The Appointment of the Information Regulator: An important step in protecting the right of privacy
As it turned out, shortly prior to Dene’s death, I called her to tell her of the announcement of the shortlist for the position of Information Regulator, a development that we both welcomed despite it being long overdue. Since then, on the 19th and 20th April 2016, the nominees for posts within the office of the Information Regulator were interviewed, and the announcement of who will be charged with this extremely important constitutional responsibility should be made in the near future. Those responsible will then have the task of establishing, from scratch, the Office of the Information Regulator. There are many factors that will influence how long this will take as there is much to do, including the drafting of regulations governing, among other things, how responsible parties and data subjects will interact with the Regulator.
There are also several issues that will influence the functionality of the Regulator, not least of which will be the education of its principals and persons employed in the administration of the Act. One also hopes that, parallel to the education of persons employed by the Regulator in their powers, duties and functions, citizens will be educated in their rights as data subjects. It is not an accident that Section 40 of the Act, which details the powers, duties and functions of the Regulator, has as the very first duty that of education.
Given the failure of senior persons within government to recognise the importance of this constitutional right and the resultant delays in the implementation of the Act, the Regulator could do worse than starting the educational process with the Executive within the South African Government. As the Constitutional Court has emphasised, an understanding of the Constitution and the protections it provides to its citizens is fundamental to good government. Government holds and is responsible for the security of the largest repository of personal information of South African citizens and it has a significant task if it is to set the example and fulfil its obligations in processing personal information lawfully. In order for it to do so, it will have to address the issue of information security with greater energy than has been the case up to now. It is an unfortunate truth that many government information and communications technology systems lack appropriate information security management.
The appointment of the Information Regulator also demands that processors of personal information in the private sector now commence their efforts to comply with the long-existing constitutional obligation to protect privacy as facilitated by the Act. There are lamentably few entities which have taken this responsibility seriously to date. In my experience those that have been proactive in addressing compliance with the Act have realised significant benefits not only in the protection of personal information but in refining the management and the security of their information and communications systems.
Many organisations, particularly larger processors of personal information, who have not begun to address compliance with the Act and to understand the importance of the implementation of good information management and information security disciplines, will realise that these cannot be developed overnight. They may find themselves in difficulty in fulfilling their compliance obligations, even considering the transitional periods which are established in the Act.
What South Africans also need to be mindful of is that while government has once again been delinquent in not respecting its obligation to uphold the constitutional rights of citizens and is directly responsible for the avoidable delays which have occurred, the rest of the world has made quantum leaps in the protection of privacy. These international developments, which demonstrate how seriously the right of privacy is regarded and the steps that are being taken to protect the security of personal information globally, will be addressed in the next article that is to be published by Privacy Online.
©Mark Heyink 2016