On Tuesday, the Information Regulator asked to meet with insurance firm Liberty over its data breach. This comes after Liberty was hacked last week, and although the company insists its clients' policies are not at risk, it is not clear exactly how much data was stolen.
But what exactly is the Information Regulator, and what does it do?
The Information Regulator, according to its website, exists to monitor and enforce compliance by public and private bodies with the Protection of Personal Information Act (PoPIA). The regulator consists of the chairperson, Pansy Tlakula, and four other people, one of whom must be a lawyer.
According to global law firm Linklaters, some aspects of PoPIA came into effect by presidential proclamation in 2014. This is mainly the establishment of the Information Regulator. But others have not, and companies will have a one-year grace period in which to implement the new law once it is gazetted.
At a PoPIA workshop in July 2017, media-law expert Dario Milo explained that the act is designed to make sure people's personal data is protected. It affects anyone who collects the personal information of others. Only certain categories of people are exempt from it, including government surveillance agencies, the media, and information gathering for literary or artistic purposes.
PoPIA requires anyone collecting personal information, like banks, to get "informed, explicit consent" from clients to gather their data. People need to made aware of exactly what the company intends doing with their information, and where it will be stored.
Gone are the days when fine print in heavy legal jargon constituted informed consent. Anyone processing personal data, including civil society organisations, will have to clearly explain their privacy policies.
Writing for MoneyWeb, Wayne Clarke, managing editor of Metrofile Records and Information Management South Africa, said PoPIA places the onus on companies that hold personal information to protect it. This includes information such as ID numbers, private conversations such as those between a representative and a client, and biometric information such as blood type.
Noncompliance with PoPIA can result in fines of R10-million and up to 10 years' jail time. He said that South Africans are legally obliged to keep records such as AGM reports and accounting records for seven years. But after that, it is best to get rid of them responsibly, he said, as this is the most effective way of ensuring the information is not stolen or leaked.
In a 2013 interview with Tech Central, Milos said that some of the problems for companies are that the act prohibits the transfer of data across borders if the receiving country's data protection laws are inadequate. Another tricky issue is the fact that the law covers natural persons as well as juristic persons, which means that correspondence between companies would also be covered by it.
But despite the promulgation of certain parts of PoPIA in 2013, its implementation has been slow. As reported by Daily Maverick, Tlakula told Parliament earlier this year that her office is bogged down by bureaucratic hurdles.
The Right2Know campaign reportedly said there was very little awareness about the Information Regulator, and said there had been a "deafening silence" by its office regarding national issues related to the leaking of personal information.
And despite receiving 180 complaints to date, Tlakula and her team cannot enforce and settle complaints yet.