The Information Regulator of South Africa says continuous breaches of processing personal information of a person could lead to the fine of up to R10-million to 10 years imprisonment.
The Regulator is warning people to be careful of how they distribute the personal information of data subjects without their consent.
The personal information of people is protected in terms of the Protection of Personal Information Act (POPI Act). It became law when President Cyril Ramaphosa signed the Protection of Personal Bill into law in November 2019. However the implementation of the Act only kicked in fully on the 1st of July this year.
The Information Regulator says the Act prohibits the distribution of personal information without the consent of the individual identified in the item being distributed.
Picture, personal information
The Regulator says a picture forms part of personal information. It says people should be careful of how they distribute the personal information of data subjects without their consent.
A data subject is a clearly identifiable person. Councillor at the Information Regulator Adv Collen Weapond says the data subject can seek legal remedies for damages if there was a breach of the Act.
“We have to be clear that in this case, the breach would have occurred if the distribution was not purely personal use for journalistic purposes and did not have the consent of the person on the photograph. If those exclusions do not apply, then the person- the data subject has the right to seek civil remedies by instituting legal action for damages suffered as a result of such a breach,” says Weapond.
Weapond says those who continuously breach the POPI Act can face hefty penalties including imprisonment.
“In instances where it is not a once off event and there is continuous processing of personal information in breach of any of the provisions of Protection of Personal Information Act, the Regulator is empowered following processes prescribed in the Act to issue an enforcement notice instructing the party processing the person’s information to change the manner of processing such personal information. If the party failed to comply with an enforcement notice, they are liable for an administrative fine of up to R10-million or a term of imprisonment of up toten years – or both in terms of section 107 of the Protection of Personal Information Act,” Weapond added.
Still awaiting response
The circulation of the pictures of former President Jacob Zuma on social media recently made headlines. They were taken at the Estcourt Correctional Centre when the former President was admitted to serve his fifteen months sentence. This prompted the Regulator to write to the Correctional Services Department requesting that measures be put in place to safeguard and prevent loss and unlawful access of personal information, including photographs of new inmates. Weapond says they are still awaiting the department’s response.
“The Information Regulator has not received a reply from the Department of Correctional Services, but I am certain that the correspondence is receiving the necessary attention. We shall await the opportunity to engage the Department of Correctional Services on this important matter, and ensure that continuous awareness campaign is performed to ensure that further data breaches are prevented,” says Weapond.
The Information Regulator says it’s urging the public to be informed about the rights of individuals which are protected in terms of the POPI Act. It says people should not violate another person’s rights or the provisions of the POPI Act through distribution of personal information without consent of the data subject.
VIDEO: Protection of Personal Information Act comes into effect