If you thought Facebook was interesting...

Posted in Blog

- By Gabriella Razzano

Facebook’s been ‘spying’ on you, and privacy is a farce. For many, these sorts of revelations have been a startling and upsetting reality check, rather than the histrionics of nerds previously ignored. For others, it was a “but of course” moment. For us at the Open Democracy Advice Centre, it has instead been an “and so we must” moment.
 
Personal data and privacy are not just about people knowing about you. The terrifying revelation for many about the role of Cambridge Analytica in the Facebook data leak is how power over data can even extend to influencing you. And the extent of what is known about you may go beyond what you have imagined too – as Dylan Curran, of the Guardian, painfully noted, the data Facebook or Google hold on you could be your movements, your emails, your stickers, information you hold and information you deleted. Not to put too fine a point on it, they essentially hold your thoughts. And we trust them somewhat unthinkingly to defend this data (though in many senses, we gave it to them to ‘own’ for free).
 
The Internet in many ways confronts us with new forms of risk we might not feel ready to handle. But the law has been responsive to these threats, which in many ways echo the fundamental way rights have been threatened since the Universal Declaration of Human Rights was declared. And the impact of these risks has been felt directly in South Africa, with data breaches hitting the headlines with almost disturbing regularity. If you use a computer or a smartphone, you should realise that your personal data is not just bits and bytes, and you have to learn how to protect it.
 
In South Africa, the Protection of Personal Information Act (POPIA) was written specifically to defend and protect your personal data. Yet the agency charged with implementing and operationalising this law is not yet fully able to function. South Africa’s Information Regulator knows its own relevance – it wrote a letter to Facebook to question what steps would be taken to comply with POPIA. But as any citizen will tell you, writing angry letters will never be enough. If the Information Regulator were fully operational, fines or even prison time could be on the cards for violators.
 
If you care about the Facebook data breach, or about those annoying phone calls you get on your cell phone (and wonder: how did they get my number? How do they know my name?), you should care about the Information Regulator. But the question then has to be: what can we do to get the Regulator operationalised?
 
When addressing Parliament, the Regulator noted that blame for its failure to fully establish itself lay somewhere between the Department of Public Services and Administration, National Treasury and the Public Finance Management Act. All we know at ODAC is – if you stay in contact with us over the next few weeks – we’ll be doing our best to find practical solutions to getting your data safe, even if the powers that be aren’t prioritising it.

A call to action for the Information Regulator

Posted in Blog
In 2016 the Information Regulator was established in South Africa with the dual mandate of ensuring access to information and protecting personal information for all citizens.

Since being established, it has appointed five members to the board and set up its offices. However, there has been little further action in the past year.

The public must now ask: what are the reasons for these continued delays, and for how much longer must we continue to wait?

The PAIA Act was written in 2000 and the POPI Act was passed in 2013, but we are still waiting for the President to proclaim the commencement date for these Acts. This year we will have been waiting for PAIA for almost 18 years. And with the European Union’s GDPR regulations coming into effect on 25 May 2018, POPI can no longer be kept on the back-burner.

Action needs to be taken. It is time for the Information Regulator to fulfil its duties to the citizens of South Africa and start holding companies and organisations accountable to the PAIA and POPI Acts.

In a fair and democratic society the PAIA Act is a vital piece of legislation to facilitate access to information in order to increase the transparency of governmental bodies and public enterprises and to hold them accountable to the people.

As we move further into the 21st Century, cyber-security and threats to personal data are going to continue to be one of the most pressing concerns of people and governments.

Improving citizens’ data security, educating the public about data security and protecting people’s personal information is of paramount importance in modern society.

It is time for the Information Regulator to start encouraging swift and sustainable action in this regard.

As this issue becomes ever more pressing here are 20 questions we as citizens of South Africa want answered by the Information Regulator:

  1. How do I find out which companies have access to my personal data?
  2. How do I find out if my personal data has been compromised?
  3. How do I report a company that I think is abusing my personal information?
  4. What rights do I have with regards to protecting my personal data?
  5. Can I ask companies to tell me how much of my personal data they have?
  6. Can I ask businesses to remove my personal data from their systems?
  7. Do I have a right to claim compensation from companies who abuse my personal data?
  8. What rights do I have with regards to getting information about the purposes for which my personal data will be processed?
  9. Do I have the right to restrict or object to the processing of my personal data?
  10. Do I have the right to object to the processing of my personal data for direct marketing purposes?
  11. Will the Information Regulator set up a complaints channel for people to report data violations?
  12. How do citizens know if organisations are PAIA and POPI compliant?
  13. How will the Information Regulator ensure that companies communicate transparently with people about the processing of their personal data?
  14. How will the POPI Act be regulated and enforced once it is signed into legislation?
  15. What authorisation process is in place to ensure responsible parties can process personal information?
  16. What is the process for gaining access to information from Public and State Owned Enterprises?
  17. What are the criteria for requesting access to information from Public and State Owned Enterprises?
  18. How do we encourage sharing of public information for greater transparency and accountability from Public and State Owned Enterprises?
  19. What is the process for registering an Information Officer with the Information Regulator?
  20. How will the Information Regulator enable compliance with other regulatory bodies, for example the GDPR?

What you need to know about the Information Regulator

Posted in Blog
Every day we log in to multiple devices and share our personal information with a multitude of apps, online businesses and service providers. Do you ever think about how much of your personal information is online and where it is being stored? What do companies know about you, and how safely are they keeping all your personal information? Can you recall how many services and companies you have given your ID number or credit card details to in order to secure a payment or verify your account? What about your personal address details? In a recent article on Bizcommunity it was noted that data is the biggest trend for 2018 and companies will pay top dollar for consumer data and insights. In a digital world, as we share more and more of our personal data every day, the question of how this data is collected, shared and stored is one of ever-increasing concern that needs to be taken seriously.


But perhaps even more important is the question: who monitors the collection, and the safe and just use, of all our personal data?


In 2016 the Information Regulator was set up in order to establish a governing body in South Africa that would be responsible for regulating the use of consumer data and holding companies to account for that data’s safe storage and protection. Since its establishment it has appointed five members, including chairperson Pansy Tlakula, but we have not seen any substantial further action from this body. This government body is key to each and every one of our lives – so why have we heard so little about it?


Introduction to the Information Regulator


The Information Regulator is an independent body that has been established with the dual mandate of:

1. Promoting access to information in line with the Promotion of Access to Information Act, 2000 (Act 2 of 2000) (PAIA); and
2. Monitoring and enforcing compliance by public and private bodies with the Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPI).


The Information Regulator was established in terms of Section 39 of the Protection of Personal Information Act 4 of 2013. It is subject only to the law and the constitution and it is accountable to the National Assembly.

The Information Regulator was established in December 2016 and the current members of the Information Regulator are Chairperson Pansy Tlakula (Adv), Adv Lebogang Stroom-Nzama, Adv Collen Weapond, Prof Tana Pistorius and Mr Sizwe Snail ka Mtuze.

The creation of this body means that the public can now approach the Information Regulator to address the following:

1. The facilitation of access to information
2. Protection of information and personal data
3. Reporting on misuse of data

However, the law that creates the Information Regulator is not yet in operation. It has yet to appoint staff, after existing for a year.


What could the Information Regulator do?

The Information Regulator has a dual mandate of ensuring access to information and protecting personal information. As part of this role, it is the Regulator’s responsibility to ensure that data is protected and that personal information is held and secured by responsible parties.

The Information Regulator can also hold responsible parties accountable for not complying with the PAIA or POPI Acts.
The Information Regulator’s responsibilities include:

  • The responsibilities as outlined in Parts 4 and 5 of the Promotion of Access to Information Act (PAIA)
  • Monitoring and enforcing POPI compliance by public and private bodies
  • Handling complaints by data subjects in line with POPI
  • Ensuring compliance with the conditions for processing information
  • Ensuring the personal information is processed lawfully by responsible parties
  • Educating responsible parties on the conditions for lawful processing of personal information


Find out more about the Powers, Functions and duties of the Information Regulator here: http://www.justice.gov.za/inforeg/about.html


For some time ODAC have been promoting the use of the Promotion of Access to Information Act 2 of 2000 (PAIA). We have accomplished some great successes with PAIA in not only encouraging the public to use the Act but also using it ourselves in the strategic pursuit of transparency. In the 2012 reporting period, the PAIA Civil Society Network (of which ODAC is an active member) noted that only 16% of requests resulted in the release of requested information, and more disturbingly, 54% of requests simply remained unanswered. As the Information Regulator is now responsible for upholding the PAIA Act it is our hope that this will allow for more freedom of information and greater transparency as clearer processes are put in place to facilitate the sharing of information under the Act.

Why is the Information Regulator important?


The Information Regulator reports to Parliament and has extensive powers to regulate and enforce both the Promotion of Access to Information (PAIA) and the Protection of Personal Information (POPI) Acts. The Information Regulator can also investigate and fine any parties who violate the PAIA or POPI regulations. Under POPI, businesses and bodies will be responsible for the protection of the personal and consumer data they gather and will not be allowed to sell consumer data without consent. Under this law companies could be fined up to R10 million, and directors of companies found to be in violation of the laws could face prosecution and jail terms.


As recently as October 2017 there was a massive data breach reported in which 30 million South Africans’ personal information was compromised, including their names, addresses, ID numbers, genders, ethnicities and email addresses. The breach was blamed on insufficient security measures and is a stark wake-up call that we should all be questioning what measures companies have in place to protect our personal data.


This is one of the numerous data hacks which have occurred over the last few years. Do you know if your personal data has been compromised? If you would like to, you can check whether your personal information has been compromised here: https://www.thisisme.com/


Under the POPI Act the Information Regulator should be enforcing stricter security measures to prevent these types of breaches and holding those companies who are responsible for security negligence to account.


The Regulator’s appointment promised a new dawn in access to information and protection of privacy in South Africa. However, so far the Regulator has not received sufficient support from the state to ensure its operation. The five members of the Commission are drawing salaries without enough support staff or their own offices to allow them to function. As there is currently no legislation in force, they are effectively bound hand and foot.

Questions for the Information Regulator


With the concerns about data security increasing daily here are some urgent questions that need to be asked and answered by the Information Regulator.


1. How will the POPI Act be regulated and enforced once it is signed into legislation?
2. What authorisation process is in place to ensure responsible parties can process personal information?
3. If there is no authorisation process in place, what is the time frame to have this process established?
4. The law according to PAIA automatically designates a person in each organisation as the Information Officer. What is the process for registering an Information Officer with the Information Regulator?
5. How will the Information Regulator enable compliance with other regulatory bodies, for example the GDPR?

The GDPR


Of further concern is the European Union’s passing of the General Data Protection Regulation (GDPR). The European Union (EU), which governs how countries within the EU such as France, Germany and Italy interact with each other and the rest of the world, has developed the GDPR as a set of rules to protect the personal information of all residents of the EU.


The GDPR replaces the Data Protection Directive and is set to become the ‘gold standard’ for data privacy regulation globally. Under the GDPR, individuals will have expanded rights over their data, including: the right to access, the right to be forgotten, the right to data portability, the right to be informed, the right to restrict processing, the right to object and the right to be notified. The rights outlined in the GDPR mean that the conditions for obtaining consent to use personal information are stricter, and organisations will have to prove that consent was given before using individuals’ personal data. The security of personal data will also become stricter: businesses will need to put adequate security measures in place to guard against data breaches, as well as take quick action to notify individuals and authorities if any data breaches occur. In addition, it will be imperative that organisations establish procedures for handling personal data to comply with GDPR rights and regulations.

The GDPR enforcement date is 25 May 2018. The EU has stated that any organisations who are not in compliance with the GDPR will face heavy fines. This has important implications for companies in South Africa who work with EU customers’ personal data, as any company that handles personal data from EU citizens will need to comply with the GDPR whether they are situated in the EU or not. Even organisations established outside the EU will be subject to the GDPR: if a business offers goods or services to citizens in the European Union, then it will be subject to the GDPR.

It is also thought that the GDPR will conduct an adequacy assessment of all companies with customers in the European Union. The question of adequacy will be linked to the role of the Information Regulator and the legislation that South Africa has in place with regards to data protection. This makes the POPI Act legislation even more relevant to South African businesses. Will the EU and the GDPR find South African companies adequate if there is no legislation in place to protect personal data?


We as citizens of South Africa need to start holding our government and the Information Regulator in particular accountable for our data security.


How do you contact the Information Regulator?


You can email the Information Regulator with your query or call them on 012 406 4818.
Visit their website for more details: http://www.justice.gov.za/inforeg/contact.html
If you have a question or comment about PAIA or POPI that you would like the Information Regulator to address we suggest you write a formal letter to the Office of the Information Regulator for the attention of Chairperson Pansy Tlakula.

For more information on PAIA and POPI:


PAIA: Promotion of Access to Information Act, 2000 (Act 2 of 2000):


POPI: Protection of Personal Information Act 4 of 2013:


ODAC have put together a guide to assist organisations in engaging with PAIA. Our hope is that as more departments are forced to engage with PAIA through requests, they will be more likely to implement systems to deal with PAIA requests, which will lead to more effective and responsive behaviour.

 

Creating A Culture Of Supporting Whistleblowing

Posted in Blog

Do people feel safe to speak up? Is our leadership supportive of our vision of a fair and open society? These questions cut to the core of our prime cause: creating the ideal environment for exposing and managing harmful actions – and protecting those who are brave enough to step forward against these actions. 

Culture of whistleblowing

 

Your Safety Is Our Priority 

Though it is true that many are discouraged from uttering the first word against unlawful and dangerous actions for fear of being victimised, whistleblowing remains a key means of exposing flaws in the system. The more issues are brought to light, the easier it becomes to identify patterns and pockets of corruption, and then remedy them accordingly.

The Protected Disclosures Act (PDA) exists to shield whistleblowers from any kind of victimisation, from discrimination to unfair dismissal. We are proud of the fact that the recent positive amendments to the PDA are, in part, the result of over 15 years of advocacy by ODAC.

We have been working tirelessly for many years to fight the stigmas around reporting wrongdoing by providing individuals and organisations with access to the right information, and advocating for best practices. 

The second edition of The Code of Good Practice, our easy-to-follow guide to whistleblowing best practices, includes these new amendments, and covers everything one would need to know in order to safely disclose information, what to consider prior to disclosure, and which steps to take in your pursuit of justice.

Click here to download The Code of Good Practice for free.

Keeping Whistleblowers Safe In The Workplace

Establishing a safe environment for whistleblowing within an organisation gives rise to many benefits. These include nurturing an open workplace culture that naturally rules out wrongdoing, contributing to effectively handling reported incidents, and improving company performance through learning and honest dialogue. This, however, begins with implementing a detailed and considered whistleblowing policy.

A good employer should always ensure that their employees know which whistleblowing policies have been put in place, and that they are protected by the PDA, and supported by the organisation.

Get In Touch To Drive Change From Within

If you would like to ensure that your company has solid whistleblowing mechanisms in place, or require guidance on making a disclosure, please contact ODAC.

Whistleblower Helpline: 0800 52 53 52 (toll-free)