Cape Town – Company executives who fail to secure data in South Africa may face jail time, the Protection of Personal Information Act, known as Popi, says.
However, while the act specifies prison time for people who fail to keep personal information confidential, SA has not yet fully implemented the legislation.
“Until the Act is implemented it is difficult to know what such conditions could be, particularly in light of the fact that similar laws in the UK and Australia do not prescribe custodial sentences for breaches,” Wayne Mann, director of Group Risk at The Unlimited, told Fin24.
Popi legislation specifies penalties of jail time up to 10 years and R10m for contravening sections related to data protection.
“If one breaches the following sections of the Act, 100, 103(1) and 104(2), 105(1) and 106, which deal, among other things with the powers of the Regulator to enforce compliance with its provisions, obstructing the Regulator in the performance of the Regulator’s duties, the selling, disposing or processing of a person’s account number in a manner not authorised by the Act, a prison sentence of up to 10 years can be imposed,” Mann said.
The legislation states that people who “knowingly or recklessly, without the consent of the responsible party” share personal data are guilty of an offence in terms of the act.
Mann, though, argued that outright fraud was more likely to result in jail time than contravening Popi.
“In our view the offences that overlap with our common law crimes such as fraud and theft, for example the unauthorised selling of a person’s account number, are more likely to be frowned upon by society and it is these offences that could result in prison sentences being imposed.”
Popi, which was modelled on European legislation, was intended to give citizens the right to protect their reputations, said an attorney.
"Popi is modelled on Europe’s EUDPD [EU Data Protection Directive]. Popi gives ‘data subjects’ (SA citizens) control over their personal information relating to criminal activity or negative and damaging behaviour they may have committed in the past or are suspected to have committed," specialist technology attorney Russel Luck told Fin24.
“Popi categorises this type of personal information as ‘special personal information’ under S26 of Popi and can only be processed by a ‘responsible party’ in certain circumstances,” he added.
In the UK, the Data Protection Act was passed in 1998, but compliance took more than a decade and SA may face a similar situation.
“The Act does provide for a 12 month compliance period from the date that certain provisions become effective – which is only likely to happen once the office of the Information Regulator is established (which has commenced). Given the length of time that the act has been in the public arena, our view is that it is very unlikely that the 12 month compliance period will be extended,” said Mann.