mr du Preez said there were some amendments, and an option regarding the reporting of matters by the Regulator. Page 35 of the draft set out when the Act would be applicable.

Clause 54
Mr du Preez highlighted the proposal from the Department of Justice and Constitutional Development (DOJ) on page 38, at sub-clause 54(2).

Clause 101A
Mr du Preez noted that this clause dealt with fees. He drew attention to subclause (4), dealing with regulations. He also drew Members’ attention to the fine proposed.

Clause 102A
Mr du Preez said that a point was raised previously that the TC perhaps should provide for a specific procedure under which the regulations should be made. This clause was the first draft to cater for that.

Discussion
The Chairperson asked that any questions by Members should be related to the process rather than the substance.

Dr M Oriani-Ambrosini (IFP) noted that this was a technical committee, sitting with a non-political agenda, and would be reporting back to the full Portfolio Committee. He thought that the options should be presented without a mention of who had proposed them.

Dr Oriani-Ambrosini said that he had asked that one of the options should be kept in, yet he did not see this included. He had suggested that instead of this Bill applying to all South Africans (with a few exceptions), it should apply only to those in respect of whom the Regulator had issued a Code. There was also the possibility of a default code being issued, regaining the universality of this Bill.

The Chairperson asked where such an option should be placed.

Dr Oriani-Ambrosini suggested that it could go under the Application clauses, and the wording would be along the lines that the Bill would apply to all persons in respect of whom a code contemplated in the relevant section had been issued.

The Chairperson said he did not recall whether this issue had been discussed specifically. At the moment, the Bill would apply to everyone residing in South Africa.

Ms M Smuts (DA) said that the suggestion was made, but she did not recall that it was agreed that it should be included as an option.

The Chairperson noted that these discussions should not focus on the substance of the Bill. Any options would be put to the full Portfolio Committee. He suggested that Dr Oriani-Ambrosini should formulate his submission to the TC, so that it could include an option when reporting to the full Portfolio Committee.

Ms Smuts responded that this TC seemed to be getting closer to concluding its work, and wondered whether it should not rather be trying to reduce the number of options. For instance, she was happy to leave out an option that she had proposed if she could reserve the right to present her arguments, and other opposition parties could also make their positions clear, during debates in the Portfolio Committee.

The Chairperson said that, in the past, Members had withdrawn suggestions that they knew were unlikely to be accepted. He agreed that the draft would need to be tightened up before being presented to the full Portfolio Committee. Some time would be spent on this. He suggested that when the TC attended to the clause-by-clause discussions, Members could indicate whether they still wished the options to be included. If there was strong feeling on inclusion of an option, then this TC must present the option to the full Portfolio Committee.

Mr du Preez said that in the past, the practice had been to include several options for clauses, sometimes with only slight differences. A note was made of who had suggested the option, so that this person could check the wording. In relation to use of foreign words, Mr du Preez also noted that there would be clarification of any foreign-language expressions in English.

The Chairperson then referred back to Dr Oriani-Ambrosini’s point about the attribution of the options. He quipped that some drafters’ options would be identifiable by their style. However, he had no strong feelings on this. Attribution would help to remind Members who had made the proposal. He agreed that the TC was acting in a non-partisan way, and suggested that it might be useful to leave the attributions when considering the options could be named at TC level, but remove the proposer’s name when the Bill was considered by the Portfolio Committee.

He suggested that the draft need not be amended by the drafters, at this stage, to include Dr Oriani-Ambrosini’s option.

The Chairperson then asked the Committee to consider the other aspects that required attention by the TC. He outlined the issues as follows:

(a) Issues around the Promotion of Access to Information Act (PAIA) and the input made by the South African Human Rights Commission (SAHRC), including possible amendments to PAIA to make the procedures less onerous. He also asked that the DOJ comment on the proposals.

(b)The other aspect linked to PAIA was the Protection of (State) Information Bill. This was still work in progress. It would be necessary to discuss any overlaps.

(c) The exclusion of the National Credit Regulator, on which he would be asking Mr du Preez to report, during this meeting

(d) A letter had been received from a Medical Aid scheme asking for a meeting with the Chairperson. He had declined this request, as he did not think it appropriate to meet separately with the scheme. He had also asked for a submission in writing, and had received a one-page letter, and another note attached to a copy of an Annual Report. The issues around medical aid schemes had been canvassed during the public hearings, and he did not think that new issues had been raised here, although new issues could be considered as they arose.

(e) The Committee would need to reflect on the meeting with SANEF and the exclusion of journalists.

(f) He pointed out that the exclusions around literary and artistic purposes had been an issue raised, and that Mr du Preez had pointed out that a draft on this was now included in the latest version of the Bill. Provisions to cater for provincial councils, the processing of bank account information and notification fees were also now included in the bill

(g) Implementation matters must be discussed.

He asked Members if there were other issues.

Ms Smuts said that although this could be included in the discussions on PAIA, it would be necessary to look at the “architecture” of the Regulator, and added that an appeal and / or review mechanism must be created. There should either be divisions, or the clause dealing with the committees should be rephrased to stress that the Regulator should set up some structure to cater for investigations.

Ms Smuts also noted that she had reviewed her own thoughts, and thought that Clause 98(b) should criminalise the creation and selling of lists.

Dr Oriani-Ambrosini apologised in advance that he was not raising this issue until the discussions had progressed quite far, but that he was hoping to improve the Bill by presenting a suggestion to adopt a different approach. The Bill said that every company would be required to have an information officer, who would be legally responsible for ensuring compliance with the Bill, would have to report on the activities of the entity, and interact with the Regulator. Some submissions that had been received noted that under the German system, provision was made for the establishment of a profession who could certify the compliance of entities with this Bill. Large companies would be able to appoint a professional in-house whereas small companies could contract in professional services. Some small companies were being relieved of the responsibility to have full audits, and this would similarly reduce their burden. He pointed out that the immigration legislation now recognised a new profession, and, along similar lines, the Regulator under this Bill should be able to issue regulations and standards for the “profession” of information data protectors, to provide continuing education, hold them accountable, and strike them off the roll for non-performance. This would also allow for good liaison in a field that was far more technical than accounting. This model worked well in Germany. The Regulator could also use this mechanism to implement changes in the infrastructure, and such a model would go far in addressing difficulties in how to implement the Bill.

Ms Smuts thought that this suggestion might not have been given in writing, but had been suggested by experts in the field.

The Chairperson asked if this system had been considered during the South African Law Reform Commission (SALRC) process.

Ms Ananda Louw, State Law Advisor, South African Law Reform Commission, said that all countries had some sort of information officer, but there was a balance required in setting the kinds of qualifications required to do the job. The German model required a lot of work to be done, and that in turn required a lot of expertise. The SALRC had deliberately opted for a model where the information officer would be more of a link between the company and Regulator, and thus did not need so much expertise. This was considered to be more appropriate at present, because there was a shortage of expertise in South Africa. In future, there was a possibility that information officers might develop into a stronger and more well-resourced profession.

Mr du Preez said that the DOJ had discussed this, and there were some concerns about the possibility of delay. He noted that the implementation of the Bill was one of the issues that needed to be discussed.

Dr Oriani-Ambrosini started to comment on the differences between the South African and German officers.

The Chairperson asked him not to take this discussion further for the moment, but said that it would be useful to have something in writing to inform the Committee when it did deal with the issue.

Ms Louw said that there was a written submission from the Government Information Centre.

Ms Smuts said that there should not be any difficulty in getting something in writing. However, she thought that the proposal was that there should be people sufficiently skilled to attend to the checking, and that was the point when the potential new industry would be involved.

Dr Oriani-Ambrosini said that once the Bill was passed, there would no doubt be a flurry of new computer programmes and services claiming to provide assistance to companies in meeting the requirements of the Bill. He took the point that the current levels of skill did not exist, but also made the point that the skills required under both the German and South African systems would be similar. It was possible either to address the issue through trial and error, or to institute a planned process, by establishing a profession under the Regulator, who could then identify the commercial products that met the requirements. He thought that careful attention must be paid to implementation.

The Chairperson said that much legislation was complex and spawned new industries of advisers, yet no other legislation made similar provisions. He cautioned against burdening the Regulator with too many responsibilities. There was already advice being given as to how to implement this.

There were two main issues. The first related to the information officers appointed under PAIA, and how to address the Bill’s requirements without adding to their functions. Linked to that would be any technical amendments to PAIA to make its implementation less onerous, including the SAHRC input and proposals for amendment.

The other issue related to Chapter 5. Ms Smuts had already identified the need to clarify the structures of the Regulator. Once there was broad agreement on the functions of the Regulator, it would be necessary to look at the architecture and appeal and review processes.

Dr Oriani-Ambrosini did not have a final view on whether PAIA implementation should be removed from the ambit of the SAHRC, although he was aware of the problems. He was worried that any replacement system might not improve the position. He wondered if the views of Ms Smuts and the Chairperson could be outlined.

The Chairperson said that the TC had not yet discussed this, so the matter was still open.

The Chairperson then asked Mr du Preez to give a report on the current position of the National Credit Regulator (NCR), which had asked that it be exempted from the provisions of the Bill.

Mr du Preez noted that when the NCR and Department of Trade and Industry (dti) first raised the matter, there were concerns about the proposed amendments to be inserted into the National Credit Act (NCA). The only outstanding concern from dti remained whether the enforcement mechanism under this Bill was comparable and equal to that under the NCA, as far as personal information was concerned. However, Mr du Preez said that this was not really relevant. The question was rather whether the enforcement mechanism covered everything that it needed to cover. He suggested that no more could be done other than to amend the NCA to ensure that the processing of personal information should be dealt with by the Regulator under this Bill. The National Credit Regulator’s substantive functions should not be affected by the proposed amendments. However, the drafters, after the discussions, had realised that their proposed amendment would need some rewording. The principle, would remain the same, that enforcement of processing of personal information must be done under this Bill. There was quite a lot of information outlining the comparisons between the NCA and this Bill, but he suggested that it was not necessary to present it at this stage. The question was whether the Directors General of DOJ and dti should continue its discussions and try to reach finality.

Dr Oriani-Ambrosini reminded the Committee that during the second meeting on this Bill he had raised this point, but had been assured by the Department that there was no problem. The regulation of credit agencies was consistent, and made sense. However, what was missing was the requirement of how to keep and process the information internally. He thought that the more specific submissions now made were superior.
He reiterated that if his option were to be adopted, that this Bill should apply only insofar as Codes had been issued, then the specific subject matter could bring that in. The same would apply to the medical aid schemes. Most medical aid schemes operated by assent (advising their customers that a course of action would be followed, unless the members opted out) rather than by consent. Most of the procedures to do with protection of information were on an opt-out basis. There would need to be a sectorial approach.

The Chairperson noted that there should not have been disagreement between departments, as this issue had come before Cabinet, but that was another matter. The issue had been under discussion between Directors General for some time. He suggested that the dti should be invited to attend a meeting and address the TC on its difficulties with the Bill, so that the Committee could deliberate on the comments and consider whether the issues were covered in the Bill. However, in the meantime the officials should continue to negotiate and if they managed to resolve the issue, then this should be reported to the Committee.

Ms Smuts thought that the issues could not be resolved.

The Chairperson added that this also impinged on the Portfolio Committee on Trade and Industry but perhaps it would not be necessary to involve them at this stage.

Ms Smuts suggested that the dti should be asked to specify its problems in writing.

Dr Oriani-Ambrosini suggested that the National Credit Regulator should be invited, rather than dti.

Mr du Preez said that DOJ had been dealing with both dti and the NCR. The last two meetings had been primarily with officials from dti, although there was previously representation from NCR. There was a long history to the matter, and when the National Credit Bill was voted through Parliament, it was already realised that the few provisions dealing with protection of personal information were likely to be of an interim nature.

The Chairperson agreed that the TC’s letter to the dti calling for comment should be copied to the NCR. He suggested that the TC first obtain the written comments and proposals, as it may not be necessary to call in the officials.

Dr Oriani-Ambrosini commented that he would prefer to have face-to-face interaction with the officials.

The Chairperson then turned to the issue of the medical aid schemes. No comment on the Bill had been made by any regulatory body in the medical aid sphere. The letter he had received did not make a substantive submission, but merely complained that the Bill would cause problems. There was a huge amount of personal information held by medical aid schemes.

Ms Louw said that there was an information cycle in all these schemes. It was impossible to take one aspect out of the cycle.

The Chairperson asked DOJ and SALRC to consider and give a response to the TC on the one-page letter from the medical aid scheme, as well as their one-page comment attached to the Annual Report.

The Chairperson then noted that the Portfolio Committee had asked the TC to reflect on the comment from SANEF, and he suggested that this could be done when the Bill was finally considered, as the issues related to the text, not to new issues.

The Chairperson then briefly discussed issues around implementation. When the Regulation and Interception of Communication and Related Matters Act (RICA) was being amended, the industry players had complained about implementation times. Although this Bill did not involve customers to the same extent, he thought that there should be further engagement with the industry, to ensure that they would be ready by the statutory deadline.

Ms Smuts said that it was unlikely that consumer problems would arise, but asked how this engagement with industry would be done.

The Chairperson noted that collective bodies had made submissions.

Ms Smuts suggested that they should be notified that the Portfolio Committee intended to pass the Bill as tabled. Industry bodies would have nothing new to add to the submissions already made. They should already have been taking steps to improve their electronic security. There was widespread invasion of personal privacy, sale of personal information was rife, and large companies were profiting from their failure to spend enough on security.

Dr Oriani-Ambrosini thought there was a link between the Press and implementation issues. Once again, he stressed that if the approach were adopted that the Bill should become applicable only when Codes were issued, then implementation problems would be lessened. Details of requirements must be spelt out before people could begin to implement. He did not think invasion of privacy was as serious in South Africa as in other countries. The sectorial approach would also solve the media’s problem, because the Regulator would probably not issue a code for the press, in recognition of the existing Press Code.

The Chairperson pointed out that it was unlikely that this approach would be followed. The proposal that he had made to consult with industry would hopefully avoid the problems apparent with RICA, and attempt to tie the industry in to agreement on an implementation date. This could be done when the TC was closer to finalising the Bill.

Discussion on South African Human Rights Commission (SALRC) issues
The Chairperson asked if Members had views on who should regulate PAIA.

Ms Smuts thought that a new Regulator should be created and that the duty to compile requests and deal with matters under Section 32, should be transferred to the Regulator. She would not have any objection to most of the SALRC’s functions being left with that body, apart from the Section 32 function. PAIA should be amended to “modernise” it, for instance Section 14, especially by providing for electronic manuals.

Dr Oriani-Ambrosini asked for clarity on enforcement and appeals. At the moment the SALRC had the function to follow up on requests under PAIA that were not being complied with.

The Chairperson reminded Members that there was a proposal that Part 5 should be amended by substituting the words ‘Human Rights Commission” with “Information Protection Regulator”, so that the monitoring function, formerly done by the SALRC, would be taken over by the Regulator.

Ms Smuts disagreed with that. She noted that the SALRC’s work also included manuals and reporting. Education and monitoring were the two main functions, with dedicated staff members, and this could be retained by SALRC. However, when faced with a mute refusal to grant information, the person wanting the information would need to approach the Public Protector. She suggested that the enforcement and appeal functions should, in terms of this Bill, be assigned to the Regulator

The Chairperson thought that Members had previously agreed that promotion should remain with the SAHRC, but that administration and information officers should report to the Regulator. He asked that the matter not be further discussed for the moment.

Mr L Landers (ANC) asked about the position of the Companies and Intellectual Property Registration Office (CIPRO), which also dealt with data. It would be necessary also to engage with CIPRO and inform it in terms that it would have to comply with the Bill.

The Chairperson said that CIPRO placed emphasis on access to information.

Ms Smuts said that much of the information in CIPRO was not correct, and the Bill required that information be kept updated and correct. CIPRO was a prime example of why this Bill was necessary.

Dr Oriani-Ambrosini added that there were also other organs of State that may not be able to comply. He reiterated that a sectorial approach would allow for the Act to be applied more effectively.

Mr du Preez said that there was another debate about whether juristic persons were included. Identity theft was rife.

The meeting was adjourned.