Massive reform needed to protect our personal information

By Michele van Eck and Samantha Huneberg

South Africa, like many other countries in Africa and the world over, has in recent years seen an amplification of discourse around the fourth industrial revolution (4IR). While the flurry of conversations around 4IR has helped awaken the consciousness of people, questions remain about whether, and to what extent, we are actualising its currency, in terms of the opportunities and benefits it brings, while mitigating the risks associated with it.

A common promise of the technological developments of 4IR is that they will revolutionise the way we do business and address socio-economic challenges, especially in developing countries like ours.

Closely linked with this are the developments of 4IR in big data, a term initially coined by Roger Mougalas in 2005. It can be described as the process of collating significant amounts of information from various sources to provide “decision-making insights”.

Big data is opening a whole new world of data analytics and is fast becoming one of the most valuable commodities in the world today, and has arguably revolutionised entire industries (such as the insurance sector). Big data is literally changing the way in which the insurance industry (and other industries) is operating and has the potential to change lives for the better by providing more personalised and affordable cover and service offerings to consumers.

Yet, for all these opportunities, South Africa continues to struggle in protecting existing data, both in the public and private sectors. This hinders the country’s ability to fully embrace the advanced data models prevalent in 4IR developments.

It is frightening to start listing some of the numerous media accounts of data breaches, because of the gravity of the risk to which they left consumers exposed. The 2016/2017 Ster Kinekor data breach, for instance, exposed between 6 and 7 million records, while the preceding cases are even scarier. The 2017 South African Master Deeds data breach exposed approximately 60 million records, and there were also the 2017/2018 Liberty Life data breach, the 2020 Experian data breach (approximately 24 million records), the 2022 TransUnion data breach (approximately 54 million records), and the recent Dischem data breach (approximately 3 million records), to name but a few.

The data and personal information of millions of South Africans have been compromised, totalling more than 147 million records in the last 6 years. This placed the average South African at risk of being a victim of criminal conduct and of being exploited. As a result, the question is not how much data has been exposed, but rather how much data and personal information of South Africans have not been exposed.

The Protection of Personal Information Act 4 of 2013 (POPIA) is a welcome relief in the protection of personal information in South Africa. The Act provides for several consequences for the failure to comply with the provisions of POPIA, such as penalties and administrative fines (chapter 11 of POPIA).

In addition, POPIA provides some, albeit limited, remedies for individuals whose personal information has been exposed or whose rights under POPIA have been breached. These remedies include lodging a complaint with the Information Regulator (section 74) and instituting a civil action (section 99). This notwithstanding, these protections under POPIA do not provide a holistic solution for the ordinary South African and fail to provide practical tools to protect against the risk of already compromised data.

The current legislative framework could, however, be bolstered and improved by providing more meaningful remedies for individuals, which (we suggest) can be found in educational campaigns and a new form of compulsory insurance for companies that use data and personal information.

Educating the public (both formally and informally) as to the data that is protected and used to navigate the difficulty of existing data breaches is a necessary first step in mitigating the risk of already compromised data and personal information of South Africans. Many scams and fraud may originate from leaked personal information due to data breaches, but the greater risk sits with individual ignorance of the risk and the manner of dealing with such risks.

South Africans require proper training to identify, avoid and mitigate such risks. An educational campaign, spearheaded by both public and private sector stakeholders, in both formal and informal education, is necessary to prepare individuals for the data-intensive world we are currently living in, thereby equipping South Africans to identify potential risks and, further, to avoid them.

This is a necessary first step to protecting the interests of South Africans, especially considering the millions of records of South Africans that have already been compromised to date.

However, approaching this in a solely individualistic manner is short-sighted, and more pervasive interventions may be required, which may be found in the insurance industry.

A feasible mechanism may be introduced, aimed at corporate entities (who collect, use and store data and personal information), under which they procure a specialised and compulsory type of insurance that aims to protect and indemnify individuals from data and personal information breaches. This specialised type of insurance would be compulsory to allow individuals financial reparations for loss or damage resulting from a data breach.

This principle is not something new, as corporates are familiar with insurance products like directors’ and officers’ liability insurance.

It is suggested that a specific type of liability insurance be developed and held by corporates (that collect, use and store data and personal information) in order to protect individuals from possible breaches of their data and personal information. Liability insurance undertakes a considerable financial role in the distribution of risk, most notably in the burden of civil liability, and has the indirect benefit of requiring better data safeguards due to the financial implications of failing to do so.

As far as the object of liability insurance is concerned, this refers to the interest of the insured in not incurring liability towards third parties, and this suggested structure would be permitted under the current insurance legislative regime (take, for instance, table 2, Schedule 2 of the Insurance Act 18 of 2017, in which the liability class is distinguished and various liability sub-classes, such as public liability, are listed, which allows for cover of another person’s liability).

This regime may be expanded to allow for a liability insurance product aimed at the protection of data and personal information of customers. However, for this to be effective such insurance requirements must in some way, shape or form become a compulsory cover for parties that collect, store, or use data and personal information of South Africans.

As 4IR is changing the way in which businesses operate, it is also necessary to change the way we address the risks associated with technological developments.

A more active approach towards educating South Africans and requiring organisations (that use data and personal information) to procure and maintain certain minimum insurances to the benefit of individuals may provide the necessary protection to South Africans to allow us to navigate the tides of uncertainty that technology brings and may pave the way in preparing South Africa for the necessary measures required to secure data in the 4IR era.

After all, data is becoming the most valuable commodity in the current era, which calls for pervasive preventative measures that exceed the ambit of POPIA to inhibit and prevent the purloining of data and personal information of individuals.

Dr Michele van Eck is a senior lecturer and head of the Department of Private Law at the University of Johannesburg and Dr Samantha Huneberg is a senior lecturer in the Department of Mercantile Law at the same university.

The views expressed in this article are those of the authors and not the University of Johannesburg.

This article is original to The African. To republish, see terms and conditions.