‘No excuses’ for POPI non-compliance, says Tlakula

Advocate Pansy Tlakula serves as chairperson of the Information Regulator.
Advocate Pansy Tlakula serves as chairperson of the Information Regulator.

Local organisations have no excuses when it comes to complying with the Protection of Personal Information (POPI) Act, SA’s data protection law, within the stipulated timeframe.

So said advocate Pansy Tlakula, chairperson of the Information Regulator, speaking to ITWeb following last week’s announcement that more sections of the POPI Act will come into effect as of 1 July.

“The Act was passed in 2013, so nobody has an excuse,” states Tlakula. “They [organisations] probably thought the Act will never come into operation. Remember that it was passed in 2013 and nothing happened.

“In December 2016, we were appointed and we've been preaching, telling people to comply as this Act is there and not going anywhere. There are Acts that were cast for many years, which have not been brought into operation, so maybe they thought the same with this Act.

“We pushed very hard for the Act to be brought into operation…they can’t tell us they can't comply because we have been engaging since the beginning of 2017.”

Despite Tlakula’s assertions, a 2019 Sophos-commissioned study to determine the state of POPI Act compliance within South African companies showed that only 34% of survey respondents felt their organisation was going to be ready to meet the POPI requirements.

Furthermore, the majority of respondents (77%) believed their organisation would suffer reputational damage if fines for non-compliance were imposed.

Tlakula emphasises that everyone − public and private bodies − still have a period of one year from 1 July to put compliance processes and mechanisms in place, to ensure they comply and conform to the Act.

“Those who have practices that do not comply with the Act will have to ensure they change those practices and bring them into conformity with the Act.

“Between now and the first of July next year, for instance, we can’t take any action against anyone because people have a one-year grace period to comply.”

Excessive surveillance

Over the next year, Tlakula said the Information Regulator will be looking into how the Act applies to accessing of personal information by security companies in office buildings, complexes as well as CCTV platforms, to determine what is and is not allowed.

More cities across the country are seeing a surge in CCTV surveillance, with organisations like Right2Know raising concerns over the legalities and ethics of this on private citizens.

In terms of office spaces, for instance, Tlakula explained that the issue is determining whether they are in compliance with the Act when collecting information from an individual.

“A big issue that we need to interrogate is whether the information they require is excessive or not.

“The excessiveness is the main issue because they have to take information, collect it for the purpose they need it and they should not collect more than they need − those are the rules.

“The question that we then have to ask is if you enter a complex, is it excessive or not for the owners of that building to want to your name, your address, your ID and driver’s licence? They scan your driver’s licence, they scan the disk on your car, and we will have to ask if that is excessive or not?

“Just off the cuff, I think it is excessive,” she adds. “For me, the thing that they should be looking for is the plate number for the car. I don't see how they need my ID because it contains a lot of information. Once you have my ID, you have everything about me. Do they need that information and for what purpose, how do they store it, where do they store it, is it secure where it is, what do they use it for?

“We don't know where they store that information, what if their systems are breached where they store it, and do they sell it? We don't even know.

“For now, between now until next year, we’ll just be engaging these people to say we are worried about 1, 2 and 3 in the way that you process personal information, so fix it.”

COVID-19 challenge

Tlakula revealed her office has also been adversely affected by the COVID-19 pandemic, which has seen the country remain under lockdown while other areas of the economy slowly begin to reopen.

“Our budget is very small as it is and COVID-19 has worsened everything.

“With COVID-19, the economy and the lack of money, it's going to be very difficult but we have to do what we have to do until such time that the economic situation improves.

“I’ve told my colleagues that we cannot sit and say we don’t have money. Yes, we don’t have money but with the little that we have, we must at least do something.”

Despite the challenges, Tlakula believes there are areas of opportunities for young people to be data protection activists.

“We have freedom of expression activists everywhere but I don’t see data protection activists. This is an opportunity for specialisation in an area that no one is an expert in now because it's all new.

“It’s a new area of work and specialisation that people should take advantage of and acquire new skills,” she concludes.