III. Privacy issues
South Africa has a well-developed financial system and banking infrastructure. Despite the sophistication of the financial sector, the privacy of financial information was weakly regulated by a code of conduct for banks issued by the Banking Council. Adherence to the Code is voluntary and it is expressly declared to be not legally binding. Financial institutions subscribing to the Code undertook not to share personal information of their clients without consent except where the public's or the banks' interests require disclosure. Information may be disclosed to third-party credit risk management services with prior consent, or after notice to the client.
Important new legislation, the National Credit Act 34 of 2005, has introduced sweeping changes in this area.1 The Act has a three-phase implementation process, coming partly into force on June 1, 2006 and September 1, 2006. The Act came into force in its entirety on June 1, 2007.
The National Credit Act is consumer protection legislation aiming to regulate the market in consumer credit principally by improving access to credit and preventing unfair business practices. The Act's reforms occur against a background of an unprecedented expansion in the provision of consumer credit in South Africa. But this success has brought attendant social ills. Occasionally reckless credit extension by credit providers has led to the over-indebtedness of consumers who are often poorly informed if not deliberately kept in the dark. In addition, there are historically deep-rooted divisions in the South African credit market. High-income groups (about 15% of the population) can obtain credit from a wide range of mainstream providers, including banks, at regulated interest rates. Low-income groups have little access to conventional credit products such as mortgages, credit cards or overdraft facilities. Instead they are relegated to non-bank credit, informal sector loans and other marginal providers. The data protection provisions of the National Credit Act are in Part B of Chapter 4. Most of the provisions of this Part commenced September 1, 2006.
Section 68 of the Act creates a right to confidential treatment of "confidential information" received, compiled, retained or reported in terms of the Act. Confidential information is defined in s. 1 as "personal information that belongs to a person and is not generally available to or known by others." The confidentiality of such information must be protected by its holder and must be used only for a lawful purpose, must be disclosed only to the person to whom it relates or to a third party where required by law, by court order or order of the Consumer Affairs Tribunal created by the Act or "as directed by . . . the instructions of the consumer."
The other privacy provisions of the Part provide specific regulation of credit bureau information. The particularly stringent regulation of the credit bureau industry by the Act is justified as follows by the DTI Policy Document. According to the DTI, "There is immense frustration with credit bureaus and with credit bureau information amongst black South Africans, and with the practice of so-called blacklisting."2 The purpose of the regulation is therefore to tightly regulate the flow of credit bureau information, to improve its accuracy and reduce the scope for discrimination in decisions about credit. Sections 70 - 73 of the Act impose several duties on credit bureaus in relation to "consumer credit information" (consumers' personal details, financial history, employment and educational history). Notably, bureaus are required to allow consumers free access to their credit information for purposes of verifying and challenging it. There is a duty to take "reasonable steps to verify the accuracy of consumer credit information" (s. 70(2)(c)). Access to and use of credit bureau data is limited to persons requiring it for a "prescribed purpose or a purpose contemplated in this Act" (s. 70(2)(g)). Data retention is regulated by several provisions and by s. 73 of the Act, which allows the Minister to prescribe maximum retention periods for the holding of credit information by credit bureaus. The regulations, issued on May 31, 2006, prescribe varying periods ranging from 1 year (for adverse qualitative information on consumer behavior) to 10 years (unrehabilitated sequestrations) to indefinitely (corporate liquidations).
When compared to the draft data protection legislation of the South African Law Reform Commission described above, what is immediately evident about the data protection provisions of the National Credit Act is their stringency. By contrast, the Commission's draft Protection of Personal Information Act is relatively easy-going, and turns on the principle of reasonable processing of personal information rather than on the consent of the data subject. There is nothing in the current draft of the general Act that compares to the detailed and specific provisions regulating credit bureau information in the National Credit Act. The effect of the general Act on sector-specific legislation like the National Credit Act is one of the considerations of the Law Reform Commission in its formulation of its final proposals. What may well emerge from these considerations in the final version of the general Privacy Act expected in 2007 is a special chapter on credit bureaus along the lines of s. 70 - 73 of the National Credit Act or a provision allowing for the continued operation of these sections of the Act.
The Financial Intelligence Centre Act 38 of 2001 (FICA) is aimed at preventing money laundering. It was passed by Parliament in 2001 and the bulk of its provisions came into effect in 2003. Along the lines of similar legislation in other jurisdictions, the Act creates the Financial Intelligence Centre, a supervisory and investigative body that receives and analyzes information regarding suspected money-laundering activities supplied to it by financial institutions, and disseminates reports to the criminal investigative authorities, the intelligence services and the revenue service. Banks and other financial institutions are required to verify the identity of their customers, to maintain a considerable body of information about customers and their transactions, and must report suspicious transactions to the Centre. The bulk of customers would have to provide FICA-related information until September 2005. Non-compliance will bring restrictions on clients' ability to transact on their accounts.
The Cabinet approved a plan in March 1998 to issue a multipurpose smart card that combines access to all government departments and services with banking facilities. In the long term, the smart card was intended to function as passport, driver's license, identity document and bankcard, and was to be linked to fingerprint information.3 In 2003, a commission recommended major changes to the project. In February 2004, the report of the transaction advisors on the feasibility of procuring the new identity document through a public/private partnership recommended against the partnership. In 2005, the Department of Home Affairs awarded a contract for the cleaning of its database as the next step towards the rollout of the Hanis identity card system. It is expected that the first smart ID cards will be issued by the end of 2006. The first recipients of the cards will be beneficiaries of the state social development grants. A similar project has already been started by the South African Post Office (wholly government-owned) in the North West Province where social pensioners are provided with a Postbank account for receiving their social services grant. The account is linked to a smart card containing the thumbprint and ID photo of the pensioner in encoded form.4
In 2004, the Department of Home Affairs began a pilot program to issue 30,000 smart cards to refugees (persons granted political asylum). In the Department's view, this program is an initial step towards a planned rollout of six million smart cards per year over a five-year period. The full program entails the conversion of 30 million paper-based sets of records into the Department's electronic document management system. The government agency aims to eventually produce "an integrated biometric database of all people the Department deals with - citizens, residents, refugees, illegal foreigners."5
- 1. http://www.dti.gov.za/ccrdlawreview/policyjune2005.pdf
- 2. See para 3.12 of the policy document above.
- 3. "Smart Cards to Replace ID Books in SA in 2001," Africa News, February 1, 2000.
- 4. http://free.financialmail.co.za/innovations/05/1125/linn.htm
- 5. Deputy Minister of Home Affairs, Malusi Gigaba: Home Affairs Department Budget Vote 2004/2005.