Popi for civic tech: how do we keep personal info safe?

Livemag

Data is the new oil, they say, and in the 21st century, protecting our personal data is more important than ever.

Enter the Protection of Personal Information Act (Popi), a new piece of legislation designed to ensure that everyone’s personal info is protected. But how does this affect the world of activists, who regularly keep data about their networks or people they work with in communities?

Speaking at the Civic Tech Innovation Network information session, Dario Milo, a media law specialist at Webber Wentzel, addressed the attendees on what Popi means specifically for civic tech organisations.

What does it do?

Popi is supposed to protect people from having their personal data exposed or exploited. The act allows for just 8 scenarios in which information can be processed lawfully.

Popi affects everyone in the business of processing or collecting personal information. There are very limited exceptions, which include the media, government surveillance agencies, and information gathering for literary or artistic purposes.

But Popi also goes further, requiring not just consent, but “informed, explicit” consent. In other words, a bank needs to explain to its customers in plain, clear language what it intends to do with their information. Fine print in difficult-to-read legal jargon will not be considered informed consent, for example.

What do civil society organisations need to be aware of?

The consequences of non-compliance can be severe, and you can be held criminally liable and spend up to ten years in prison in the most extreme cases. Fines up to R10 million can also be imposed.

But ultimately, Milo points out that the biggest risk to people, and especially to companies and organisations whose currency is public trust, will be reputational damage.

What this means for civil society is that they will need to have clear privacy policies, visible on their websites, which explain in detail what they intend to do with their community’s information.

Organisations are already taking steps to protect the data of their activists. Luke Jordan from Grassroot told the participants that activists are confronted with intimidation and violence on a daily basis. If their details are vulnerable to hacking from state or corporate interests, they could face even more danger.

Grassroot is an organisation which creates digital tools to help communities organise around issues that affect their lives.

In the case of Grassroot, their database is hosted by a cloud service in Ireland, where legislation provides them with more protection from the prying eyes of governments than in other states.

However, many organisations at the event pointed out that they did not know where their database was hosted, and often, service providers did not provide them with the option to choose. This is just one of the technological questions that needs to be solved, not just for the purposes of Popi, but for ethical reasons.

Most importantly, civics need to solve technical questions like this to ensure they do not lose the capital they trade with: trust.

Amandla.mobi said they only collect very limited information, although this becomes a problem where government requires more detailed information in order for a petition to be recognised. Where a third party asks for information gathered by Amandla, they will redact the information to protect the identities of the participants in their campaigns.

The organisation uses cellphones to support activists and campaign for social justice issues. Recently, they ran campaigns seeking to ensure care for rape survivors at all health facilities, as well as a campaign that put pressure on Naspers to pay its dues for its role in apartheid.

Ultimately, the golden rule, says Milo, is consent, with minimal exceptions like accessing information for legal reasons. In other words, if you have the person’s explicit, informed consent to use their information, you can consider yourself on the side of caution.