POPI Shields the Public from Misuse of Information
In a recent matter between Black Sash Trust v Minister of Social Development and Others (CCT48/17)  ZACC 8, the subject of ownership and use of personal information were explored by the courts as an ancillary issue. Gildenhuys Malatji Attorneys had the pleasure of acting on behalf of the Information Regulator – a new regulator that has been created by Section 39 of the Protection of Personal Information Act (POPI Act).
SASSA Case Background
The crux of the SASSA matter, as it is more commonly referred to, questioned the South African Social Security Agency’s ability to pay 17 million beneficiaries in a lawful manner that is in line with constitutional rights and values. SASSA had previously outsourced the said obligations to Cash Paymaster Services (CPS), and intended to take over the payment of social grants on 1 April 2017, at which point the court’s supervisory obligations would lapse.
lack Sash Trust, who had brought the application in the public interest and in the interest of the beneficiaries, sought the reinstatement of the Constitutional Court’s oversight role to ensure that SASSA complies with its constitutional obligations. Black Sash expressed a deep concern that SASSA was in no position to take over the role of CPS of paying social grants by April 2017, nor to award a competitive and lawful tender timeously. Consequently, due to the urgency with which the matter had to be solved, and social grants distributed, SASSA had to enter into a renewed agreement with CPS without a competitive tender as required by Section 217 of the Constitution. Black Sash’s concerns were exacerbated by unlawful deductions which would continue to be made from grants. Accordingly, Black Sash requested that the Constitutional Court re-establish its oversight over the process of social grant payments.
The court declared that SASSA and CPS were under a constitutional obligation to ensure the payment of social grants to beneficiaries from the 1st of April 2017, for a period of 12 months, after which the contract between SASSA and CPS may be declared invalid – or more accurately, the suspension of the contact’s invalidity shall be lifted.
The POPI Effect
POPI’s Information Regulator was the Seventh Respondent in the SASSA case and was represented herein by Tebogo Malatji of Gildenhuys Malatji Attorneys. The Information Regulator’s sole involvement concerned the protection of the personal information of social grant beneficiaries. Accordingly, the Regulator opposed only the relief sought in clause 5(b) and 11(b) of Black Sash’s Notice of Motion, wherein Black Sash required that any contract concluded between SASSA and CPS must provide that the personal information of grant beneficiaries becomes the property of SASSA.
In challenging the relief sought by Black Sash, the Regulator brought the court’s attention to the words “data subject” and “personal information” in Section 1 of POPI which unequivocally determines that ownership of personal information cannot be vested upon a person to whom it does not relate. The personal information which Black Sash sought to declare in the court order to be the property of SASSA, belongs to the grant beneficiaries and there was no basis in law to divest them of that ownership and vest the ownership upon SASSA.
Furthermore, the Regulator cautioned that if the personal information was to become the property of SASSA, SASSA may deal therewith as it deems fit without reference to the grant beneficiaries. The seventh respondent concluded that the law does not make provision for the order sought by Black Sash Trust and it cannot be declared so by a court order. Additionally, such an order would be to the detriment of grant beneficiaries as their personal information would not be protected and would be susceptible to be sold and misused in a multitude of manners, most of which are unacceptable.
After considering the argument of the Regulator, the court agreed that the order sought in paragraph 5(b) and 11(b) of its Notice of Motion was misconceived. It confirmed that the contract must protect various aspects of the personal privacy, dignity and autonomy of grant beneficiaries. The court went on to order that the terms and conditions of the renewed contract between SASSA and CPS must:
(a) contain adequate safeguards to ensure that the personal data obtained in the payment process remains private and may not be used for any purpose other than payment of the grants or any other purpose sanctioned by the Minister in terms of section 20(3) and (4) of the Social Assistance Act 13 of 2004.
(b) preclude anyone from inviting beneficiaries to “opt-in” to the sharing of confidential information for the marketing of goods and services.
In achieving this judgment, the Information Regulator acted in accordance with its statutory duty and ensured that the ownership of the personal information of grant beneficiaries remains vested in the grant beneficiaries, and is protected from misuse and exploitation.