The Portfolio Committee on Justice and Constitutional Development continued deliberations on the Protection of Personal Information Bill [B9-2009]. It was proposed by the Committee that the Regulator should be enabled to hire people with special knowledge upfront and not on an adhoc basis. The Committee questioned why under clause 46(7) the Minister of Finance had to be consulted by the Regulator and not the Minister of Justice. The Committee decided that three members would constitute a quorum for the Regulator and that the National Assembly would monitor vacancies to ensure that they were filled at all times. The Committee was yet to decide on whether to retain clause 52 which was the notification provision. The Committee proposed that the general requirement of notification should come out however the categories listed under clause 62 would still remain. The Committee thought that it was a good idea for an acting chairperson to be elected where the current incumbent happened to be absent. The Committee was of the opinion that it would be a good idea for personal processed information relating to consumers be updated on the Regulator’s website. The Committee found the words ‘objectionable conduct’ in clause 62 problematic as it was too vague and subjective. The Committee expressed concern that such things as private investigators were not covered in the Protection of Personal Information Bill. In consideration of National Treasury’s proposed amendments, the Committee was satisfied with the words ‘binding agreement’ in clause 62(10(d). The Committee preferred that the binding agreement should be inserted in clause 77 and not 62.
In respect of clause 57, the Committee was advised to be mindful of two things; the first was that the notification requirement and the second was the prior authorisation. There was a need streamline and render the issue of notification as smooth as possible. It would have been a good idea to use technology to the advantage of the Committee. One of the purposes of notification was to let the consumers know that their information has been processed. It would be valuable to oblige the Regulator to publish on its website parties that were complying. The work for notification should be done at the level of the processing organisation itself. This would assist consumers to know who they were dealing with as well as improve security for the processing of sensitive information as well as trans-border information. Information officers had to be designated to handle information and the duties placed upon them had to be more onerous
The drafters noted options in relation to administrative fines, under clause 111, and said that they wished to clarify with the Office of the Chief State Law Advisors (OCSLA) whether the Regulator should refer prosecutions to the police service, or directly to the National Prosecuting Authority. They clarified the references to the jurisdiction of the Magistrate’s Court. A new clause 111A was intended to allow penalties to be updated for consistency, and the Committee approved the maximum fine of R10 million. It was agreed that the provisions of clause 114 be expanded to refer to incidental matters around administrative fines, and that if a responsible person elected to ignore the fine, was then prosecuted, and was found guilty, the court should be able to impose a penalty in excess of what the administrative fine would have been originally. It was indicated that it was possible that the references to fees may be excluded from the Bill, but the drafters would report back. Clause 113(4) would be further debated, as to whether the Regulator should be given the power to create crimes. It was noted that there had never been a challenge to penalties being included in regulations, in respect of clause 114. A rewording of clause 116(1) was proposed to clarify that all parties would have a year in which to comply with the Act, after it came into operation, and Members indicated that although it may be realistic to provide for extensions, it must be recognised that sufficient notice was given to allow responsible parties to put systems in place. The drafters reported back that, having considered whether the secondment of a Chief Executive Officer to the Regulator should be included in the transitional provisions, they thought it more appropriate to retain this as a main clause. The drafters then took the Committee through the Schedule, pointing out the amendments to the Promotion of Access to Information Act (PAIA), the Electronic Communications and Transactions Act (ECTA) and National Credit Act. Definitions between this Bill and those Acts were to be brought in line. It was noted that PAIA made reference to “living persons” only and this sparked debate as to whether personal data of deceased persons could be protected. Under Item 3, it was pointed out that it was intended to introduce an application for relief to the Regulator, as an alternative to the approach to the court, although the final appeal would lie to a court. Members were not sure that this was desirable, as it might burden the Regulator and cause further delay, but asked that the drafters draft some options. A new Chapter 1A to be inserted into PAIA was described, and it was confirmed, in answer to queries, that a public or private body could request the Regulator to make an assessment of another body. Members asked the drafters to report back on how the position in relation to transfer of matters from the South African Human Rights Commission to the Regulator would be handled in practice.
Members noted that National Treasury had written a follow-up letter to the Committee in relation to the amendments proposed on the previous day, and Members called for further explanation n clauses 62 and 77 which appeared to be contradictory. However, the drafters said that it was not intended that the Regulator could authorise transfer of information to countries that did not have adequate binding laws or agreements around data protection in place. One Member suggested that this might be an option, but others agreed that National Treasury should again confer with the Committee and explain what type of information must be transferred, and why binding agreements could not be made, and noted that it would be very difficult to allow recognition, in the Bill, to non-binding agreements without affecting South Africa’s adequacy rating, in view of proposed tightening of EU Regulations. It was finally noted that a new draft would be submitted by 13 August.
The Chairperson reminded the Committee that the previous days deliberations had ended with clause 46.
Ms D Smuts (DA) said that the Regulator should be enabled to hire people with special knowledge upfront and not on an adhoc basis.
The Chairperson referred to clause 46(7) and said the question there was why the Minister of Finance had to be consulted by the Regulator and not the Minister of Justice.
Ms Smuts said that this was an important part of the Bill especially in light of the Constitutional Court (CC) judgment in the Islamic Unity case where the nature of the complaint was that one could not have regulatory and investigative functions in one body. This Regulatory worked with various tools one of which was performing assessments of data processors. The task of the Committees would be to sit on matters arising from the Bill as well as the Promotion of Access to Information Act (PAIA).
The Chairperson asked the state law advisers how they would get around the CC judgment regarding the use of judges.
Mr Henk Du Preez, state law adviser from the Department of Justice and Constitutional Development (DoJ&CD) said that he was not aware of a judgment but he would dig around. There may be a problem for judges who were in active service.
Ms C Philane-Majaake (ANC) referred to clause 51(2) said that the words ‘total number of members appointed’ after ‘majority’ must be added so as to allow for at least even one member to form a quorum in order to allow for normal proceedings to continue and the business of the Regulator to not be hampered.
Mr J Jeffery (ANC) said that it would be problematic to have the proposed wording, for the sake of clarity it could be proposed that three members would constitute a quorum. It was correct that there was a lack of clarity in the provision.
Ms Philane-Majaake expressed concern that ordinary staff had to have decisions made and the current formulation might hamper this.
Mr Jeffery said that one could not have one person dishing decisions; the National Assembly (NA) had to monitor vacancies to ensure that they would be filled.
Ms Smuts referred to footnote 52 and said that it was a good idea for an acting chairperson to be elected where the current incumbent happened to be absent.
The Committee agreed.
Mr Du Preez said that part of Ms Philane-Majaake’s concerns would be addressed as there would be a CEO in the office of the Regulator.
Mr Du Preez said that the clause might fall away.
The Chairperson asked why.
Mr Jeffery answered that the clause had to do with notifications. There was going to be further proposals on the issue of notifications which may impact on the necessity of the clause. Clause 52 was an enabling provision. The drafters had to consider further where the provision that related to the CEO being the account officer had to remain in the clause or be inserted in clause 47.
Mr Jeffery said that the issue here was that although the Regulator could give exemptions given that personal information was being processed all the time. The proposal was that the general requirement of notification should come out however the categories listed under clause 62 should remain. There was also the issue of the PAIA manuals which had to be submitted to the South African Human Rights Commission (SAHRC). It was understood from the SAHRC that the manuals were at a basement somewhere and also that nobody was looking at them.
Ms Smuts said that there would no longer be a requirement for notification for the processing of information. The notification requirement should be dropped entirely in the interest of reducing red tape.
Ms Philane-Majaake said that she supported the input made by Mr Jeffery.
Mr Mark Heyink, Director at Information Governance Consulting (IGC) said that the Committee had to be mindful of two things; the first was that the notification requirement and the second was the prior authorisation. There was a need streamline and render the issue of notification as smooth as possible. It would have been a good idea to use technology to the advantage of the Committee. One of the purposes of notification was to let the consumers know that their information has been processed. It would be valuable to oblige the Regulator to publish on its website parties that were complying. The work for notification should be done at the level of the processing organisation itself. This would assist consumers to know who they were dealing with as well as improve security for the processing of sensitive information as well as trans-border information. Information officers had to be designated to handle information and the duties placed upon them had to be more onerous.
Mr Jeffery said that he was not sure with the suggestion made by Mr Heyink. The addition requirements for Information Officers were a good. The other proposals for the processing of personal information for consumers were not clear. If an entity had a website then there was a requirement that the manual had to be on its website and updated.
Mr Heyink said that he was proposing that information being processed by an entity could be easily updated on a website controlled by the Regulator. This would be the notification element for consumers, there may well be manuals but they should not be part of the Regulator at all. Such manuals could be requested from the organisations themselves. The notification was important so as to allow the consumer to know who they were dealing with where there was the processing of personal information. There was a need to establish what measures were necessary for securing information. The notification was necessary to allow the Regulator to determine any prior authorisations.
Ms Louw said that the position in the EU was that notification has been replaced by the impact assessment and prior authorisation. The idea was to move away from the notification. Using new technologies would improve things. The Regulator in the Bill may undertake own initiated impact assessments. The question was did the Committee want to do away with notification completely or retain it using the new technologies.
Mr Jeffery referred to Mr Heyink’s proposals and said that the information he was requesting to be made available via the Regulator’s website was viable as it would be easier to administer. This would mean that Notification under Part A would go, the provisions in clause 58 would be inserted in the PAIA provisions on the manual, the provisions on the Information Officer should be beefed up a bit and there would now be a responsibility on them to update the manuals. A member of the public that wanted a copy of the manual would be required to pay a fee for them.
Mr Heyink said that parties should be entitled to notify the Regulator if they chose to do so without necessarily requesting prior authorisation for processing special information. This was because there was a trend around the world that the compliance for privacy regulations was fast becoming a competitive advantage for commercial entities.
Dr Francis Cronje, Adjudicator for the Wireless Application Service Provider’s Association (WASPA) and Internet Service Provider’s Association of South Africa (ISPA) said that he agreed with Mr Heyink that it was important to outline the responsibilities of the Information Officer for purposes of notifying the Regulator. This could be done in terms of clause 55.
Mr Jeffery said that he was not sure what clause 62(1)(b) was about.
Ms Louw said that the clause would be an example such as the South African Fraud Prevention Services (SAFPS) which was a private entity that profiled everybody.
Mr Jeffery said that he had problems with the ‘objectionable conduct’ in the clause; it was too vague and subjective.
Ms Schäfer said that she was worried because it seemed that such things as private investigators were not covered in the Bill.
Ms Louw said that this clause provided exactly for the kind of grey areas that Ms Schäfer was referring to. The Committee had to give the drafters an opportunity to tighten the clause.
Mr Du Preez said that the net had to be cast wide.
Mr Jeffery said that there were things that affected privacy but the Bill was not the place to clamp down on them.
The Chairperson moved on to clause 62(1)(d) and asked if the Committee had any views on Treasury’s amendments.
Mr Jeffery said that Treasury was happy with the words ‘binding agreement’. The issue of a memorandum of understanding was separate and if it was not then Treasury had to find some other device to ensure privacy protection.
Ms Schäfer said that she did not see any justification for doing away with this provision that provided for the safety of information belonging to South Africans, particularly children.
Mr Jeffery said that clause 62 had a list of things for which notification was a requirement. Clause 77 was on how one transferred, one of the requirements was that if a country did not have adequate safeguards then there had to be a binding agreement. It would be preferable if the binding agreement aspect was inserted in clause 77 and not 62.
Mr Sisa Makabani, state law adviser referred to clause 62(1)(a) and said that the clause did not make sense, how would the Regulator be satisfied if he/she did not receive the prior authorisation.
Mr Jeffery said that he could understand Mr Makabani’s point.
Mr Du Preez said that it would be better if the words “unless the Regulator is satisfied that, in the circumstances of the case” were omitted.
The Committee agreed.
Mr Du Preez referred to clause 74(2) and said that after the words ‘a responsible party’, the words “whether that responsible party intends to market different products or services or not” should be inserted.
The Committee agreed.
The Chairperson outlined a scenario whereby a company used multiple methods of communication such as sms or postal mail.
Mr Du Preez said that this was something that could be addressed in the Bill.
Ms Louw said that a company sending communication messages to a data subject had to provide means of opting out for the data subject.
The Chairperson said that the Committee should go through the provisions dealing with offences and penalties for homework.
Mr Du Preez said that the administrative fines had not been dealt with.
Mr Heyink said that it was not provided in the penalties for when an Information Officer did not carry out an assessment, could the drafters research this topic further.
The Chairperson agreed and said that the drafters should provide something in detail. The Committee would complete the remaining clauses as well as the Schedule after lunch.
The Committee paused for the lunch break.
Mr du Preez noted footnote 111, which related to the proposal to delete clause 111. In relation to the administrative fines, there was a further option on page 62. He said that it may be necessary to amend the heading to the chapter.
Mr du Preez said that the drafters had held an informal discussion with Mr Sisa Makabeni from the Office of the Chief State Law Advisor, in relation to the administrative fine provision. This provision was drawn from similar provisions in the Firearms Control Act. However, that Act was administered by the South African Police Services (SAPS), which had its own administrative bodies. In this Bill, if the responsible party opted not to pay the fine and this led to prosecution, the Regulator must had over all documentation to the National Prosecuting Authority (NPA). The Office of the State Law Advisor would need to advise whether it was appropriate for the Regulator to handle the docket directly to the NPA, or if the Regulator must first report the alleged crime to SAPS. In practice, all investigations would already have been done by the Regulator. He would report back on this.
Mr Jeffery agreed that the drafters should be mandated to discuss this with Mr Makabeni and draft the appropriate provision.
Ms Schäfer raised a concern with changing the jurisdiction of the Magistrate's Court in a piece of legislation, noting that this was apparently shared by the Technical Committee.
Mr du Preez said that he had highlighted only a few pieces of legislation, but there were actually 113 pieces of legislation in which this jurisdiction was extended. In answer to her further question why it was then necessary to deal with jurisdiction in the Magistrate’s Court Act, he noted that the main reason had been to indicate to the prosecuting authority where the criminal cases should be tried. There was not a large difference in jurisdiction between the Regional and High Court, and the Regional Court could try all offences other than high treason. When statutory offences and large penalties were being created, the tendency now was to specify that they should be tried in the Magistrate's Court, to avoid flooding the High Court.
Ms Schäfer asked if the offences were minor in nature. She also had concerns about flooding the Magistrate's Court.
Mr Jeffery noted that the offences did not attract high sentences.
Mr du Preez said that the jurisdiction was up to fifteen years imprisonment.
New Clause 111A
Mr du Preez read out the proposals for change, as set out on page 62. The option was to allow the penalties to remain consistent. He asked if the Committee was satisfied on the principle, and the wording.
Mr Jeffery and Ms Schäfer agreed that it made sense to include what was currently in the option, to allow fines to be adjusted in line with the Consumer Price Index (CPI).
The Chairperson commented that the fine of R10 million was appropriate.
Mr du Preez said that the intention was that if the Act was implemented, with a fine of R10 million, and the Minister decided to change the fine, the Minister would determine the CPI for the previous 12 months and multiply that by four.
Members agreed that this was acceptable.
Mr Sisa Makabeni, State Law Advisor, Office of the Chief State Law Advisor, proposed that wording might be needed under this clause to allow the Regulator to make regulations for the manner of administration of the administrative fines, to ensure procedural fairness.
Mr Jeffery said that because the administration fines were voluntary, a responsible party who felt that it had not been given sufficient chance to exercise its rights could refuse to pay and allow the matter to go to court. This was similar to the situation of the Public Protector and South African Human Rights Commission (SAHRC), where although, technically speaking, there might not be full adherence to procedural fairness in arriving at a decision, this was not really an issue because the findings had little substantive effect. For instance, the Public Protector P could not order that a contract be terminated – although she could recommend this it should be done by the civil court. The idea was to provide for a quick procedure and the benefit for the responsible party was to have the matter finalised. If the responsible party felt that there was mismanagement of the matter, it should refuse to pay and air these concerns to the court.
Mr Makabeni said that his concern was that there could be issues around administering the administrative fines, and that the Regulator may wish to make regulations around that process. It could be that in-house rules be made. It was not clear how subclauses (4) and (5) would work.
Mr Jeffery said that clause 114 empowered the Regulator, and it was possible to include something referring to incidental matters around administrative fines. However, he would be reluctant to specify it to the extent suggested by Mr Makabeni.
Ms Schäfer thought that this would be covered by the Promotion of Administrative Justice Act (PAJA) in any event. She did not think it necessary that it be legislated, as fair process must apply.
The Chairperson said that whilst PAJA was in existence, it was often infringed.
Ms Schäfer said that that was no reason to make a new law.
Mr du Preez reminded the Committee of a point raised earlier that the administrative penalty was stated as a maximum of R10 million, yet a person electing to be prosecuted could only be jailed for 12 months. For this reason, it was more than likely that every responsible person facing a fine would simply opt to be prosecuted. He had earlier made a proposal that a provision be included that if a responsible person elected to ignore the fine, was then prosecuted, and was found guilty, the court should be able to impose a penalty in excess of what the administrative fine would have been originally, to address the concerns.
Members noted this point.
Mr du Preez said that the drafters may change the order of the clauses in Chapter 12.
Clauses 112 and 113
Mr du Preez said he did not have much to report, but it was possible that there might be exclusion of the fees portion from the Bill.
Mr Jeffery thought that the Committee was in favour of doing away with the notification requirements. The fees clause was an enabling clause. However, other clauses also provided for fees, as the data subject had the right to request the record “at a prescribed fee”. If Part B of the notification clause was to be deleted, it was possible to charge a fee for the prior authorisation, in terms of clause 62.
Ms Smuts asked about the term “annual administration fee”.
Mr du Preez said he could not recall the precise reason why this term had been used, but said that this had been discussed at the Technical Committee.
Mr Jeffery also could not recall the reason behind this. Although it was possible that the clause 113(1)(b) fees may be charged elsewhere, this was to be an enabling provision to allow the Minister, after request, to impose an annual fee, but only after the first three years of implementation of the Act,. It was possible that this was similar to what applied in Britain, but it would only be applicable to the larger processes.
Mr du Preez promised to report back on exactly why the terminology was used.
Mr Jeffery referred to clause 113(4), pointing out that this was a penalty, although it was not referred to in the penalty section, although it was self-contained.
Mr du Preez said that the offence and penalty would be prescribed in terms of the regulations made under subclause 113(1)(a). He said that the Committee should consider whether it was appropriate to provide the Regulator with those powers. He thought this point should be discussed with the Office of the Chief State Law Advisor (OCSLA). The independent Regulator was being given the power to create crimes.
The Chairperson thought that, as a matter of principle, it was wrong.
Mr du Preez asked if the Committee wanted the sub-clause to be omitted.
Members asked him to leave it in for the moment, and to report back at the next meeting.
Mr du Preez said that the current proposal was that the Minister make regulations on the establishment of the Regulator and fees in clause 113, whilst, in respect of all other matters, the Regulator must make regulations, as set out in subclause (2).
Ms Schäfer asked if the question of penalties as part of regulations had ever been challenged before a court.
Mr du Preez said that, as far as he was aware, delegated legislation had not been challenged.
The Chairperson noted that this was a more specific, relating to regulations that made penalties.
Mr du Preez said that this was done frequently, and again he was not aware that this had ever been challenged.
Mr du Preez noted the point made earlier by Mr Jeffery, to put in a provision around administrative fines into clause 114. He would draft something and revert to the Committee.
Mr du Preez noted that this clause related to the procedure to be followed by both the Minister and Regulator
Mr du Preez asked the Committee to consider re-wording of subclause (1). Presently, it read that if any processing had already commenced when the Act came into force, it must, within one year, be made to conform. However, there had been concerns about the interpretation. For this reason, he proposed new wording, to read as follows: “All processing of personal information must, within one year after the commencement of this section, be made to conform to this Act...” (the rest of the clause to continue in regard to notification to the Regulator under clause 17(1))
Ms Smuts noted that Business Unity South Africa (BUSA) had raised concerns on this clause, and asked Mr Heyink to summarise them.
Mr Heyink summarised that the concern of BUSA was that the current wording could be interpreted to mean that information that was processed, at the time that the Act commenced, must conform within one year. However, any processing commenced after that date must be made to comply with the Act immediately. This would create two separate information systems. His own understanding was that there would be a year within which parties would be allowed to comply with the Act, regardless of when the processing commenced, because they may still be awaiting data, for instance, from data subjects. However, on termination of the transitional period, all processing would then have to comply in all respects. BUSA's interpretation was slightly different to his own. However, he suggested that the wording now proposed by Mr du Preez would take care of that problem.
Ms Louw clarified that the original wording referred to “processing which is taking place”. The reference to “processing which has already commenced” implied something that was not necessarily still in the process. The new wording now suggested by Mr du Preez made the position more clear. The drafters had looked at the position of those who had started drafting a code of conduct. She emphasised that everyone would, in terms of the wording just proposed, have a year to ensure compliance.
The Chairperson suggested that the words “processing which had commenced before the date on which this Act comes into force” because “has already commenced” was problematic.
Ms Smuts suggested that it was not necessary to attempt to alter the original wording, as the new formulation just set out by Mr du Preez was even more straightforward. She asked why there was a reference to “this section” and not “this Act”.
Mr du Preez said that this was because the implementation dates may be staggered.
Ms Smuts said that there had been pleas that processors should not be forced to comply within a year. Some had even felt that the Act would not be passed. However, she had little sympathy for this view, as processors had been aware of the pending legislation for the last eleven years, and in any event should have been trying to set up systems that were secure and that ensured no abuse. The DA was not sympathetic to pleas for extension of the periods.
The Chairperson reminded the Committee that similar objections had been raised in relation to the legislation regulating interception of communications (RICA) and agreed that the Committee should not be overly sympathetic to requests for extension. The main reason why service providers were concerned was because of the effect on their profits, and they were really not concerned with the information.
Mr Peter Hill, Director, IT Governance Network, agreed and said that the abuse of data would continue until it was stopped by legislation. He emphasised that the King III report said that governance should be a win-win system.
The Chairperson noted that he was not entirely happy with subclause (2).
Mr Jeffery reminded the Committee that in respect of RICA there had been two requests for extension and it was necessary to adopt a realistic stance. No submissions had been made claiming that any specific time period was needed to comply, and he agreed that sufficient notification had been given, as this had been under discussion since 2009. However, he thought that perhaps the Bill should make provision for extension of time, but the precise period must be flagged for further debate.
Ms Schäfer referred to discussions on the previous day on whether the secondment of a Chief Executive Officer should be included under the transitional arrangements and therefore in this clause.
Mr du Preez thought that since the secondment was of a temporary nature, but it was a substantive provision directly related to the whole establishment of the office of the Regulator. For that reason, he thought it should remain in the main body of the Act.
Mr du Preez said that strictly necessary subclause (2) was not necessary as it was covered by the Interpretation Act.
The Chairperson suggested that there was no harm in leaving it in, for guidance of some presiding officers.
Mr du Preez said that item 1 related to the amendment of section 1 of the Promotion of Access to Information Ac (PAIA). He started to read out the amendment of the definition of “personal information” to confer clarify on the online identifier, in line with the definition in this Bill. He reminded Members that it was intended that definitions in this Bill and PAIA be brought in line.
Mr Jeffery said that it was surely easier to short-circuit the process and merely ensure that the definition in the schedule for PAIA was copied from page 8 of the Bill.
Mr du Preez thought that it would be even easier if, instead of setting out a new definition for PAIA at all, it could simply be deleted and instead reference made to the definition in the Bill.
Mr Jeffery said that there were still two separate Acts. On the previous day he had raised a similar question, and the Committee had decide that it would be clearer to repeat the wording, rather than merely cross-reference to another Act. He said that the definition as set out in the Bill could be cut and pasted, in place of attempting to leave out some words from the PAIA definition and replace others.
Ms Louw said that this was not really possible, because the definitions, whilst very close, did not match exactly. For instance, the Bill referred only to “living persons” whereas PAIA did not contain any reference to “living” only. For this reason, it could be problematic merely to do a cut and past.
Mr Jeffery accepted that, but said that where possible the definitions should mirror each other.
The Chairperson raised a query why “living persons” only were mentioned, saying that he would be troubled if someone attempted to process, for instance, the information of his late mother.
Mr du Preez said the right to privacy was an individual right, which only the person affected would exercise. A person would institute proceedings in his own name only.
Ms Louw said that when the matter first came to the South African Law Reform Commission, Professor Neethling was adamant on the fact that a deceased person's information should not be included. She could provide the Committee with a memorandum.
The Chairperson was adamant that processing of information of a deceased person was incorrect, unless permission had been obtained from the immediate family of the deceased.
Mr Jeffery suggested that a “data subject” could be defined as “a person, living or dead”. However, he made the point that the Bill of Rights only applied to living persons.
Ms C Pilane-Majaka (ANC) said that if the debate was to be taken further, consideration would also need to be given to which generation of relatives could enforce rights.
Mr du Preez moved on to page 67. He noted that the intention was to take out the provisions dealing with access to information by a personal requestor and include that in the Bill, but then, under the conditions, to state that grounds for refusal under PAIA would still apply to access for a request for personal information (as set out under item 2).
Item 3 dealt with consequential amendments, because the Committee had proposed that the powers under PAIA be extended. For instance, section 21 specified when internal appeals must be lodged and there was reference to court cases. At the moment, PAIA stated that a person whose request wanting information must apply firstly to the public body’s Information Officer. If that request was refused, or the requestor was not satisfied, the requestor must launch an internal appeal to the relevant authority of the public body, who would, for instance, be the Minister of a national Department. If the requestor was still not satisfied after that process, s/he may approach a court for relief. Currently, in relation to private bodies, an approach to the court was possible after the head of the private body had refused.
The position would change when the proposals set out in the schedule were implemented. In relation to public bodies, a requestor would be given an option, if dissatisfied with the response of the Information Officer, either to approach the court directly, or to approach the Information Regulator, for appropriate relief. Should the latter option be followed, and satisfaction not be obtained, the requestor could then still approach the court. A similar choice would apply in respect of private bodies
Mr Jeffery was concerned that this might over-burden the Regulator. If the choice was provided prior to the internal appeal process for public bodies, and no internal appeal was allowed, then this would certainly increase the matters referred to the Regulator. However, if it was specified that the internal appeal process to the Minister first must be followed, within the specified time, this would probably reduce the number of matters ending up with the Regulator.
Ms Smuts said that past experiences was that many departments were not willing to provide information and in fact the Chairperson had previously related that that an instruction had gone out to some government departments routinely to turn down every application for a request for information. She therefore thought that all three avenues must be made available.
Mr Jeffery asked what, in that case, would be the point of having the internal appeal procedure. At the moment, he thought that many internal appeals succeeded, but if an option to approach the Regulator was provided at this point, most requestors would take that option. He was not aware of instructions that every request under PAIA be refused. He suggested that the Regulator should rather be one of the choices at the very last stage, prior to the court.
Ms Smuts suggested that this could be considered and optional wording provided.
Mr du Preez said that one of the concerns was an application to the Regulator built in at this stage would effectively extend the route to be followed by those requesting access to information held by a public body, by an extra stage, in comparison to a request from a private body, and that would mean an extra hurdle before a final decision could be reached.
Members noted this but asked the drafters to come up with two options.
Mr du Preez drew attention to pages 68 to 71 but did not need to go into detail.
Mr du Preez then noted that the proposed new Chapter 1A to be inserted into PAIA mimicked the provisions of enforcement of the Regulator in the Bill, but suggested that it was not necessary for him to read through everything.
A proposed new section 77A was to be inserted into PAIA, as the complaints provision, whilst 77B provided for the methods of complaint in writing, and noted that the Regulator had the obligation to assist if there were problems for the complainant in transforming the complaint into writing. A new section 77C set out what the Regulator was allowed to do, and there was reference to the Enforcement Committee in 77C(1)(b). The new section 77D set out that the Regulator may decide to take no action. The investigation proceedings were set out in the new sections 77E, 77F and 77G. Assessment procedures were set out in the new section 77H. Mr du Preez said that he had no problem with the head of a public body requesting the Regulator to make an assessment, but did have some concerns should another person be able to request an assessment of a public body.
Ms Smuts disagreed and said that if answers were not received, citizens should be allowed to put this request for assessment. She noted that anybody could approach the Public Protector or the SAHRC, and the same principle should apply here. It would soon become apparent if the request was frivolous or vexatious. The Regulator would be able to undertake an assessment on its own in any event.
Mr du Preez asked if it was also assumed that then a public body could also request an assessment of a private body
The Chairperson said that this was assumed, and he saw nothing wrong with this.
Ms Smuts made the point that the citizen’s right of access to information in the hands of the state was unqualified, but the right to access information in the hands of a private body could be supported only in respect of the requestor’s own information, which was much narrower. The public body requesting assessment of a private body would probably have to demonstrate that it had a comparable interest, and it would be very difficult for a public body to demonstrate a fundamental human right.
Mr du Preez moved on to the new section 77I, in terms of which a recommendation was made to the Information Officer to relinquish the information. Another option was provided for an enforcement notice, and non-compliance with an enforcement notice would lead to consequences.
The Chairperson asked if an e-mail was regarded as something “in writing”. Mr du Preez confirmed that it was covered.
Mr Heyink said that one of the issues related to the possibility of the Minister exempting a body from having to provide a manual. He wondered if that reference, in section 51 of PAIA, needed to be amended so that in future it would be the Regulator who would provide the exemption.
Mr du Preez responded that the Committee had debated the possible conflict in the power to regulate that morning. The Minister had the power to make regulations under PAIA, and the Information Regulator had the power to make most of the regulations under this Bill. Since there was not a link between sections 14 and 51 manuals, and the delivery of the notification requirement, there was no longer a potential conflict. That had been pointed out in one of the notes. He would, however, be checking all the consequential amendments when he was preparing the final draft for the Committee.
Mr Jeffery thought that perhaps something relating to the PAIA manuals should be placed in the Schedule to the Bill, in order to state what should be included in the PAIA manuals, the fact that a hard copy of the manuals no longer needed to be submitted in future to the Regulator, as long as a hard copy was available, and that the manual should, where applicable, be put up on the website of the public body.
Mr du Preez responded that when the amendments to sections 14 and 51 came into operation, the Minister would need to ensure that the regulations under PAIA were brought in line.
Mr Jeffery noted that different clauses of this Bill would come into effect at different times. He wondered if the whole of the Schedule ( as referred to in clause 112) should be put into effect at the same time, or if the provisions on the PAIA manuals should be put into effect earlier, and how this would work in practice. It would be of benefit to deal with the question of the manuals sooner rather than later, assuming that the Regulator was in place. He also wondered if there might need to be a transitional provision to state how matters in the course of being handled by the SAHRC would be dealt with when the Bill was put into force.
Although in practice the SAHRC had not been able to do much with PAIA matters, it nonetheless seemed strange that its powers and duties should cease immediately. The changes that affected the replacement of references to the SAHRC with references to the Regulator might need some further elaboration.
Mr du Preez noted this and would revert to the Committee on this point.
He added that the first portion of the legislation that should be put into effect was the establishment of the Information Regulator, and there would need to be coordination between Parliament and the Minister. The Minister would probably ask the Speaker to indicate the process.
Ms Smuts said that appointments would probably be done by an ad hoc Committee, or this Committee.
The Chairperson confirmed that the Minister of Justice would normally deal with that matter.
Mr du Preez then went on to elaborate the changes, in the Schedule, to the Electronic Communications and Transaction Act (ECTA), from page 80. He quipped that it was interesting here to see there had simply been a deletion of the old definitions from the ECTA and a straight replacement with those from the Bill. However, he also drew attention to the fact that a person deceased for 20 years was excluded.
Ms Smuts suggested that this was probably copying the UN model law.
Ms Louw said that the definitions in the ECTA and PAIA had been largely the same, as they were drafted in the same year, but reiterated that the definition in PAIA made specific reference to “living persons”. Act and PAIA were the same, except that the definition in PAIA included living persons.
Mr du Preez said that he had been thinking about the point but was still concerned about the basis of responsibility, and said that the right to privacy was an individual right attaching only to that individual. Other remedies could be available, such as crimen iniuria, in respect of other people.
Ms Smuts thought that information of deceased persons should be protected, even though other remedies might apply
Mr du Preez said that concerns could be limited to specific conditions.
Mr Hill gave the example that it would be undesirable to allow, for instance, of details of people killed in accidents being released, prior to their family being notified.
Mr du Preez thought that perhaps a bold stance should be taken.
Ms Smuts made an inaudible comment around the twenty year period.
Mr du Preez moved on, pointing out the changes effected in the Schedule to the National Credit Act.
Other issues: Clauses 62 and 77 and “binding” agreements
Mr Jeffery noted that he had received an e-mail from Mr Ismael Momoniat, Deputy Director General, National Treasury, relating to the presentation on the previous day on the amendments that National Treasury had requested. He thanked the Committee for listening to the comment, and summarised the motivation that had been given in respect of the Financial Services Board international obligations to the Securities and Insurance bodies. He had reiterated that the problem was that many of the neighbouring countries had Memorandums of Understanding (MOUs) that National Treasury accepted were not binding. However, Mr Jeffery said that this itself was of concern. If the MOUs were not binding, this raised a question about the validity of the safeguards that were set out in those documents.
Mr Jeffery raised a question around the provision of primary notification as contained in clause 62. This stated that, in relation to certain particularly sensitive information, the responsible party must obtain permission from the Information Regulator if it wanted to transfer that information to a country that did not have binding corporate rules or provisions, that would essentially be in line with the EU Directives. However, clause 77 stated that a responsible person “may not transfer” information, unless binding corporate rules and binding agreements were in place. He thought that the two clauses were in contradiction with each other, since clause 77 seemed to impose an outright ban on transferring information to countries who lacked adequate protection or legislation, whilst clause 62 required a notification to the Regulator prior to transfer. He thought that a possible solution was to follow the route of clause 62 and leave the decision up to the Regulator, in the case of a transfer to a country without binding rules, whereas if the country did have binding rules, it would simply be possible to transfer information in terms of clause 77. He said that clause 77, as it was currently worded, seemed very onerous and wondered if it was excluding a number of other countries in Africa.
The Chairperson asked how this would affect obligations in terms of the EU countries.
Ms Smuts wondered if the exceptions did not cover all the parties.
Ms Louw said that, during discussions with the National Treasury, she had asked why it was not possible for those countries that had non-binding MOUs to enter into binding agreements, and this had not been addressed. Clause 77 dealt with the adequacy rating requirements, and clause 62 had attempted to deal with the Regulator’s position. It was not correct to assume that clause 62 was saying that information could not be transferred. However, there had, since those clauses were drafted, been some further developments. The EU Directive requirements were set out in clause 77, and in most instances, the Regulator would not become involved in transfers between countries with an adequacy rating, and the responsible party would, in practice, take the decision as to whether a transfer of information would be correct. The responsible party would either establish that the receiving country had adequate data protection laws or would take the initiative to have contractual obligations imposed on that country. Clause 62 was simply saying that in cases involving the exchange of particularly sensitive information, the Regulator must be informed, and must give authorisation. Even if clause 62 were to be removed, it would still be necessary to comply with clause 77.
The Chairperson said that Mr Momoniat had raised the question of binding agreements, and it was possible that this Committee suggest that wherever there were non-binding MOUs, the parties must reach binding agreements instead.
Ms Pilane-Majaka said that it would be difficult to entertain bilateral agreements, and it was possible that National Treasury may have already entered into agreements to cater for the present position. However, she urged that the Regional Protocols should be followed, which would make it easier to deal with these issues. It was also possible that not only National Treasury, but also other departments had MOUs, and she wondered to what extent South Africa was complying with protocols to which it was already committed.
Ms Schäfer asked what kind of MOUs would be affected by exchange of personal information with another country. She would be worried if her personal information was to be exchanged with another country that did not have adequate safeguards in place. She did not understand how this Bill affected trade relations with other African countries, and, if it did, she thought that the countries must be encouraged to put proper legislation in place.
Mr Jeffery still saw clause 62 as implying that the information could be sent if permission was obtained from the Regulator. There may be personal information exchanged between various country-offices of multi-national companies. He cautioned that it may not be a simple process to change non-binding agreements into statues.
Ms Louw said that at the moment, Article 42(5) of the EU Draft Regulation said that where appropriate safeguards were not contained in a legally binding document, transitional arrangements could be in another document. At the moment, a contract must be drawn, in terms of which the party showed the intention to protect personal information properly, but this would change, following discussions of the Data Protection Working Party and EU Supervisors. The binding nature of an agreement was important. Since it was being proposed that Article 42(5) be deleted, this would definitely impact upon the adequacy rating if South Africa were to include non binding agreements, as proposed by National Treasury, and so she was not sure that it would be advisable to accede to their proposal.
Mr Jeffery made the point that whilst it was easier for the EU countries to “pull rank” through their size, it was not so easy for South Africa. He thought that there was a need for further discussion and suggested that Mr Momoniat be asked to speak to the Committee.
The Chairperson said that the concern of possible abuse remained, in relation to both public and private bodies. He thought that the MOUs that National Treasury had were not sufficient to ensure confidence in other countries.
Mr Jeffery said that the proposal from National Treasury also had not specified what type of information would be included, although there was some reference to conduct of directors and senior staff of companies. He was not sure if the Regulator could control the type of information transmitted.
The Chairperson still had concerns, and felt that National Treasury must explain why it would not be possible to enter binding agreements.
Ms Louw thought it was probably not necessary to change the MOUs themselves, but stressed that a new and binding contract should be drawn with the receiving country.
The Chairperson said that even if this was the case, he would like National Treasury to engage actively with those countries and start the process. Because it was proposed that strict restrictions be imposed on South Africa’s own public bodies, it made little sense not to impose similar restrictions on those in other countries.
Mr Jeffery said that this was why he preferred that the Regulator monitor the position. If a foreign country wanted to transfer information on staff based in South Africa, this could be done without sending through an entire databank. He agreed that further engagement was needed with National Treasury.
The Chairperson noted that many outstanding matters had been flagged, and asked when a new draft could be brought.
Mr du Preez said that a document would be submitted by no later than 13 August, and he could present it on the following day.
The meeting was adjourned.
No related documents
- We don't have attendance info for this committee meeting