This sparked a train of thought related to publicly available personal information which has been a concern of mine for some time now. As most people in South Africa know, anyone (with no actual reason to ask for it) can ask for and get the following information from the CIPC:
- Company name and registration number
- Directors' names and nationality
- Director's ID number
- Director's home address
- Director's postal address
- Director's age (either from the ID number or explicitly stated)
- Director's gender (either from the ID number or explicitly stated)
Similar information can be obtained from the Deeds office when asking for ante-nuptial contracts or for title deed information.
The Companies Act no. 71 of 2008 in section 24(5) further (indirectly) legitimises the collection of the ID number of a director (and by extension their date of birth and gender) as this is required information that must be disclosed (in terms of s26(2)) to any person who cares to ask for it (irrespective of the reason that it is being requested for).
Of course, this raises real questions about how the Protection of Personal Information Act (POPI) can be implemented when dealing with public records. Can it really be said that simply by becoming a director of a company, getting married or owning property I automatically relinquish any expectation of privacy regarding my identity number and home address?
As many people already know, POPI has been in the legislative wings for some time now. While it has finally become an Act and the sections empowering the Information Regulator have been enabled, there is great uncertainty about how companies must protect personal information and even more uncertainty about whether companies can use that personal information if it is freely available from places like the CIPC.
While the position of private companies and individuals is also interesting, for the purposes of this article I want to focus on how the CIPC should approach POPI.
As can be seen from the sections of the Companies Act above, the CIPC is mandated to provide various information to any member of the public on request (for a small fee). Unsurprisingly, POPI seeks to restrict any intrusion into the privacy of a data subject (and this includes company information), including the provision of personal information for unnecessary / irrelevant purposes. We are then left with two competing interests – the privacy of the individual (director) versus transparency of corporate information. As soon as we arrive at any conflict, the first thing we need to do is refer back to s3(2)(a), which contemplates such a conflict and reads:
This Act applies, subject to paragraph 3(2)(b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act.
Section 3(2)(b) is essentially irrelevant, as it says that if there is another Act that gives a person more privacy rights then it will prevail.
Of course, this is concerning for government organisations such as the CIPC, as this section suggests that the Companies Act would be overridden by POPI.
Fortunately there is some relief for state institutions as s3(3)(b) introduces a measure of sanity in requiring that POPI should not, “…prevent any public or private body from exercising or performing its powers…”.
What this essentially means is that the CIPC, the Deeds office and all other government departments have their work cut out for them. Each department needs to go back to its enabling legislation to determine whether – notwithstanding that enabling legislation – more privacy should be accorded to data subjects than is currently provided.
In the case of the CIPC I would argue that – as a minimum – the CIPC must require all persons requesting the information to disclose their purpose for obtaining the CIPC data. This in turn would allow a director to lodge a complaint about a breach of POPI with the Information Regulator, as the director would be able to get a list of all requests on the data and see what purpose was disclosed by the requestor. If his PI was used for another purpose then it is likely (but not inevitable) that his privacy was breached.
What this means in practice is that the CIPC would need to change its current system to:
1) Have a log of all the persons who requested the CIPC data (both directly and indirectly through resellers of CIPC data), and
2) Require that the purpose for which the PI was requested is disclosed.
At first blush, disclosing the purpose when requesting a record may seem to be a novel thing to include. However, requiring that a purpose is disclosed is already part of our law in Regulation 18 of the National Credit Act. This regulation sets out acceptable reasons for requesting a credit bureau record, and credit bureaux (and their resellers) have already implemented this logic within their business systems.
All this leads me to wonder whether government entities have truly considered the real impact that POPI will have on their systems, as it seems to me that they may have even more work to do than the private sector.