Last week we published an article on the phenomenon of personal data as a commodity where we cautioned individuals on what they need to know before sharing personal data online. Now that you are familiar with cookies, personal data, and data breaches – it is time to consider the laws surrounding data mining and how you can protect yourself against data breaches.
The Right To Privacy
Section 14 of the Bill of Rights guarantees the right to privacy. Section 14(d) provides that everyone has the right to privacy, which includes the right not to have the privacy of their communications infringed.
According to University of Pretoria law lecturer, Dr. Lukman Adebisi Abdulrauf, the right to data privacy considers an individual’s right to control his personal information, control who accesses it, and what it can be used for. Excessive influence on people’s privacy has the potential to limit, both directly and indirectly, the free development and exchange of ideas.
Because of rapid advances in technology that threaten to infringe on this right and data mining which allows companies to turn our personal information into a useful commodity, the government has a duty to ensure the protection of the right to privacy. This duty also extends to private actors, individuals, and private business entities as it obligates them to not infringe on this right.
POPIA
The conversation around data privacy has resulted in the enactment of data legislation that acts to deter infringements on the right to privacy. The most noteworthy is the Protection of Personal Information Act (POPIA). POPIA comes into effect on July 1 and provides for a 12-month grace period for companies to be compliant.
According to the preamble of the Act, POPIA is premised on the following principles:
Promote the protection of personal information processed by public and private bodies.
Introduce certain conditions aimed at establishing minimum requirements for the processing of personal information.
Provide for the establishment of an information regulator.
Provide for the rights of persons regarding unsolicited electronic communications and automated decision making.
Regulate the flow of personal information across the borders of the Republic.
Provide for matters connected to what the Act stands for.
POPIA provides much-needed conditions for the lawful processing of personal data of South Africans. The Act recognises that the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
Since the allowance to process data is so wide – it is imperative to understand your rights as the data subject.
Rights Of The Data Subject
Section 5 of the Act sets out the rights of data subjects and provides that a data subject has the right:
To be notified that personal information about them is being collected, provided or has been acquired.
To request access to their personal information from the holder.
Where necessary, to request the correction, destruction, or deletion of their personal information.
To object, on reasonable grounds, to the processing of their personal information.
Not to be subject to a decision solely based on automated processing of their personal information.
To submit a complaint to the Regulator regarding an alleged interference.
To institute civil proceedings regarding an alleged interference with the protection of personal information.
For the lawful processing of personal data, the Act sets out eight conditions for companies, namely:
Accountability
Processing limitation
Purpose specific processing
Further processing limitation
Information quality
Openness
Security safeguards
Data subject participation.
Compliance With The Act
To make sure companies are compliant with the principles of the Act and in turn, the right to privacy – the Act provides that they must:
Obtain consent before collecting data.
Only collect data needed for a legitimate purpose.
Take reasonable steps to protect the integrity of the information.
Store the information only for as long as it is required.
Provide access and corrections to data subjects’ information.
Create policies to notify the Information Regulator about your privacy policy (see the Career Wise Privacy Policies).
Direct Marketing
Nowadays, complaining about the persistence of telemarketers has become a regular part of many conversations. Direct marketing means approaching a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of either promoting or offering to supply goods or services or requesting a donation of any kind. One of the most relevant aspects of POPIA is that it provides South Africans with rights regarding direct marketing.
As per section 69 of the Act, companies are permitted to engage in the processing of personal information for direct marketing only if the data subject has given consent or they are a customer of the company.
Conclusion
POPIA is expected to ensure fair, ethical, and safe data processing. Companies need to make sure they are compliant and we, as data subjects, need to stay clued up on the law to guard against any form of exploitation.
“This website uses cookies to remember you and improve your experience. To find out more see our Privacy Policy.” Wait, what are cookies, and why are you consenting to them?
What are cookies?
Everyone who uses the internet is familiar with the “cookie policy” that pops up when visiting a new website. What everyone is not familiar with is what these cookies are and the implications they present.
Cookies are small files used by websites to monitor and remember certain information about us. This information includes general information like what we have stored in our e-commerce shopping carts as well as personal details like names and birth dates, our login details, and locations. It is a common occurrence for people on social media to remark on how they have searched for a product on Google and then saw the same product being advertised to them on Instagram straight after. The cookies allow companies the convenience of following you around the internet and easily keeping up with consumer demands.
According to Recode, cookie policies are a symptom of an emerging commodity known as personal data. Every time you use online services such as internet search, email, social media, messenger apps, and cloud storage, you pay for them using your personal information, and through advertising, companies convert your data into money. We are inundated by ads that follow us around the internet because of third-party cookies placed by advertisers to see what we are interested in. Simply put, every time we interact with companies online, they are recording our personal information and storing it for their business purposes, which is sometimes in the form of tailor-made ads to entice us to buy the company’s products.
The sensitivity surrounding personal data cannot be overstated. In a world where our personal information is becoming a social commodity – it is imperative to understand what exactly personal data is, how companies use it and how one can protect themselves from the exploitation of this resource.
What is personal data?
Personal data refers to our information as the site user. This can be biographical information such as age, race, marital status or religion, education, financial, location or medical information – it even extends to personal views.
When you log in to a bursary services website (i.e. online application) such as Career Wise, there is certain information that you share with the website in order to have a user-friendly experience that points you directly to the bursary that might be best suited for you. Without your personal information, Career Wise cannot assist you adequately in your search and the interaction would prove futile for both parties. Sharing personal information on the internet is sometimes necessary – but it is important to monitor where and how we share it.
Data Breaches
A data breach occurs when confidential, sensitive, and protected information is exposed to an unauthorised person, without permission. Most times, data breaches occur due to technology and user behaviour.
In the past 5 years, the country has experienced some notable data breaches and leaks. In 2016 there was a security flaw in eThekwini Municipality’s eServices website which allowed any web browser to view the municipal account information and personal records of 98 000 residents of the municipality. The personal records included names, birth dates, genders, ID numbers, passwords, phone numbers, physical addresses, and utility bills. In addition to this, in 2018 there was a Facebook data breach that saw close to 60 000 South Africans’ data leak in the Cambridge Analytica saga. Another noteworthy data breach happened in 2020 when the personal data of 24 million South Africans and over 700 000 businesses was breached and leaked onto several public websites.
It goes without saying that we need to carefully consider sharing information that can be used to distinguish and trace our identity online. However, it is sometimes necessary and the only way to move forward is to understand what companies can and can’t do with the personal information available on these websites.
Companies’ Obligations
The idea of companies selling our private information online sure raises some concerns, but it is completely legal and data breaches are not frequent occurrences. What is important is for us, as consumers, to be knowledgeable on what companies can and cannot do with our personal data. The first step is to familiarise yourself with the privacy policies (see Career Wise Privacy Policy) of websites you share personal information with. Let’s be honest – no one actually reads these policies, but when you are consenting to a big corporation using your personal information to “remember you and improve your experience” – your safest bet is knowing exactly what these words entail. These policies are there to protect you from corporate exploitation as they limit what companies can and cannot do with your data.
So, before you allow cookies to store your ID number, date of birth, and location on another online platform – make sure you have familiarised yourself with that website’s privacy policies.