Privacy and Data Protection laws in South Africa

The South African Bill of Rights states that everyone has the right to privacy, which includes the right not to have their person, home or property searched, their possessions seized or the privacy of their communications infringed (South African Government, 2009).

The same Bill of Rights states that everyone has the right of access to any information held by the state and “any information that is held by another person and that is required for the exercise or protection of any rights” (South African Government, 2009).

South Africa also has the “ECT Act” (Electronic Communications and Transactions Act), which covers personal information that has been obtained through electronic transactions and defines a set of rules between the person the information is about and the person/organisation (“data controller”) who is holding that information. This act states that the data controller must abide by all of the following points:

“(1) A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.

(2) A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

(3) The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.

(4) The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

(5) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

(6) A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

(7) The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.

(8) The data controller must delete or destroy all personal information which has become obsolete.

(9) A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.” (South African Government, 2002).

In contrast to the UK, South Africa does not specifically have a Data Protection Act. If we look at the Data Protection Act 1998 for the United Kingdom (United Kingdom Government), we see that its section on “Rights of access to personal data” is almost the same as South Africa’s but contains a much more comprehensive overview of the subject.

Interestingly enough, the U.S. does not have a specific Data Protection Act. It has the “Privacy Act of 1974” and the “Computer Matching and Privacy Act”, but both apply only to personal information held by the government and do not cover other entities. The U.S. has another act, “The Privacy Act”, which can be described as follows: “The act set forth some basic principles of “fair information practice,” and provided individuals with the right of access to information about themselves and the right to challenge the contents of records. It requires that personal information may only be disclosed with the individual’s consent or for purposes announced in advance. The act also requires federal agencies to publish an annual list of systems maintained by the agency that contain personal information.” (Stratford & Stratford, 1998).

References

South African Government (2009) Chapter 2 – Bill of Rights [Online]. Available from: http://www.info.gov.za/documents/constitution/1996/96cons2.htm#14 (Accessed: 14 November 2010).

South African Government (2002) Electronic Communications and Transactions Act, 2002, No. 25 of 2002 [Online]. Available from: http://www.internet.org.za/ect_act.html (Accessed: 14 November 2010).

Stratford, J.S & Stratford, J (1998) ‘Data Protection and Privacy in the United States and Europe’, IASSIST Conference, 21 May, Yale University. New Haven, Connecticut: University of California.

United Kingdom Government (1998) Data Protection Act 1998 [Online]. Available from: http://www.legislation.gov.uk/ukpga/1998/29/contents (Accessed: 14 November 2010).