The Protection of Personal Information Bill (“the Bill”) is new legislation in the parliamentary pipeline aimed at, inter alia, bringing South Africa’s personal information and data protection in line with international standards and accordingly giving effect to the right to privacy contained in section 14 of the Constitution. The Bill is likely to be promulgated into law sometime in 2013.
The Bill follows an international trend towards standardization of personal information protection, based on the international consensus on the ambit of such protection. However, South Africa has favoured the European concept of personal information and data protection and the South African Law Reform Commission (SALRC), in its recommendations on the Protection of Personal Information Bill, chose to conform to the EU model for data protection.
Incorporation of such personal data protection principles into our law has, however, been a long process. Many iterations of the Bill have been debated and re-drafted, which has produced a fairly lengthy twelve-chapter Bill. It is submitted, however, that through this process some basic interpretation difficulties in the EU policies have been adopted. One such difficulty, which is the subject of this article, is the application clause in section 3 of the Bill, and the meaning of the qualifying term ‘filing system’ in respect of manual data.
In the international standardization process, many countries were wary of the inclusion of ‘manual data’ (typically contained in paper documentation handled by hand) under their data protection laws, as opposed to automatic data (typically in the form of electronically stored/processed data). When the European Directive on Data Protection (“the EU Directive”) was being formalized, many countries such as the UK, Denmark and Ireland were opposed to the inclusion of structured manual files in its scope. This inclusion, originating from the German Federal Data Protection Act (Bundesdatenschutzgesetz), was, however, provided for on the rationale that, inter alia: exclusion may be used to circumvent data protection measures, a disincentive may be created against new technologies, and data subjects’ rights may be limited by the manner of processing information rather than the processing itself. Accordingly, manual data was included under the EU Directive. However, this was limited in the EU Directive to “filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data”.
In 2003, the SALRC, in its Issue Paper 24, raised the question of whether South Africa should include manual data under its data protection laws. Respondents unanimously supported the SALRC’s view that information protection legislation should incorporate both manual and electronic files, in accordance with the EU Directive. It was noted, however, that caution should be exercised when making reference to ‘automatic’ and ‘manual’ files, as all information which is saved in files is saved by way of prior instructions given manually. By way of example, any automatic electronic system will have had prior manual programming. Furthermore, a manual file is handled by hand, but the definition does not preclude some sort of automatic processing to compile a manual file. The SALRC Discussion Paper commented that these phrases are therefore inappropriate.
Nonetheless, fairly compounded terms and definitions were inserted into the Bill in its definitions and application clause contained in sections 1 and 3, respectively. In this regard, the Bill will apply to the processing of personal information which is:
- entered into a record by or for a responsible party by making use of automated or non-automated means; and
- provided that when the information is not processed by automated means, it forms part of a ‘filing system’ or is intended to form part thereof.
It is submitted that the primary application hurdle in section 3 of the Bill surrounds the requirement that manual information must form part of a ‘filing system’ or be intended to form part thereof, in order for the Bill to apply. A ‘filing system’ is defined in the Bill as any structured set of personal information, whether centralized, decentralized or dispersed on a functional or geographic basis, which is accessible according to specific criteria. In the UK, similar terminology has already proved problematic, as was shown in one of the few cases on the subject: Durant v Financial Services Authority (“the Durant case”). In the Durant case the Court of Appeal took the view that the UK’s Data Protection Act, 1998 (“the DPA”) intended to cover manual files “only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system”.
The Court of Appeal stated that any manual filing system “which, for example, requires the searcher to leaf through files to see what and whether information qualifying as personal data of the person who has made the request [for access] is to be found there, would bear no resemblance to a computerised search.” Such information would not be deemed to form part of a “relevant filing system”.
The Court of Appeal further held that:
“a ‘relevant filing system’ for the purposes of the [DPA], is limited to a system:
- in which the files forming part of it are structured or referenced in such a way as to clearly indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it under section 7 [of the DPA] is held within the system and, if so, in which file or files it is held; and
- which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.”
This decision therefore takes a very narrow view of the term ‘relevant filing system’, as defined in the DPA. This narrow view of the application of the DPA is in contrast with other European countries, and accordingly the UK data protection authority issued guidance on the Durant case to address the disparities.
Although it is submitted that South Africa’s definition of ‘filing system’ is far wider than that contained in the DPA, it is maintained that our courts will still be forced to indicate the ambit of the Bill, if promulgated in its current form, and indicate whether a narrow or wide interpretation will be followed. South Africa does not have any other legislation strictly dedicated to the protection of personal information, and gaps in the current Bill will ultimately fall to common law or a piecemeal application of section 14 of the Constitution. Take, for instance, the circumstance where a disorganized administrative staff member, Mr. Y of company ABC, for whatever reason holds a single printed document containing the personal banking details of Mr. X. Mr. Y keeps such information in a disheveled pile in a drawer along with the various other personal information documents of ABC’s clients. When Mr. Y’s employer asks for a specific document, Mr. Y is able to find the document, but no other staff member is capable of doing the same. Is Mr. X’s personal information accessible according to ‘specific criteria’, as required by the definition of ‘filing system’? Consider that, for the duration of Mr. Y’s employment with ABC, his employer is able to access and utilize such documents with little effort. Alternatively, does this argument fail due to the ‘filing system’ requirement?
It is submitted that courts will have to carefully consider the implications of a narrow interpretation in order to avoid limiting a person’s rights on the basis of purely mechanical requirements.