What duties does the business owner have when dealing with the personal information of clients, suppliers and other contacts? Can you keep the information for ever? Can you sell it to telesales companies?

Information is becoming ever more central to a modern business, and as a result, businesses are holding more and more information about the people that they deal with. The law has been quite slow to regulate how we deal with this kind of information, but that is changing and it is very important to keep abreast of developments in this area. When a strict privacy law was enacted in the United Kingdom, many people were caught off guard by the hoops they were expected to jump through!

Privacy is afforded limited protection in South Africa at the moment by the constitution, and there has also always been a common-law right to privacy where one could claim damages if one suffered loss as a result of an infringement of one's privacy. There is also limited protection for personal information afforded by the Electronic Communications and Transactions Act. South Africa has clearly not yet gone the full distance in implementing comprehensive protection for personal information.

If one looks at developments in the rest of the world, it is clear that protection of personal information is being taken increasingly seriously. The most important jurisdiction for our purposes is that of Europe, where the European Union has for some time been subject to the Data Protection Directive. Each member of the EU has to implement legislation in line with this directive. In the United Kingdom, this takes the form of the Data Protection Act.

So why should this be of any interest to you? Business expediency demands that acceptable procedures are in place when a business deals with personal information. Many countries, including those making up the EU, take a dim view of their citizens "exporting" data to countries whose laws on privacy are not as strict as their own, because in that way personal information could be compromised. In fact, in the EU it is a criminal offence to send personal information to any country whose data protection laws are not at least as strict as those contemplated in the EU Data Protection Directive. This is one of the reasons why the South African call centre industry has failed to blossom: it is difficult to get the appropriate information from the EU to the call centre operators due to our limited privacy legislation. It is possible to get special permission to export personal information to this country from the EU, but only if you can show that your company’s procedures and policies are in sync with the EU Data Protection Directive.

Here’s another reason to take this issue seriously: these laws will soon be available at a parliament near you. The South African Law Reform Commission is working on a statute which will bring us into line with our trading partners, especially the EU. It is called the Data Protection Bill (it will be an Act when passed), and is unfortunately still in its relatively early stages. It is clear from the drafts that have appeared so far, however, that the EU model is being followed, and therefore it makes sense for South African businesses to begin to manage their data in a way which is consistent with the methods used in the EU.

These principles are very simple and are set out as follows:

• You must collect and use personal information fairly and lawfully – no tricking people into parting with their contact details.
• You must only obtain personal information for lawful reasons that you specify to the client and you must not make further use of the personal information for anything other than the specified use.
• Any data that you collect must be relevant to its use; you should not collect more personal information than you need for that purpose.
• The personal information that you collect must be accurate and kept up to date when necessary.
• You must not keep personal information for any longer than is necessary; when the purpose that you collected the data for is fulfilled, you must destroy the relevant records.
• You must have appropriate security measures in place to ensure that personal information is not lost or accessed by people who have no business seeing it.

Andrew Marshall: http://www.nicciferguson.com/article...nt-information