Information Regulator Quarterly performance

Justice and Correctional Services

08 October 2020
Chairperson: Mr G Magwanishe (ANC)

Meeting Summary

Video: PC on Justice and Correctional Services, (NA) 08 Oct 2020

The Committee was briefed by the Information Regulator (IR) on its fourth quarter performance report for the 2019/20 financial year and the first quarter performance report for the 2020/21 financial year. In her opening remarks, the Chairperson of the IR indicated that the Regulator had noted that there had been an increase in data breaches in the country. Recently, the Regulator had submitted a report to Parliament, which related to the management of personal information during the National State of Disaster (NSOD).

During its briefing, the IR reported several accomplishments, such as the fact that it was able to both draft a readiness plan for the implementation of the Promotion of Access to Information Act (PAIA) and recruit staff for the vacant and funded phase two posts. The latter was important, as the lack of skills meant that board members had had to cover many of the functions of the executive. Since the inception of the Protection of Personal Information Act (POPIA), the workload of the staff had increased and many of them were not coping. In addition, due to an insufficient budget and inadequate human resources, the Regulator’s capacity to perform its functions had been constrained. As a result, it had not been able to achieve several of its first and fourth quarter targets. Without an increased budget, officials of the IR commented that the mandate of the entity would not be achieved.

Members expressed their concern that without an increased budget, the mandate of the IR would not be carried out. However, they were pleased that the IR had been able to carry out many of its functions with a limited budget and inadequate human resources. They suggested that the Committee should look into the issue of limited budgets of all entities. Officials from the IR mentioned that they had recently engaged with officials of the National Treasury, and they expressed hope that in his Mid-Term Budget Speech (MTBS), the Minister would announce additional funds for the entity.

With the Experian data leak earlier in the year and the recent allegations of a data leak taking place at TransUnion, Members asked the officials what role the IR played in protecting the personal information of the country’s citizens. The officials indicated that in the case of the Experian data leak, the IR had first engaged with Experian to find out how the leak had occurred. It had then launched its own investigation and hired an independent forensic consultant to assist it. In relation to the other reported data breaches in the country, the IR had recently been working on a new system that would accommodate the analysis of data breaches in future.

Meeting report

Information Regulator quarterly performance report

Introductory remarks

Adv Pansy Tlakula, Chairperson: Information Regulator, said that the Regulator had not been able to achieve some of the targets it had set. An insufficient budget and weak human resource capacity had constrained the entity’s ability to execute its (already) heavy workload. There were two points she wanted to make -- firstly, since the inception of the Protection of Personal Information Act (POPIA), the workload had increased, and the staff were not coping; and secondly, the entity had noted an increase in data breaches in the country.

A few weeks ago, the Regulator had submitted a report to Parliament through the Speaker and the Chairperson of the National Council of Provinces. The report had been compiled in terms of section 40 of the Information Regulator Act, and it related to the management of personal information during the National State of Disaster (NSOD). The Regulator had requested Parliament to take the matters addressed in the document into consideration.

The Chairperson said that the Committee had approved the appointment of the part-time commissioner and was awaiting ratification from the House, which would be completed in the next two weeks.

IR briefing

Mr Marks Thibela, Chief Executive Officer: IR, briefed the Committee on the entity’s strategic objectives for the 2019/20 financial year, and the first quarter performance report for the 2020/21 financial year.

Operational overview and key highlights included:

  • It was able to recruit staff for the vacant and funded phase two posts;
  • A stakeholder engagement strategy plan had been developed; and
  • The readiness plan for the implementation of the Promotion of Access to Information Act (PAIA) had been drafted.

2019/20 fourth quarter performance

Referring to the fourth quarter performance for the 2019/20 financial year, Mr Thibela indicated that the original budget of the Regulator – which was R28.907 million – had been increased to R31.323 million by the Department of Justice and Constitutional Development (DOJCD). However, this amount had not been enough for the Regulator to carry out all of its functions efficiently.

The total expenditure incurred for the year was R22.435 million, which represented 72% of the budget. Under-expenditure had totalled R8.888 million, with under-spending on compensation of employees sitting at R7.178 million.

The strategic objective of the Education and Communication Committee had been to develop and implement educational, awareness and stakeholder management programmes which would promote the protection of personal information. The Regulator was able to meet two out of three of its quarterly targets, but it had not been able to develop a communication and branding strategy, as there were delays in the procurement process.

The strategic objective of the Legal, Policy, Research and Information Technology Analysis Committee had been to make guidelines for the codes of conduct and to produce a manual for the POPIA. The Regulator was unable to meet any of its three targets, as it had inadequate human resource capacity.

The strategic objective of the Compliance and Monitoring Committee was to develop a process for the handover of PAIA functions from the South African Human Rights Commission (SAHRC). A memorandum of cooperation had been signed and implemented, so this target had been achieved.

The strategic objective of the Complaints and Investigations Committee was to handle complaints related to the alleged violations of the protection of personal information. There was one target which had not been met. He explained that the complaints management process, standard operating procedures and manual were approved, but they had not been piloted due to inadequate human resources.

The strategic objective of the Corporate Services Committee was to fully establish the Regulator’s administration, to enable delivery on its mandate. Four of the five targets were achieved. The delegation of authority framework had been developed but was not approved, due to inadequate human resources.

2020/21 first quarter performance

The Regulator reported under-spending of R1.905 million on goods and services, as procurement could not take place due to the lockdown. There was also under-expenditure of R929 000 on machinery and equipment -- also caused by the lockdown -- and R3.368 million on the compensation of employees.

In Programme 1 (Protection of Personal Information Act), the Regulator was able to achieve five out of six of its targets, but it failed to meet its target of drafting the PAIA guide to incorporate the POPIA. The reason was that the PAIA guide had not yet been updated, as the PAIA functions were still being performed by the South African Human Rights Commission (SAHRC) until June 2021.

In Programme 2 (Promotion of Access to Information Act), the Regulator planned to develop processes for the handover of PAIA functions from the SAHRC. It was able to achieve both targets that it had set out.

In Programme 3 (Education and Communication), the Regulator planned to develop and implement educational awareness and stakeholder management programmes, which were aimed at promoting the protection of personal information. It had been unable to meet the three targets that it had set because of the national lockdown. These targets were:

  • Three planned public awareness sessions to be held;
  • To develop the communications and branding strategy plan; and
  • To hold 20 stakeholder engagements.

In Programme 4 (Legal, policy, research and information technology analysis), the Regulator had set out the objective to develop and approve a research strategy and plan that was aimed at ensuring the protection of personal information. It was able to achieve its target of developing a research strategy plan.

In Programme 5 (Administration), the Regulator set out the objective to fully establish its administration, to enable it to deliver on its mandate. It had been able to achieve four out of five targets, but was unable to develop prioritised finance policies and guidelines. This was largely due to inadequate human resource capacity.

He commented that the Regulator required an increased budget, otherwise it would not be able to fulfil its mandate.

Discussion

Mr S Swart (ACDP) thanked the IR for the report. He raised his concern that Justice O’Regan would not have effective powers to protect data privacy during the NSOD. He asked whether the Regulator was still concerned about data privacy during Covid-19, especially with the government using apps to track and trace patients.  

The Committee had noted that the transfer of the PAIA functions from the SAHRC to the Regulator would occur in the following year. He asked the Regulator to provide an update on the progress made thus far, and for it to clarify the mechanisms it had put in place to ensure that the functions were transferred by the following year, bearing in mind the financial and human resource constraints that the regulator had faced while taking up this task.

He asked whether the Regulator had discussed with the SAHRC whether its PAIA budget would accompany it once the functions had been transferred, and recommended that the Committee look into that possibility. The Committee had been previously informed that both entities would share accommodation.

While there was recognition that the country’s fiscus was constrained, it was important that the Committee look at the issue of limited budgets for entities.

In light of the fact that new leadership would have to be appointed at the entity next year, he recommended that the Committee should consider discussing when it planned to start the process, as it had taken some time to replace the part-time commissioner.

He concluded by thanking the board members for their exceptional work under difficult circumstances.

Mr W Horn (DA) observed that in previous briefings, the Committee had been informed that a discussion between the Deputy Minister of Justice and the Deputy Minister of Finance would be facilitated regarding the financial challenges faced by the entity. He asked whether the meeting had taken place, and if there had been progress thus far.

Due to the lockdown, the Regulator had been granted an extension to compile and submit its annual financial statements (AFS). He asked how far the entity was in finalising its annual report, and whether it would be undergoing a separate audit from the one performed by the Department of Justice and Constitutional Development (DOJCD), considering that it received its budget from the Department.

There had been a continual delay in the operationalisation of the Regulator, but when the Committee met the board before the lockdown, it had seemed that the entity was ready to operationalise its functions. He asked whether they had looked at redrafting their readiness plan, and what changes would be made.

As there was a danger of exploitation by firms who claimed to be able to assist firms and institutions in their compliance with PAIA regulations, he asked whether the entity had been monitoring their progress in compliance. Furthermore, had the entity assisted in capacitating them?

Adv G Breytenbach (DA) asked how the data leaked from Experian had landed up on a Swiss website, especially given the fact that the credit bureau had guaranteed that the leak had been contained.

Mr X Nqola (ANC) said the report had shown that several targets had not been achieved by the entity because of inadequate human resource capacity. This issue had also led to the under-spending of the budget in the entity. It had been mentioned in the presentation that all 31 vacant posts had been filled, but the entity had still recorded under-spending for the compensation of its employees. He asked if they could clarify what the vacancy rate in the Regulator was.

Out of 20 planned stakeholder engagements, the entity had been able to hold only three. The entity had indicated that this was due to the lockdown, but during and after the lockdown most companies and government institutions had moved their operations online, so why had the entity not moved its engagements with its stakeholders to be held virtually?

With the allegations that TransUnion might have leaked data, he asked what role the entity played in the protection of citizens’ private information.

Ms Y Yako (EFF) asked that the IR provide a list of the jobs in their key performance indicators (KPIs) that needed to be filled, and for it to explain why they had not been filled.  

Ms W Newhoudt-Druchen (ANC) asked what the entity meant when it mentioned that it had inadequate human resources, and whether the entity had incurred any Covid-19 related expenditure and if so, what the total sum spent was.

South Africans had a right to information, but it was concerning that during the lockdown there had been a significant amount of fake news released, which had caused the public alarm and created paranoia. She asked what the role of the entity was in combating the spread of fake news.

She suggested that greater cybersecurity was needed in the country, and wanted to know whether the entity had a role to play in this regard.

Ms J Mofokeng (ANC) asked if the IR had planned around the digital economy and the incoming 4th Industrial Revolution (4IR). If not, how would they plan to add to the process? What lessons had it learned during the Experian data leak, and had that experience led to them looking further into the conduct of credit bureaus in the country? In addition, was it aware of the number of credit bureaus that posed a danger to society?

Response

Adv Tlakula said that after their previous engagement with the Committee, the entity had convened a meeting with Justice O’Regan to discuss her mandate and role – and how it could work with her on the work she was doing. During their discussions, Justice O’Regan had indicated that she had a narrow mandate which related only to the protection of personal information used by the government apps to track and trace individuals infected with Covid-19. She had been of the view that if the method of tracing and tracking were not used by government, her role would not be fulfilled.

She confirmed that the entity was concerned by possible data breaches/leaks during the National State of Disaster. It had recently submitted a Section 40 report to Parliament, and she asked whether it had reached the Committee as well. In the report, the entity had raised its concerns around privacy and the protection of personal information during the NSOD. In addition, it had also looked at what would happen to the data collected after the conclusion of the NSOD.

The IR had noted that the Department of Health (DOH) had access to a large amount of personal information. This information had to be de-identified to the extent that it could not be reconstructed, as required by the POPIA Act. The report also indicated that during the NSOD, there had to be a correction of personal information and that security measures had to be put in place to prevent hacking. The entity had recently written to the Director-General of the DOH to gain clarity on the measures they had put in place to ensure that the personal information of South Africans would not be compromised. The entity would continue to monitor these developments.

Referring to the transfer of functions, she said that Section 114 referred to the transfer of PAIA functions. The amended PAIA gave power to the Minister of Justice to make and amend regulations, whereas the POPIA Act gave power to the Regulator to either make or amend regulations. A list of the various rules and regulations that needed to be amended by the Minister of Justice had been compiled by the Regulator. Whilst it recognised that the Department would have to make/amend the regulations, it believed it to be important that it was seen to be proactive. Furthermore, it wanted to ensure that there were no contradictions in the regulations of the two Acts. To clarify this point, she provided the example that the complaints handling process fell under the POPIA Act, whereas under the PAIA, it was the Minister who was responsible.

Adv Lebogang Stroom-Nzama, full-time member of the Information Regulator, said that the PAIA functions would come into effect on 1 June 2021. During its quarterly meetings, the entity had resolved that a plan of action had to be formulated and rolled out as soon as possible, to ensure that it was able to take over the PAIA functions from the SAHRC.

Adv Tlakula said that the sum total of the budget that the SAHRC uses for the implementation of PAIA functions was R1 million. However, once the functions had been transferred, there would be an unfunded mandate, as the SAHRC no longer had the funds.

She said the transitional phase of filling of leadership vacancies in the entity was for the Committee to discuss, and she could provide no further comment.

The meeting between the two Deputy Ministers had not occurred. The Regulator had written to the Minister of Finance and had recently had a meeting with officials from Treasury. The officials had sought clarification on the previous presentation made to them by the IR on additional funding. The entity was hopeful that there would be positive developments in this regard.

Mr Thibela said that the entity had been granted an extension of up to 31 October to submit its annual report. It would be audited by the DOJCD.

There had been an engagement between the entity and Treasury officials on 24 August 2020, and the Regulator was hopeful that the Minister would announce in his Medium Term Budget Policy Statement (MTBS) that there would be additional funds for them.

In its 2019/20 annual report, the Regulator had identified 13 vacancies that had to be filled as part of phase 1. The process of filling vacancies had been a long one. However, the positions had been filled by 31 March 2020. There were 18 vacancies identified for filling in the 2020/21 financial year for phase 2, and 13 had been filled to date. The remaining five positions remained unfilled because the pool of candidates had not met the requirements set by the entity, so it had had to readvertise the positions. These positions were for the Executive for Education and Communication, the Senior Manager for Complaints and Investigations (POPIA), the Senior Manager for Monitoring of PAIA, the Public Awareness Manager and the Communications Manager.

Adv Tlakula said that the quality of applicants they had received was not up to standard. The entity had to advertise the position of Executive for Education and Communication twice, as it had not found the right candidate. It decided to headhunt a candidate through a recruitment agency instead. As POPIA was highly specialised, the entity had found it difficult to find suitable candidates. It had to ensure that it attracted the right candidates, as it anticipated that the private sector would challenge it in court. It had decided that whoever was employed by the entity should be able to defend the Regulator in court as well.

While compiling its readiness plan, the Regulator had identified certain documents that it required to include, which would assist public and private bodies to comply. It had hosted several webinars on compliance, mainly with private bodies. It had also had to reprioritise many of the issues it had highlighted in the plan, to accommodate some of the challenges made by private bodies. There had been several guidelines provided by the regulator to private bodies on compliance.

Mr Sizwe Mtuze, a part-time member of the IR, indicated that it had recently adopted a strategy to host its engagements with stakeholders online. It had engaged with several departments and private bodies on a weekly basis. It had embraced technology and had been proactive in educating both the public and the private sector on matters of compliance.

Adv Tlakula said that government departments had started to ask the Regulator for guidance on how to process the protection of private information. It had noted that the private sector had taken compliance very seriously and continuously sought advice. All private and public bodies had been informed that the period to put compliance processes in place was between now and 31 June 2021.

Last Friday, the Regulator had had a meeting with the Minister of Communications to raise the issue of the digital economy and the implementation of the 4IR. During the discussions, the Regulator had been able to clarify its functions in regard to both matters. It was the role of the Department to set policy, whereas the Regulator had to ensure that the policy was compliant with the rules and regulations.

Mr Mtuze said that the Regulator had engaged with Experian to find out what had happened and how it had happened. It had appointed an independent forensic consultant, Mr Jason Jordaan, to assist it with understanding how the breach had occurred. It had decided to conduct its own investigation after the breach was reported by the media. There had been several other data breaches that had occurred in the country, and the Regulator had been monitoring them.

Cybersecurity was at the centre of data protection. Sections 19, 20, 21 and 22 indicated that the Regulator provided the regulatory role in data protection. The Regulator had had several meetings with stakeholders to deal with cyber breaches. It had also issued directives to Experian on how to notify data subjects that may have been affected by the breach, on how their data had been breached and how they could defend themselves. The Regulator had been proactive in cybersecurity.

As many of the document-sharing applications and websites were foreign based, it was easier for the perpetrator of a breach to drop the information on a foreign website -- in this case, a Swiss website. If the perpetrator were to place the information on a South African website or application, it would be easily identified by the authorities. There needed to be greater seriousness about cybersecurity and data protection. For the Regulator to assist, it required additional resources and specialised individuals.  

Adv Tlakula said that the IR had written to the Swiss Federal Data Protection and Information Commissioner, as the breach included a cross-border flow of information. Experian had communicated with the Regulator regularly.

Adv Collen Weapond, a full-time IR member, said that the Regulator was investigating the allegation of a breach at TransUnion. It had written to the credit bureau to verify the allegations. It was also looking at different sources to verify whether the information provided was reliable.  

The Regulator had received 52 breaches from its inception to date. In the year under review, it had reported 29 breaches. From June of this year to date, it had reported 25 data breaches. This concerned the Regulator, and it was investigating the reasons for the high number of breaches. It was preparing to analyse the data breaches and look at the extent of where they had occurred, as some of them had occurred in SA, and others outside of the country. South Africans were victims of data breaches and their personal information had been obtained. The Regulator was committed to provide Parliament with a report on the causes for the data breaches. It had recognised that human error was usually related to data breaches and the remedy for this would be the detailed training of individuals. It had been working on a new system that would accommodate the analysis of data breaches in future.

Adv Tlakula said that the entity had begun working virtually only after the end of the first quarter. Some of the engagements it had scheduled with its stakeholders had been cancelled. For instance, it had organised engagements with the Offices of Premiers in various provinces to inform them on the PAIA Act. However, the engagements had been cancelled -- all by the stakeholders, and not the entity.  

Mr Thibela said that the regulator had spent R18 000 on Covid-19, which included deep cleaning and the purchase of personal protective equipment (PPE).

Explaining what was meant by the inadequate human resources, he said that the Regulator had filled critical appointments at a late stage. As a result, it had struggled to fulfil all of its functions. In addition, board members had had to take over several functions of the executive.

Adv Tlakula also added that the board members had had to conduct the work of the executives because of the lack of personnel.

Mr Mtuze said that the issue of fake news had created a new legal problem. It was those in the media and individuals who had access to the internet that perpetuated fake news. Personal information had been used as a mechanism to disseminate fake news in other countries. However, personal information that was leaked did make the public more susceptible to fake news, as people could target others. Parliament should consider a law pertaining to the criminalisation of fake news.

Adv Tlakula disagreed with his suggestion. Regulating fake news was not straightforward, as the line between what was fake and what was not fake was not clear. If such a Bill were enacted, it could compromise both the freedom of expression and the flow of information. The Regulator would continue to have engagements on how to curb the spread of fake news.

Adv Stroom-Nzama said that the Credit Bureau Association (CBA) had been the first to approach the Regulator to inform them on their code of conduct. The Regulator had received complaints relating to data catching and the selling of it by credit bureaus. The National Credit Regulator (NCR) had approached the Regulator, and it would engage with them to look at this problem further, as it was a thriving business.

Adv Tlakula said there had been a meeting between the CBA and the NCR following the Experian data breach, and the CBA had requested the Regulator to consider the exemption of the bureau industry from the conditions of processing of personal information in terms of sections 36 to 38 of the POPIA. During the discussion, the Regulator had mentioned that they were not prepared to do so yet, but would be willing to have further engagements on the matter.

The Chairperson said that all questions that were not responded to should be responded to in writing. The Committee was pleased with the work done by the Regulator, particularly under the difficult circumstances. He would inform them on whether he had received the letter they had sent to the Speaker.

He suggested that in future presentations of performance reports, the officials should include a column that provided real-time information on recent developments in the entity, as the quarterly reports provided only the historical performance of the entity.

The Chairperson commented that based on interviews conducted on the previous day, most people did not have an understanding of the credit bureaus, as there was no available information on them. He suggested that the Regulator communicate through the Department of Communication and Digital Technologies, as they had cheaper forms of communication. It would be important that the Regulator made its presence known to the country. Also, they should make preparations for the coming local government elections, as many data breaches could occur.

The Committee would ensure that there was a seamless transition of the board members in the following year. He was pleased that the board members had assisted the newly appointed executives with their work.

The meeting was adjourned.
