Protection of Personal Information Bill: Departmental and Public representations

NCOP Security and Justice

22 May 2013
Chairperson: Mr T Mofokeng (ANC, Free State)
Share this page:

Meeting Summary

The Committee continued with its deliberations on the Protection of Personal Information Bill, firstly receiving submissions from the Council for Medical Schemes, who proposed four amendments. It felt that the requirement, in clause 11, that each data subject should give consent for the disclosure of information could lead to delays in treatment. There were inconsistencies with the definition of children, as they could already undergo certain procedures without parental consent. It also suggested that a contract with a member should be cancelled or suspended if a member subsequently withdrew consent. It suggested that the proposed period of one year for medical schemes to implement the legislation was too short. The Department of Justice and Constitutional Development (the Department) responded to the specific concerns, noting that the Bill had been carefully drafted to capture all concerns. There were different ages of consent specified in different Acts of Parliament. The Department felt that there were enough areas in the Bill to cover all the potential difficulties raised by the Council. Members expressed opinions that the Council was acting in the interests of the medical schemes, and felt that the Council was not exercising sufficient oversight over the policies of the medical schemes.

Legal advisers from the Department then briefed the Committee on the content of the Bill. The implementation would bring South Africa into line with international best practice, as there was no current legislation on privacy. An Information Regulator would be established to oversee the implementation of the Bill and the Promotion of Access to Information Act. There would also be reliance on Codes of Conduct, approved by the Regulator for the various sectors, which would be legally enforceable. It was stressed that the Bill would act as framework legislation, with a number of exemptions and exceptions contained in its provisions, and that specific regulations and rulings would back up the framework. It was stressed that the work of the Regulator would be driven by complaints, but it would also be important to oversee systems to ensure smooth operation across the sectors. The Regulator would facilitate adjudication and mediation, but there were provisions for administrative penalties being imposed, and both criminal and civil actions would be possible. It was stressed that the country needed to make adequate provision for the safeguarding of personal information, especially when such information was transmitted across borders.

A debate followed on exchange of information, between representatives of the Department, National Treasury, the Financial Services Board and the Council. Both the Council and the Board argued that they needed freer access to personal information in the course of their daily activities of assessing the conduct of people in the financial sector. The Financial Services Board had already requested, several times, amendments to the legislation, and it was noted that although the Department had subsequently agreed that clause 72 be amended (with the amendments being presented later), it still believed that there was no necessity to amend clause 36, and both the Department and Office of the Chief State Law Adviser maintained that there was nothing in that clause that would prevent the FSB from carrying out it operations. The Department noted that provisions in existing legislation and in the exemptions in the Bill itself would satisfy the needs expressed by the Board and the Council. International examples were quoted where bodies similar to the Board complied with the privacy laws in their countries. Members complained that on these points, they felt they were not adequately briefed by Parliamentary legal advisers.

The Department presented a list of further amendments to the Bill, many of which were of a technical nature. The Department, in response to a request from the CMS that it be allowed to give a further written submission, indicated that the Bill had been subject to Parliamentary processes since 2009 already, but was informed by the Committee that the Committee would decide on the point. The Committee instructed the Department to prepare the amendments, as outlined, but also urged it to meet with the Financial Services Board again to attempt to resolve the outstanding issues, failing which the Committee would make a decision on the final wording.
 

Meeting report

Protection of Personal Information Bill: Public representation
Council for Medical Schemes (CMS) submission

Mr Milford Chuene, Legal Advisor, Council for Medical Schemes, said that the Council for Medical Schemes (CMS or the Council) was not totally opposed to the Protection of Personal Information (POPI) Bill, but did wish to bring some points to the Committee's attention. Much of health care dealt with personal information. For a flow of funds beneficial to a beneficiary it was necessary to have a flow of information. The CMS felt that the POPI Bill was important, and had established a task team to consider it. He highlighted some of the definitions.

Mr Chuene said that his first proposal dealt with clause 11. The proposal was that the scope of those who could authorise the passing of information should be broadened. If the dependents of a member of a medical scheme were registered as beneficiaries, the direct consent of an adult dependent was required to disclose information, although this did not apply to children, as they were not regarded as legally competent. The necessity to get consent could lead to a delay in the enrolment of an adult dependent such as the wife of a member, and treatment might be denied while this lengthy process was completed. This could be a burden on the state. The CMS proposed that where a medical scheme had to process claims, consent could be needed from dependents who were not the contractual partner, for the claims to be processed. If this proposal were to be considered, this problem would be avoided. The contracting party could then provide consent on behalf of the adult dependents. The contract was between the member and the scheme, and it should not be necessary to revert to the dependent for permission to process information.

Mr Chuene said that clause 11(2) was also problematic. This clause gave the member the right to withdraw from a scheme. There were qualifications, but it was a challenge to the industry. A member could withdraw consent, but still remain a member. CMS proposed that should consent be revoked, then the contract could be terminated. Without continued consent, the medical schemes would find it difficult to process accounts. The CMS proposed that any change to the contractual agreement should be seen as grounds to terminate or suspend the contract.

Mr Chuene was aware that the results of children were addressed in Clause 34. There were, however, cases, such as abortion, where a minor could authorise a procedure without parental consent. This information could not be processed in terms of the POPI Bill, as it directed that any person under the age of eighteen years must be assisted by an adult. The exemptions proposed in clause 32 should also be applicable in clause 35. Clause 32(1)(a) prohibited the processing of information regarding the health or sex life of a data subject.

Mr Chuene said that the final area of concern was Clause 114. This made provision for the Bill to apply retrospectively, with one year for compliance. Medical insurance was a complex industry, and it would be difficult to get consent retrospectively. CMS proposed that the Bill should apply prospectively, or that there should rather be an interim period of five years before it took full effect. It would take some time to process current members. As the Bill read, medical schemes would have to implement reporting mechanisms that would have a serious impact on the schemes. The costs would have to be passed on to the members, which would counter the objective of the Bill to make medical schemes more affordable.

Discussion
Mr Henk du Preez, State Law Advisor, Department of Justice and Constitutional Development, introduced the team who had worked on drafting the Bill. On the issue of children, two issues had been raised. The Bill had been drafted carefully in the technical committee, especially in regard to the definition of 'child'. There were different ages of consent in different laws, and he accepted that, for instance, a sixteen year old child could open a bank account, but the definition in this Bill was stated as eighteen years of age. An important qualifier was that if the person was not competent to process his or her own account, then that child must be assisted. Opening a bank account would entail the processing of personal information. However, a child over the age of sixteen was regarded as competent to open the account. The definition recognised this. The purpose of the Bill was not to amend the existing substantive law on the age of consent.

Mr du Preez said that the second issue raised was the request that the exceptions in clause 32 should relate to clause 35 as well. He summarised the written submission made to the Committee. The Department of Justice and Constitutional Development (DoJCD or the Department) felt that CMS had not considered all the issues involved. The key definition was that of a 'data subject'. This was the person to whom the personal information pertained. He felt that the case had been addressed in clause 32.

Mr du Preez continued that it was important to recognise that clause 11 did not just cover a single situation. Paragraphs (e) to (f) were also relevant. There were many instances in which a responsible party could process the personal information. The consent of the data subject was not the only requirement that had to be complied with by the responsible party.

Mr du Preez then responded to the concerns over clause 115, noting that DoJCD felt that the prerequisites were not confined to the obtaining of consent. There were more factors concerned. There was a reasonable test in clause 14, to consider matters on a case-by-case basis.

Ms Amanda Louw, Principal State Law Advisor, South African Law Reform Commission (SALRC) said that the Bill was not consent-driven. If it was felt that clause 11 was creating problems, the subparagraphs (b) to (f) could be used. If consent was then withdrawn this would not be a problem. Clause 11(2)(b) also contained a qualification which would ensure that processing would not be affected by the withdrawal of consent.

Mr Craig Burton-Durham, Head: Legal Services, CMS, repeated that CMS strongly supported the Bill, but did have some technical reservations. There were hundreds of thousands of transactions processed daily. He noted the opinions of the State Law Advisers, and would engage with these opinions. The primary concerns were that the member schemes must be compliant with the legislation. He believed that the amendments proposed were consistent with the legislation's aims and objectives. However, more clarity was needed. There was often a situation where lawyers debated matters endlessly. The proposed amendments would, in his view, make the Bill “crystal clear”. The complexities should not emerge only after the Bill was enacted. He wanted to see the industry fully compliant.

Mr J Gunda (ID, Northern Cape) asked if Members would have the opportunity to engage with CMS. The CMS had made an important statement that it had the interests of beneficiaries at heart. He asked how often the member schemes were found to be not providing the stated benefits, or schemes were found to be not compliant.

Mr Burton-Durham said that there was ongoing monitoring of compliance over a wide range of issues. The provisions of the Bill would be invaluable in protecting members of schemes. There were certain issues that had been dealt with. Schemes had to account to the Regulator on a regular basis.

Mr Danie Kolver, Head of Accreditation, CMS, said that in relation to regulatory oversight, there was a similar situation to the financial sector. The CMS practised a mixture of prudential and market oversight. A member contracted with the scheme on behalf of him or herself, and dependants. Administrators and brokers had to comply with certain rigid standards to retain their accreditation. Given the flow of information and the manner in which schemes contracted, this could be with management schemes or administrators. The standards included financial soundness. Medical schemes were subject to regular financial and other reporting. There was a risk-based framework. It was not uncommon to meet with the schemes, based on their risk category. By and large, all schemes submitted quarterly financial statements.

Mr Gunda added to his question. He asked if CMS monitored the policies of schemes. He asked what CMS did when a beneficiary's personal information was released to the media through a scheme, saying he had evidence of this happening.

Mr A Matila (ANC, Gauteng) said that the disappearance of children of all ages was a grave concern, and they might then be registered as dependents of their abductors. There was a fraudulent situation in the financial sector that might impact on the medical schemes. The Bill was trying to address these areas. CMS was concerned about the financial implications. In relation to clause 114, the period of one year was incorporated to assist medical schemes to get their houses in order. This period could not be open-ended. He suggested that perhaps CMS did not check on individual applications. Members of Parliament, for instance, were on an expensive scheme, with a minimum having to be paid for any medical visit. Most of the money went into administrative costs. Some schemes were at fault. There was a large scale of unlawful transactions in the financial sector, and he considered medical schemes to be part of this sector. CMS needed to “tighten the screws” in its monitoring. Schemes had different policies and CMS might not have the capacity to monitor the policies. Girls of thirteen years of age could fall pregnant, and might want an abortion without parental consent. The parents might withdraw benefits, without the consent of the child. While CMS was protecting the schemes, he asked who was protecting the members. He asked if there was a holistic approach.

Mr B Nesi (ANC, Eastern Cape) said that he personally was happy with the Bill. He had heard about challenges experienced by the community, and CMS was raising the same issues. He agreed with Mr Gunda that the focus of CMS was on the medical schemes rather than the members. He shared his experience of the consequences of an accident he had suffered, when the scheme he had belonged to at the time, linked to municipalities, could not cover his medical expenses. He had had to buy his first wheelchair himself, with the assistance of the Eastern Cape Legislature. The Road Accident Fund was paying its share, but POLMED (his current insurer)was refusing to pay theirs. He had not been paid the benefits due when he became disabled. He had only realised that he was entitled to claim this benefit after the possibility of a claim had prescribed. Less fortunate people could not even afford to make a telephone call to enquire about their problems. He doubted that CMS was present because of their concerns for the beneficiaries, but had no doubt it was attempting to protect the schemes.

The Chairperson noted the concerns of the Members, but they were not relevant to the Bill. He urged Members to discuss the issues privately with CMS.

Department of Justice workshop on the Bill
Mr du Preez said that DoJCD had responded to the submission of Blue Moon Investments in writing. Some of the issues raised there would be discussed as part of this workshop.

Mr du Preez said that some of the issues were straightforward. There were many countries with privacy and data protection. It was essential for South Africa to come in line. There was an African Union Convention being prepared, dealing with cybersecurity and the protection of personal information. There were already eleven African countries with such legislation, while another 27 were busy with this legislation.

Mr du Preez said that the right to privacy was protected in terms of Section 14 of the Constitution, and the common law. Protection was still not adequate. There was a small overlap with the Promotion of Access to Information Act (PAIA), but the bulk of the principles were not included. The key aspects of the Bill were the introduction of a framework for privacy, applicable in both the private and public sector, covering both automatic and manual systems, and covering both natural and juristic persons.

Mr du Preez said that Annexure 1 of the workshop summary dealt with Chapter 3 of the Bill. This was divided into three parts. Annexure 1 dealt with all responsible parties, both public and private. Eight conditions had to be complied with. An important aspect was the issue of exemptions, exclusions and exceptions. The exceptions were in the conditions for the lawful processing of personal information. The European experience was that information could only be processed when collected from a data subject. There were various exceptional cases where the provision could not be complied with. These exceptions were wide, as this was framework legislation. Where a responsible party could not comply with the legislation, there were justifiable exceptions provided for.

Mr du Preez said that in relation to exclusions, clause 6 was relevant. This set out the circumstances where a responsible party did not need to comply with the Bill.  This included the use of such information for personal reasons only. On exemptions, a responsible party might aim to comply with the conditions. The party could approach the Information Regulator (IR or the Regulator) to apply for an exemption. Those provisions were in clauses 37 and 38 of the Bill. They also provided an indication, specifically clause 37(1), of public interest.

Mr du Preez described how the conditions for lawful use could be complied with. There were eight conditions, and they amounted to good business practice. There was sector specific legislation, and there were also Codes of Conduct. Supervision would be through the Regulator. The Codes of Conduct would be applied by adjudicators appointed by the specific sector. He reminded Members that the Bill introduced framework legislation. The Regulator could issue regulations, which would provide more specific detail on the conditions. An important second aspect was that sector-specific legislation could be promoted by Parliament. Codes of Conduct were useful tools. They would be issued by the Regulator, with sector specific rules. The Code would be recognised as subordinate law. Where there was such a code, an adjudicator would be appointed to settle disputes resulting from the application of the Code of Conduct for that sector.

Mr du Preez pointed out three important aspects pertaining to the Regulator. These were the structure, the powers and enforcement. The establishment of the IR was dealt with in Chapter 5 of the Bill, at clauses 39 to 54. In short, the IR would be established as a juristic person accountable to Parliament, appointed by the President on the recommendation of the NA. There would be five persons: a Chairperson, two full time and two full or part-time members. The IR would be divided into two sectors, one taking responsibility for POPI Bill and the other for PAIA.

Mr du Preez said that there would be a Chief Executive Officer (CEO) for the IR, taking all administrative responsibilities. Provision had been made for the IR to request the secondment of civil servants to assist with the establishment of the office of the IR. An independent regulator was needed, so these secondments would be of a temporary nature. There would also be specialist consultants appointed for investigations or to assist regarding specific matters being dealt with by IR. Committees could be established. One of these would be an enforcement committee. Clause 50 dealt with the establishment of this committee, and how the membership should be composed. The Chairperson should be a judge or have a legal qualification. Provision was also made for other committees, comprising both members of IR and outside persons.

Mr du Preez said that the other provisions of that Chapter reflected other pieces of legislation. Clause 41 dealt with the appointment, terms of office, and removals of members of IR. Clause 42 dealt with vacancies, and clauses 46 and 47 provided for remuneration and allowances.

Mr du Preez added bluntly that the IR would have many functions to perform. It would be there not just to enforce compliance. It would also have a supervisory function, and would ensure that responsible parties complied with the Bill. There would be two levels, both by the IR and by information officers. These officers would be heads of public bodies, and as stipulated by PAIA, the heads of private bodies. The POPI Bill reflected PAIA provisions in this regard. Information officers would ensure that their bodies complied with the Act, and would deal with requests received in connection with the Bill. This was not a new concept.

Mr du Preez said that the IR would play an important role for both this Bill and PAIA. The IR could issue regulations and provide more details on the implementation on the Bill. Prior authorisation would be an important tool for the IR. It would be important to note that there was no registration process for responsible parties. This would remove one possible criticism over red tape. Responsible parties processed personal information. Where there was a greater risk of information being misused, prior authorisation would be needed to ensure that the Bill was followed. This was stipulated in clauses 57 to 59. Clauses 60 to 68 dealt with Codes of Conduct. The different codes should speak to each other.

Mr du Preez said that the IR would be empowered to carry out assessments. The responsible party would have the assurance that their practices were in line with the Act. Assessments could be conducted at the discretion of the IR, or at the request of the party concerned. He felt that this was an excellent tool for responsible parties to use to ascertain their level of compliance. Apart from Codes of Conduct, the IR could also issue guidelines. Sectors could use these guidelines in drafting their own Codes of Conduct.

Mr du Preez said that in terms of PAIA, certain additional functions had been assigned to the South African Human Rights Commission. The IR would take over these functions.

Mr du Preez said that the next section dealt with enforcement. There were three categories, namely administrative, criminal and civil court process. Where there was interference with personal information, there were two processes that the subject could follow. He or she might approach the IR with a complaint. If damages had been incurred, the complainant could introduce civil action. A number of criminal offences were also created in clauses 57 and 100 to 106. These included obstruction of the IR, breaches of confidentiality, obstructions of investigations and interference with witnesses, amongst others. The National Assembly (NA) had already approved these provisions. The technical committee had recommended the inclusion of these provisions in relation to account numbers.

Mr du Preez said that the administrative processes were essentially complaints driven. A complaint must be submitted to the IR on the breach of confidentiality or a breach of the Code of Conduct. The IR would need to appoint an adjudicator, but provision was made for an appeal to the IR to consider the matter afresh. The IR would be empowered to issue an administrative fine, or refer the complaint to another regulatory body. IR might decide to take no action regarding the complaint. This decision, however, could not be taken arbitrarily as there were clear guidelines on when it would apply. The IR might also endeavour to reconcile the parties through mediation, possibly with some form of settlement.

Mr du Preez said that when a complaint was submitted, the IR could issue an Information Notice to the relevant body. When the answering information was received, the IR would be able to issue an Enforcement Notice, if deemed necessary, which could remedy the situation. A responsible party served with an Enforcement Notice could launch an appeal. If there was no appeal, and the responsible party continued to fail to comply with the enforcement notice, then criminal proceedings might ensure. This could result either in a criminal conviction or an administrative fine. These were mutually exclusive possibilities. These were the points raised in the Blue Moon Investments submission. Failure to pay such a fine would lead to criminal prosecution.

Mr du Preez said that the issue of adequacy was extremely important. International instruments required that adequate protection of personal information should be provided. All responsible parties must comply with legislation and conditions for the processing of personal information at every stage of the information cycle. This started with the collection of personal information. This might be stored, used, and often distributed to other responsible parties, and might be archived. The cycle only ended with the destruction of information. A separate entity for the enforcement was required, and this would be satisfied by the IR. Clause 72 dealt with the transfer of personal information across the national borders. Where this happened, the responsible party must ensure that there was a system in place in the destination country to ensure adequate protection.

Ms Louw said that a Regulator should look at systems rather than act as a policeman. Proper systems needed to be in place, which would ensure that millions of people would be assured that their information was handled correctly, rather than dealing with one complaint at a time. What was also important was to regulate, and not stop, the flow of information. Where prior authorisation was concerned, the presence of a Code of Conduct would make this unnecessary. There were Codes of Conduct for all major sectors in place overseas, irrespective of the various exceptions and exemptions. In order to comply, the Bill often referred to adequacy. This should be determined at each stage for all parties concerned. Compliance did not mean compliance with the first section only, but also with qualifications and exceptions. Adequacy was also important regarding cross-border transfers. It was very easy to do business electronically, and information could often be processed in countries without adequate protection.

Ms Louw said that the criminal and civil processes were not available under PAIA. Investigations were complaint driven.

Mr Francis Cronje, Legal Advisor, franciscronje.com, said that in some Asian countries there was legislation regarding cross-border data transfers. In Europe, there was a 'white list' of countries with adequate protection. New Zealand had been busy with protection legislation for some time, but had only been added to the 'white list' in 2012.

Ms Louw added that there were a number of prescripts on the transmission of information to South Africa that would fall away when the Bill was enacted. It was not just the European Union (EU) driving the process, but there were also other bodies such as the United Nations and African Union. The principle was being accepted across the spectrum, and it was almost impossible not to abide by the legislation.

Discussion
The Chairperson asked why there had only been agreement on one of two issues with the Financial Service Board (FSB).

Mr du Preez said that there had been engagement with FSB. There was now an agreement on clause 72, which would now have to be amended. He asked the Committee's permission to do this at a later date.

Mr du Preez noted that the issues raised in relation to clause 38, it was important to note that the issue had been debated between the parties for nearly two and a half years. Both in the Technical and Portfolio Committees (PC), there had been submissions from the FSC but neither of these committees was satisfied on the points that FSB was requesting, and the Portfolio Committee had expressed hits concern that what was requested for clause 38 was too vague, and requested a specific clarification of the activities envisaged. That would not be possible given the wide issues raised. The DoJCD had raised similar concerns. It would be nonsensical to include such wide terms, in legislation, for activities which could not be complied with. DoJCD was not entirely opposed to amending Clause 38, but felt that any amendments must relate to specifics. The character of the clause should remain the same. There were already some wide exclusions and exceptions. Clarification had been received the previous week on the proposed amendment of Clause 72.

Ms Louw said the question was how the FSB would be prevented from conducting certain activities, in terms of the Bill. There might be more clarity in the Codes of Conduct, and an exemption to the Act should be considered for Clause 38. It was not good enough to say that there might be a problem some time in the future. It was not possible to include another wide exception.

Ms Jeannine Bednar-Giyose, Director: Financial Sector Legislation and Regulation, National Treasury, said that there was now more agreement on the particular functions that could not be performed. Proposed wording was submitted earlier in the week to provide more scope to clause 38. A formal response had not yet been received. The most recent information had also not yet been acknowledged. She had not had sight of any other proposed amendments to the clause.

Ms Nonku Tshombe, Head of Department: Legal Department, FSB, said that the agreement on Clause 72 was struck between FSB and DoJCD on 4 March 2013. She noted that clause 38 had been inserted into the Bill in order to allay concerns raised by FSB. It would look at the exemptions that could be placed in the Act to ensure that financial services regulations could be catered for. The technical committee had called for engagement with DoJCD. It was clear that the exceptions did not cater for the activities of the financial regulator.

Ms Tshombe said that the mandate of the FSB was to ensure compliance with financial regulations. It had to have access to financial information in order to do this. The provisions of clause 38 were not unhelpful, but it assumed that for an exemption to be occur there would be some event that contravened the law. The activities of the FSB were not solely based on such events, since it was proactive in many aspects of its work. It depended on having access to information to ensure that there was adequate compliance with the law.

Ms Tshombe said that the Committee had to balance the rights of data subjects to the right of privacy. Another challenge was balancing data subjects that were the users of financial services. It was a fine balance. At no stage had FSB and National Treasury not appreciated the usefulness of this legislation, but it was important to balance the intentions with the appropriate rights.

Ms Tshombe had heard indications in the presentations on the need for adequate protection. In its engagements with DoJCD, FSB had proposed a regimen that would adequately protect information, which would mirror the Bill. There would then be room to include the core financial activities in Clause 6. On this point, there had not yet been a response from the DoJCD.

Ms Louw put forward an example to describe how the Bill would work. She used the example of compliance to traffic rules. Rules were needed to deal with traffic. Although the rules were in place, the intention was not to keep all the cars in the garage. The Bill was not meant to be a hindrance in passing information, but was only intended to regulate the passing of information. Notwithstanding the rules of the road, an ambulance might have to contravene the rules in an emergency. She asked why the FSB was seeing itself as an ambulance rather than as a normal road-user. The majority of cars on the road were assisted by the rules, not hindered by them. The Bill made for good business practice. If there was already such a practice, not much would need to be done. There were no draconian prescripts. This was where the problems in the discussion lay. It was up to FSB to show why it should be given exemptions in the course of its duties.

Ms Annah Manganyi, Senior Manager, FSB, said that FSB was confident that it had made out a good case. There was an agreement on exemption from clauses 11, 12 and 15. The issue regarding clause 38 was that specific exceptions had been provided, but the ability of the FSB was being limited in terms of other functions. The FSB was a non-banking financial regulator, and was a member of international bodies. Clause 38 was limited to cases where FSB protected members of the public. However, FSB had other roles to fulfil, including investigating the conduct of financial managers. These were core functions of the FSB, but the exceptions to clause 38 would only be allowed for protecting the public. FSB would, for instance, be looking at aspects of market conduct and prudential regulations. Regulations on banks would soon be split into these two functions. FSB had to be able to exchange information with the Reserve Bank to ensure a stable economy and fair market conditions.

Mr Sisa Makabeni, State Law Adviser, Office of the Chief State Law Adviser, felt that the current wording of clause 38 did already allow for proactive actions by FSB. The provisions could be used in a reactive way. Ms Manganyi had not convinced him with her argument.

Ms Manganyi said that in the exchange of information with other regulators, personal information was exchanged on a daily basis. This included overseas regulators. An application might be received by someone wanting to be a financial advisor in the United Kingdom, for example. The FSB would then ask for relevant personal information, such as an identity number, to investigate whether that person was fit and proper to perform the function. In all the requests, it was standard procedure to have safeguards, in terms of a Memorandum of Understanding, that no information would be disclosed to a third party without approval.

Ms Bednar-Giyose added that it had been noted that key considerations to be understood in ensuring a stable financial situation included the focus on the financial standing of institutions. Market conduct regulation was designed to ensure that internal business and interaction with the public ensured stability and confidence in the financial system. Without this assurance, the stability of the system could be severely compromised. It was necessary, at times, to share information on companies and individuals. There was an international move for increased engagement between regulators. A model on this information sharing had been proposed in Europe. The way Clause 38 was framed captured a number of aspects regarding market conduct and consumer protection, but did not really address how business processes could be monitored, nor the integrity of financial conduct. In Europe it was recognised that there had to be some exemptions on the exchange of information. The aspects of prudential and market related regulations could be incorporated. A clause had been drafted for the FSB Act to balance the rights to protection with allowing financial regulators to exchange information rapidly and on an ongoing basis. These were critical functions for the regulator.

Mr Kolver said that brokers would be accredited on dual regulatory provisions. CMS granted accreditations, and in doing this, there was daily engagement with the FSB. There were about 9 000 financial advisers who had to be declared fit and proper by the FSB. One of those entities or individuals might be found to be not fit and proper, and the FSB could impose a legal sanction such as suspension or withdrawal of a licence. FSB and CMS found themselves in a similar situation. If an entity was allowed to function despite being not fit and proper there would be negative consequences. The exchange of information between regulators enabled CMS to impose severe legal penalties where warranted. CMS relied on the information offered by the FSB when it decided on accrediting service providers.

Mr du Preez asked Members to consider what Mr Kolver had said. When he referred to the functions performed by CMS, which was a creature of statute, the functions were performed in terms of legislation. There were at least three pieces of legislation empowering CMS. He asked if those functions being performed were in accordance with a function imposed on CMS by law.

Mr Kolver replied that they were imposed by law, in terms of the statutes. The classification of 'fit and proper' was the subject of daily exchanges.

Mr du Preez said that the support given to the FSB was based on an exclusion from four provisions under clause 38. In respect of clause 11(c), he asked why CMS would need an exemption if it performed its functions in terms of statutory requirements.

Mr Matila asked if this matter had been raised in the debate in the NA, and if so, what answers had been given. At present Members were feeling excluded from the discussion.

Mr J Bekker (DA, Western Cape) said that he was learning from the discussion. Other people looked at the letter of the law. He felt that the parties should go back and sort out the clause.

Mr Makabeni said that the exchange of information within the country was already covered.

The Chairperson said that there was a need for further engagement between FSB and DoJCD. It would therefore have to be determined by the Committee, with the assistance of Parliamentary legal advisers, how to deliberate further.

Ms Louw said that the SALRC had looked at regulators world-wide. She had some examples. The Australian counterparts were bound to comply with their privacy legislation. In the UK, the authority also followed the Data Protection Act. In Hong Kong, the independent body there pledged to meet standards of personal data regulation in compliance with its ordinance. She also had an example from France. The data protection legislation in those countries formed the basis for this Bill. She asked why the FSB could not simply comply with the Bill, as was done overseas.

Mr Matila said that some of the investigations must be done by the Committee. One question to be asked was how relevant information was transmitted by the overseas agencies quoted by Ms Louw. He had hoped that Parliament's own legal staff would have provided this information.

Ms Manganyi replied that the agencies quoted did comply with privacy regulations. FSB was in daily contact with these bodies. She asked how this could be done in the absence of a privacy law in South Africa. While these regulators might comply with privacy laws, they might also have exemptions.

Proposed Amendments
Mr du Preez submitted a list of proposed amendments, many of which were correcting spelling mistakes. In clause 6 there was a technical amendment. In clause 18, there were two technical amendments. There was a spelling error in clause 40. In clause 44, it must be reflected that the NA had changed the word 'principles' to 'conditions'.

The proposed amendment to clause 72 was the result of the agreement between DoJCD and National Treasury, following the debate in the NA. He pointed out that, in clause 72, it was intended to insert the word ‘or’ after  'rules' in line 7. The reference to a memorandum of understanding in lines 6 and 7 would be deleted. Sub clause (2) would be deleted. Paragraph (a) would be deleted. There would be consequential renumbering of the paragraphs. A new sub-paragraph (v) would be inserted into the Schedule, after line 60 on page 59.

Mr du Preez said that most of the other proposed amendments were of a technical nature. Many of these were replacing the date of 2012 with 2013, in the Schedule.

Mr du Preez said that DoJCD had also responded to comments made by the Committee Content Adviser, Mr Kinnes. In Clause 24, a correction should be affected to use ‘as soon as was reasonably possible’ rather than specifying a time limit. This would ensure a balanced approach, and would accommodate individual cases. An amendment would be prepared on this point.

The second issue was raised in relation to clause 33(1) which dealt with prosecution, but the comment was that clause 33(2) was too wide. Sub clause (2) was part of the original Bill. This part of the Bill had since been changed. Criminal convictions were not regarded as criminal behaviour, and therefore sub clause 33(2) could be deleted.

Mr du Preez returned to clause 38. There had almost been a fatal mistake made here, by referring to the whole of Clause 11. Sub clause 11(1) was the enabler, providing the authority to process personal information. A person could not be excluded from these provisions. The focus should be on subclauses (3) and (4), which dealt with objections to the processing of personal information.

The Chairperson asked DoJCD to prepare the amendments, and to make a further attempt to find common ground with the FSB. Failing this the Committee would have to make a decision on the point.

Mr Matila said that National Treasury should capture the relevant information in other Bills.

Mr Chuene said he had not heard any interaction with his presentation.

The Chairperson said that all proposals would be considered by the Committee.

Mr Burton-Durham said he had only received very short notice on the proposals, and requested the opportunity to make a written response.

Mr du Preez said that he was not at liberty to speak to this point. However, he did want to point out that the process had started more than ten years previously, following an investigation by SALRC. There had been wide consultations, followed by extensive public hearings. This Bill was now the oldest one still in Parliament, having been tabled in 2009. He needed guidance on how many more inputs could be tolerated.

Mr Gunda said that DoJCD must abide by the instructions of the Committee. Mr Burton-Durham had simply asked why the amendments had been put forward at such late notice.

Mr Matila confirmed that the Department must abide by the directions of the Committee.

The meeting was adjourned.
 

Share this page: