“Panama Papers” and the POPI Act
Content provided by IACT Africa, specialist business consulting company with a focus on assisting organisations to add strategic value to IT Governance and IT Management.
The disclosure of confidential client information in the case of the so-called “Panama Papers” emanating from the files of Mossack Fonseca’s Panama City offices raised a heated debate about the public’s “right to know” compared to the rights of individuals and companies to have a “right to privacy”. As part of that debate it is worth pausing to consider how the revelation of such confidential details as client names and investments might have been treated if all the provisions of the Protection of Personal Information (POPI) Act were fully in force and the new Information Regulator (let’s use the term POPI Regulator for this article) were already in operation in South Africa. For the purposes of this article let’s also assume Mossack Fonseca were based in South Africa, and therefore subject to the POPI Act’s provisions.
There seems little doubt that there was a breakdown in the security arrangements concerning the client files which resulted in public disclosure of personal information of Mossack Fonseca’s clients. Condition 7 of the POPI Act specifically addresses the need for security safeguards in protecting personal information. This applies to both living individuals as well as juristic entities (such as trusts and companies). Failure to ensure such protection opens up several possibilities for action by affected parties (Data Subjects in terms of the POPI Act).
First, civil claims could be raised against the Responsible Party (in this case Mossack Fonseca) by any of the affected Data Subjects (clients) who believe their right to privacy has been compromised (section 99 of the POPI Act). Second, those same Data Subjects could combine their interests and take up a class action (where multiple claimants pursue a common goal) against the Responsible Party for failure to comply with the POPI Act (specifically Condition 7). Those same individuals could approach the POPI Regulator to lodge a complaint as provided for in sections 73 to 75 of the POPI Act.
In addition the POPI Regulator may have decided to take action without receiving a formal complaint (as provided for under section 89 of the POPI Act), with a number of possible resulting actions by the Regulator, including the imposition of monetary penalties and in the most severe case, a custodial sentence (section 107).
There is also a clear requirement in the POPI Act (section 22) for notification to relevant stakeholders and other appropriate actions where there has been a security compromise, such as in the Panama Papers case. These actions should include an investigation as to the circumstances of the security compromise (data breach is the common term used internationally) as well as the preparation of remedial actions to mitigate the impact of the breach and steps to avoid a recurrence.
One aspect of the Panama Papers case does not seem to be a point of disagreement in the debate over the rights and wrongs of data privacy: that is the reputation damage which so often has followed such well-publicised data loss or security compromise situations. The maximum financial penalty for any single case of non-compliance with the POPI Act is R10 000 000. For many large organisations this would not be the most burdensome penalty to pay for a “Panama Papers Scenario”.
The loss of reputation and damage to stakeholder confidence may far exceed any short term financial penalty imposed by the POPI Regulator. This represents possibly a far stronger motivator (reputation protection) for POPI Act compliance than any threat of action by the POPI Regulator. Only once the level of penalties reaches those now contemplated in the new General Data Protection Regulation due to come into force across the European Union member states in May 2018 (a percentage of global turnover of the guilty party) will financial penalties imposed by the POPI Regulator in SA be the primary concern to large organisations, whether in the public or private sector.
Note: The views expressed here are the personal opinion of the author and do not constitute legal advice.
Author Dr Peter Tobin, petert@iact-africa.com
This article also appears in My Office Magazine, August 2016