The Information Regulator reported that it had been cited as the seventh respondent in the Black Sash v Minister of Social Development case. A series of engagements have since ensued with the South African Social Security Agency, Cash Paymaster Services and South African Post Office. The engagements were to assess the veracity of dispersal of personal information and what measures the parties were putting in place to ensure that the leaking of such information does not happen again. The Regulator has found that it does not have the powers to settle complaints because Sections 73 and 111 of the Protection of Personal Information Act are not yet operative. Yet, Section 112(2) empowers the Regulator to make Regulations that were adopted by Parliament after public hearings.
The Information Regulator became aware of four cases where there was a leaking of personal information. Letters were written to the parties involved to ascertain the veracity of the reports and enquire about the steps taken to avoid any further breaches. Facebook was one of the companies involved in leaking personal information, where the information of some 60 000 users was shared with a firm called Cambridge Analytica.
The Department of Public Service and Administration had advised that the Information Regulator should be registered as a Schedule 3A entity of the Public Finance Management Act. The Regulator is of the view that Section 48(a) of the POPIA that stipulates that the appointment of a Chief Executive Officer, who also acts as the accounting authority contradicts the PFMA which states that when a board is appointed that board takes up the role of the accounting authority. The Regulator said they are seeking guidance on this matter.
During 2018/19, the Regulator plans to draft phase one of the Public Awareness Strategy and implement the strategy in the same year. A Research Strategy will be developed and it will focus on the processing of information and computer technology that promotes the protection of personal information. Guidelines and Notices for a code of conduct will be developed; the stakeholder engagement strategy will be implemented; corporate services policy and procedures will be developed and the Regulator plans to secure its on accommodation offices. The budget is R27.274 million.
Information Regulator on its 2018/19 Annual Performance Plan
Adv Pansy Tlakula, Chairperson: Information Regulator, said Regulator met with a number of organisations as part of its on-going stakeholder and training programmes in terms of Section 40 of the Protection of Personal Information Act (POPIA). In the Black Sash Trust v Minister of Social Development and Others, the Regulator was cited as the seventh respondent in the case. As such, the Regulator has been monitoring the implementation of the Court Order dealing with the protection of personal information of grant beneficiaries. A series of engagements with the South African Social Security Agency (SASSA), Cash Paymaster Services (CPS), South African Post Office (SAPO), and the Independent Panel of Experts appointed by the Constitutional Court, have been held.
These engagements were about the dispersal of personal information of grant beneficiaries by both CPS and Grindrod Bank and assurance that measures are put in place to ensure that the contract entered into between SASSA and SAPO will contain measures for the protection of personal information of grant beneficiaries. In terms of the implementation of the Court Order, the Information Regulator has submitted two reports to the Independent Panel of Experts in fulfilment of its monitoring obligation. The first report was submitted on 6 February 2018 and the second report on 11 April 2018.
On the management of complaints, the Information Regulator does not have the powers to enforce and settle complaints as Sections 73 to 111 of POPIA are not yet operative. The Regulator has received some 180 complaints, which are dealt with on a proactive basis, but are yet to be resolved. Section 112(2) of POPIA empowers the Information Regulator to make regulations - the regulations were drafted by it and public consultations were held in all nine provinces. The final draft Regulations have been submitted to the Office of the State Law Advisor for constitutional compliance vetting. The Regulations will be tabled by the Information Regulator to Parliament in compliance with Section 113(5) of POPIA upon completion of the vetting process. The Regulator has dealt with material data breaches such as Master Deeds, Facebook and MiWay, in terms of protecting personal information.
When the Regulator became aware of the Master Deeds matter it wrote letters to Jigsaw Holdings, Govault.co.za and Dracore Date Sciences to ascertain the veracity of the report and enquire about the steps they have taken to avoid further breaches. The letters were written to the companies on 20 October 2017. The Regulator received correspondence from Hetzner Pty Ltd on behalf of Govault.co.za and from Dracore Data Sciences lawyers. The Regulator also dealt with a data breach from Facebook, where it was alleged that it breached the personal information of almost 60 000 South African Facebook users. The information was shared with Cambridge Analytica. Letters were written to Facebook seeking information on the breach.
Section 47(1) deals with the establishment of the administration of the Information Regulator. Section 47(5) states that the Regulator must consult with the Minister of Finance in exercising its powers. A meeting was held with National Treasury, who advised that the Regulator should consult with the Department of Public Service and Administration (DPSA) on its organisational structure, despite its powers set out in Section 47(5). The Regulator then met with the Public Service Commission who advised on the documents required for the approval of the organisational structure. The DPSA indicated that the Regulator be listed as a Schedule 3A Entity before its organisational structure can be approved. The Regulator is of the view that there is a contradiction between Section 48(a) of POPIA, which provides for the appointment of a Chief Executive Officer, who is the Accounting Officer and Section 49 of the Public Finance Management Act which provides that if a public entity has a board that board should be the Accounting Authority. The Regulator will be approaching the Minister of Finance to assist with the resolution and contradiction.
Mr Mosalanyane Mosala, Acting Chief Executive Officer: Information Regulator, said the budget for 2018/19 is R27.274 million. The budget allocation is for compensation of employees – R18.5 million, goods and services – R6.212 million and capital assets – R2.662 million.
During 2018/19, the Regulator plans to draft phase one of the Public Awareness Strategy and implement the strategy in the same year. A Research Strategy will be developed and it will focus on the processing of information and computer technology that promotes the protection of personal information. Guidelines and Notices for a code of conduct will be developed; the stakeholder engagement strategy will be implemented; corporate services policy and procedures will be developed and the Regulator plans to secure its on accommodation offices.
Mr W Horn (DA) said the Information Regulator promised in the previous year that it would fill all its vacancies by the end of 2017. He asked for time-frames for when each vacancy will be filled.
Mr N Matiase (EFF) said the Information Regulator is not being prioritised by the government – he said they were being incapacitated on purpose. As such, he enquired whether the Regulator was capable of designing a business model suitable for their organisation because it does not seem they have enough decision-making powers to employ their own personnel that would be properly skilled and competent to do the work. He advised them to consult with the Office of the Valuator General, falling under the Department of Rural Development and Land Reform, on improving their business model.
Ms M Mothapo (ANC) said the Regulator should also look into cases where banks leak the personal information of their clients. She commended the organisation for trying to seek its own accommodation, and asked that the Committee be provided with a progress report on the MiWay matter.
Mr L Mpumlwana (ANC) asked if there were any specific sections in the POPIA that need amending to give the Regulator enough decision-making powers.
Mr G Skosana (ANC) asked if the Complaints Screening Management System has helped in reducing the 180 backlog cases.
Mr M Maila (ANC) asked for feedback on the benchmarking exercise, and whether it was beneficial to it. He enquired if they agreed with the DPSA that they should register as a Schedule 3 entity. He said the Regulator should consult the voters roll to determine whether political parties are not infringing on the rights of the public when they campaign through text messages, and if this is not a violation of the Constitution.
Mr T Mulaudzi (EFF) asked when Sections 73 and 111 of the Act would be promulgated. He asked if the R17.4 million budget would be sufficient to pay its employees in 2018/19.
Adv Tlakula requested that the Information Regulator provides its responses in writing because there will not be enough time to go into detailed responses.
The Chairperson sought the Committee’s approval and it was agreed that the Regulator should respond in writing.
The meeting was adjourned.
Download as PDF
You can download this page as a PDF using your browser's print functionality. Click on the "Print" button below and select the "PDF" option under destinations/printers.
See detailed instructions for your browser here.