The information protection principles intended to regulate privacy in South Africa are encapsulated under chapter 3 of the Protection of Personal Information Act, No 4 of 2013 (POPIA) as conditions for the lawful processing of personal information. One of these conditions is data subject participation, in terms of which persons should be allowed to participate in, and exercise a degree of influence over, the processing of their personal information by responsible parties.
With data privacy in its infancy in South Africa, lawmakers need to look to foreign jurisdictions for guidance. This was the case in drafting POPIA and will continue to apply in respect of privacy enforcement. The provisions of Directive 95/46/EC (EU Privacy Directive) - which will soon be replaced by the General Data Protection Regulation 2016/679 (GDPR) - played a significant role in the development of POPIA. Although judgments by foreign courts will have no direct effect on the application of POPIA, it is accepted that our courts and the Information Regulator (established pursuant to POPIA) will look to foreign judgments for guidance. Decisions of the Court of Justice for the European Union (CJEU) on matters relating to the EU Privacy Directive and the GDPR may serve as valuable indicators of the way in which POPIA is to be applied.
In this context, the case of Peter Nowak v Data Protection Commissioner (Case C-434/16) is of interest. In summary, Peter Nowak, a trainee accountant, had failed an open book examination set by the Institute of Chartered Accountants of Ireland (CAI) on four separate occasions. After the fourth attempt in 2009 and a failed attempt at challenging the veracity of his result, Mr Nowak submitted a request to the CAI in terms of Irish data protection legislation to provide all ‘personal data’ relating to him and held by the CAI. The CAI responded by delivering 17 items but specifically excluded copies of the examination scripts which it advised did not constitute Mr Nowak’s personal data. Mr Nowak challenged this response and eventually submitted a formal complaint to the Data Protection Commissioner (DPC) - being the data protection supervision body in Ireland. The DPC found that the examination script did not constitute personal data to which data protection legislation applies and accordingly that there had been no substantial contravention of the data protection legislation. One of the arguments put forward by the DPC was that if the examination scripts were, in fact, Mr Nowak’s personal data, this would allow a candidate to request rectification of incorrect answers in terms of Article 12 of the EU Privacy Directive. Consequently, the DPC considered the complaint frivolous or vexatious and did not investigate or pursue the complaint further on this basis. Mr Nowak brought an action against the DPC’s decision in the Irish courts.
The Irish Supreme Court requested the CJEU to make a preliminary ruling on whether the written answers to a professional examination, and the marker’s comments in relation to those answers, constitute personal data under the EU Privacy Directive in such a manner as to allow that candidate to request access to his own script in terms of Irish data protection legislation. In her opinion, the Advocate General of the CJEU noted that, although the EU Privacy Directive will be replaced by the GDPR with effect from 25 May 2018, the GDPR will not affect the concept of personal data and therefore the preliminary ruling would also be important for the future application of EU data protection law.
Article 2(a) of the EU Privacy Directive defines personal data as “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” Article 12 of the EU Privacy Directive requires member states to guarantee a data subject the right to access his/her personal data processed by a data controller and request rectification, erasure or blocking of data which is not processed in compliance with the EU Privacy Directive. This is transposed into Irish data protection legislation.
The CJEU, relying on the EU legislature’s aim of assigning a broad interpretation to the concept of ‘personal data’, dismissed the DPC’s contention that the examination scripts did not constitute Mr Nowak’s personal data on the following grounds:
- Mr Nowak’s recorded answers are a reflection of his knowledge and ability and may be an indication of his intellect, thought processes, and judgement;
- information as to Mr Nowak’s handwriting, through which he could be identified, is contained in the script;
- the purpose of collecting the answers is to evaluate the candidate’s suitability and ability in respect of the profession; and
- the use of that information to determine the success or failure will have an effect on the candidate’s rights and interests (such as securing a future job).
In addition, the CJEU found that the examiner’s comments reflect the examiner’s opinion of the candidate’s performance in the examination and thus also constitute Mr Nowak’s personal data. It held that if, for example, written answers were not construed as personal data, the professional body administering the examinations would be under no obligation to ensure protection against unlawful disclosure of such information. The CJEU also stated that while the rights of access and rectification encapsulated in Article 12 of the EU Privacy Directive may be asserted in respect of the written answers and the comments on them, this right of rectification cannot allow a candidate to correct answers which were incorrect. Such a right may, however, apply in instances where a mix-up in the examination scripts resulted in a different candidate’s answers being ascribed to the candidate concerned, or where the script is missing a page so that the answers are incomplete. The data subject access request would thus be permissible, notwithstanding the existence of other legislation governing access to examination scripts.
A similar interpretation to that taken by the CJEU is likely to apply in South Africa. In terms of POPIA, personal information is defined to include information relating to an identifiable, living, natural person and where applicable, an existing juristic person. Examples of personal information are included in the definition, such as the personal opinions, views, or preferences of a person, education history and the views or opinions of another individual about the person. Accordingly, a candidate’s answers to an examination and an examiner’s evaluation of those answers would constitute the candidate’s personal information in terms of the definition under POPIA.
Sections 23 and 24 of POPIA provide for the rights of data subjects to request access to personal information held about them and, furthermore, to request rectification of inaccurate or misleading information or deletion of information which is obsolete, was obtained unlawfully or is not relevant to the specified purpose. Although the right of access to information is already provided for in the Promotion of Access to Information Act, No 2 of 2000 (PAIA), once POPIA is fully effective, requests by requestors for access to their own personal information will be made in terms of POPIA, and PAIA will regulate the right to access all other information. A responsible party may refuse to comply with a request for access to personal information on one of the grounds for refusal set out in PAIA (which differ for private and public bodies), including, in respect of private bodies:
- the protection of privacy of a third party natural person;
- the protection of commercial information of a third party;
- the protection of certain confidential information of a third party;
- the protection of safety of individuals, and protection of property;
- the protection of records privileged from production in legal proceedings;
- if it would reveal the commercial information of a private body; and
- the protection of research information of a third party, and protection of research information of the private body.
Once POPIA is fully effective, a data subject can refer a complaint to the Information Regulator alleging an interference with the data subject’s personal information, which would include a breach of any of the conditions for lawful processing. The Information Regulator is empowered to take certain actions which may ultimately result in a fine, imprisonment and/or civil liability for the breaching party. Organisations are therefore encouraged to take steps towards POPIA compliance if they have not already done so. Furthermore, the extra-territorial application of the GDPR means that South African organisations that process personal data of data subjects residing in the EU (including where a South African organisation monitors the behaviour of EU data subjects or offers goods or services to EU data subjects) will also need to be compliant with the GDPR when it comes into effect on 25 May 2018.