- ‘protection of personal information for South African Law Firms’.
- ‘Information Security for South African Law Firms’.
- ‘Electronic Signatures for South African Law Firms’.
The Internet: A massive force for good
The Internet has revolutionised our society, changing our commercial and social activities far more rapidly than any changes in human history. It promises to be a massive force for good in the world, democratising knowledge, revolutionising education, increasing political and business transparency, creating completely new economies (and jobs) and facilitating time and cost efficiencies in existing economies unthought of ten years ago.
Our increasing dependence on information and communications technologies has, at the same time, brought new risks, which simply cannot be ignored by anyone in our information society. This article confines itself to the issue of risk to personal information and the duties of lawyers in this regard. We have an important role to play but regrettably South African lawyers have been, at best, reticent in embracing the information revolution and the benefits that it holds for us as a profession. As importantly, we have been apathetic in accepting responsibility for and have largely failed to discharge our professional duty to take the measures necessary to ensure the confidentiality and integrity of client information processed in electronic form.
The threat to privacy of personal information
The right to privacy is a fundamental human right, enshrined in s 14 of our Constitution. The ever accelerating ability to process increasingly large volumes of information about individuals has long been seen as one of the major threats that the information revolution holds to our society. For decades there have been privacy directives and privacy legislation published globally, aimed at establishing appropriate protections against the abuse of personal information. Today privacy is the most burning jurisprudential issue globally and pervades the political, economic, societal and technological landscape, shaping approaches to existing and new law in the information society at every turn. Aside from its purely jurisprudential importance data privacy has been identified, by the Harvard Business Review, as one of the issues business cannot afford to ignore in 2015. Protecting personal information is not only our duty as lawyers but is simply good business.
Why are South African lawyers ignoring privacy?
The threat to our privacy already affects us and our loved ones profoundly, it adversely affects our clients, and it threatens to adversely affect our practices unless we wake up to the reality of the 21st century. The question that must be posed to South African lawyers is why we are ignoring this threat? In assessing compliance with our professional and statutory duties we must make the effort to understand these jurisprudential developments that are critical to legal practice in the 21st century.
Without understanding the legal requirements governing data messages (electronic communications and electronic records), established in the Electronic Communications and Transactions Act 25 of 2002 (ECT Act), and the conditions for lawful processing of personal information established in the Protection of Personal Information Act 4 of 2013 (POPI), as well as the background to these legislative instruments, it is simply impossible to understand the threats to personal information in cyberspace or to determine how to combat them.
My experience is that very few lawyers in South Africa have read the provisions of these Acts, let alone tried to understand them. Despite this failure, lawyers who have chosen not to understand the laws and practices governing the digital world, typically still use information and communications technologies on a daily basis to process their clients and their own business information, with little regard to their professional obligations of maintaining confidentiality and integrity in the information. This approach is simply irreconcilable with practising law in the 21st century.
Duties of lawyers
Some lawyers are happy to remain in the dark about their duty to protect client information. Some may point to the fact that the operative parts of POPI have not been proclaimed to have commenced. I doubt though that any will seriously dispute their obligation to uphold the Constitution. The point being that rights to privacy do not derive from POPI but from the Constitution and the obligation to safeguard personal information has already long been regarded as a corporate obligation globally. Indeed s 76 of the Companies Act 71 of 2008 requires that we conduct our businesses with the degree of care, skill and diligence that may reasonably be expected of us. If we use information and computing technology (ICT) we should be mindful of the risks of doing so and are obliged to take appropriate measures to guard against harm that the risks threaten (the reasonable man test).
The rights that our clients have in this regard are already firmly established in our law. POPI merely provides the framework for the enforcement of these rights with particular relevance to the processing of personal information and establishes offences applicable when processing violates this constitutional principle. We also need to acknowledge that while the purpose of POPI is to establish the safeguards for the confidentiality and integrity of personal information, its stipulations correspond directly to and reflect our professional obligations to maintain the confidentiality and integrity of our client’s information, an obligation which has been established for centuries.
As lawyers, we have always dealt with paper and text (and continue to do so) and have developed appropriate safeguards to the protection of confidentiality and integrity. These safeguards will still apply as POPI is not confined to electronic information but covers information in paper and text as well. Similarly we have to develop, establish and maintain appropriate safeguards to the processing of information in electronic form.
It is accepted that most lawyers will, through their general understanding of law and a careful reading of appropriate legislation be able to deal with the legal principles applicable to the protection of personal information. However, this understanding has to be expanded to incorporate appropriate information security principles, which are the foundation for safeguarding of electronic communications and records.
The basis of appropriate information security is to be found in information security standards (many of which are internationally recognised) that may be generic or apply to a particular sector, profession or industry. While law societies and Bar associations in many jurisdictions provide guidelines in this regard (as does the Law Society of South Africa (LSSA)), there are no specific standards that are obligatory to the legal profession. This having been said, the International Standards Organisation provide a comprehensive framework for information security and in particular ISO27001 (which deals with the establishment of an information security management system) and ISO27002 (which deals with the control measures that need to be considered in protecting information) these are a good starting point from which the ‘how’ of protecting personal information needs to be considered. Measuring our conduct against these established practices is what is contemplated in s 19 of POPI, which requires the implementation of generally accepted information security practices.
The issue of information security has for some time been regarded as a legal obligation and the report entitled ‘The emergence of cybersecurity law’ prepared for the Indiana University Maurer School of Law in February 2015 examines the growing field of cybersecurity law. It stresses the importance of lawyers practicing in ICT and related law to properly understand cybersecurity and the law which is developing around cyberspace.
As information and communications technologies increasingly impact on numerous areas of substantive and administrative law, it is critically important that aspiring lawyers are properly educated in the appropriate disciplines to prepare themselves for practice in the 21st century at tertiary level and that greater efforts are made to assist in the education of practising lawyers through practical legal training and other forms of education. Certainly, for any lawyer who professes expertise in privacy, the protection of personal information and ICT law generally, the failure to understand the reality of how we safeguard information in the 21st century is a yawning hole, which renders the ‘legal’ advice provided by these lawyers as, deficient at best, and quite probably dangerous.
The first issue for any conscientious lawyer to consider is how he or she complies with the obligations to ensure the confidentiality and integrity of client information. Certainly if they cannot do this within their own organisations, providing advice to their clients would be inappropriate. To do so lawyers must understand relevant law, which entails at the very least proficiency and understanding of the ECT Act, POPI and the Promotion of Access to Information Act 2 of 2000. They will also need to understand what technologies are appropriate in the processing and safeguarding of client information, what processes have to be established (in the form of policies, procedures, standards and guidelines) governing the proper use of the technologies employed by them and ensure that their people are properly trained and can adhere to these processes. Unless an appropriate organisational infrastructure (often referred to as an information security management system) is established, complying with POPI and achieving appropriate levels of security will, at best, be difficult, and in all likelihood, impossible to achieve.
From a business perspective it must be recognised that not only are lawyers responsible parties in respect of their clients’ personal information, but most practices will also be instructed by institutions (responsible parties) and be expected to act as operators in the processing of personal information. In this regard there is a statutory obligation on responsible parties to enter into written agreements with operators that require minimum levels of information security be established safeguarding the processing of personal information. Lawyers who fail to meet this minimum threshold may find themselves losing clients as a result.
While not a statutory requirement of POPI, from a practical perspective, the use of advanced electronic signatures (or digital signatures which provide a commensurate reliability) are one of the practical steps that can be taken in safeguarding electronic information, both in its communication and storage. It is beyond the scope of this article to deal with electronic signatures in any detail but guidance to this important issue can be found in the Guideline on Electronic Signatures for South African Law Firms published by the Law Society of South Africa (see www.lssa.org.za).
The reality is that neither the professional bodies nor legal practices generally have paid much attention to their obligations in terms of POPI. This failure poses considerable risk to the personal information of clients, individual legal practices and the reputation of the profession as a whole.
The LSSA can and has begun to address the issue, but there is a significant amount of work, which is still required by our professional bodies. Lawyers who might see this as an excuse for their own failure to comply with POPI, are mistaken. It is critical that they develop the core competencies required to comply with their professional duties and, as importantly, to provide the advice that client’s will seek from them.
The Law Society of South Africa Guidelines
The question may be asked what has the Law Society of South Africa (LSSA) done relating to the protection of personal information?
Despite the apathy of the profession, in 2013 the LSSA organised and presented a road-show to deal with the protection of personal information, which was held at six different centres though the country. This was not as well attended as one would have expected considering the impact POPI has on both the practice of law and the advice that we will be expected to provide to our clients.
The LSSA has also commissioned and has published on its website (www.lssa.org.za), among others, guidelines addressing the:
These guidelines are intended to create a foundation on which initiatives by lawyers to address these issues can be based. They also provide extensive references to materials that will be of assistance.
More recently the LSSA’s Executive Committee commissioned a report on its information and communications technology obligations in fulfilling its mandate in terms of the new Legal Practice Act 28 of 2014. Among the issues addressed in the report (and highlighted as a priority) is assisting lawyers in discharging their legal obligations in terms of POPI. This will result in a far better understanding of information management, information security and the protection of personal information.
It should also have the ‘knock-on’ effect of ensuring the accuracy and value of advice provided by lawyers to their clients in this regard, particularly relating to the information security interventions that are a non-negotiable facet of the protection of personal information.
It was also recommended that the LSSA and the provincial law societies collaborate with one another in developing a code of conduct, as contemplated in POPI, defining the specifics of what is required in the normal course of practice in the protection of information generally and personal information in particular. This will establish a minimum threshold that, if achieved, will allow lawyers to demonstrate compliance with their professional obligation to safeguard confidentiality and the integrity of client information, which to a large extent is, by definition, personal information.
Of course the LSSA and provincial law societies are themselves also subject to POPI and it is essential that in this transitional period compliance with POPI is addressed by the National Forum of the legal profession looking forward to the future governance of the legal profession under the Legal Practice Council.
After reporting to the LSSA’s Executive Council a further meeting with the directors of each of the provincial law societies and those responsible for their administration, was held. While the discussion encompassed issues in addition to compliance with POPI, the importance and urgency of engaging with lawyers to facilitate appropriate approaches to compliance with POPI, was stressed.
University of Stellenbosch Legal Aid Clinic and 15 others v Minister of Justice and Constitutional Development and 17 others(Western Cape High Court 16703/14).
Deeply indebted consumers must prepare for yet more pain after the Reserve Bank decided to increase the repo rate by 25 basis points pegging the rate at 6%.
Neil Roets, CEO of debt counselling firm, Debt Rescue, said the increase comes at a time when electricity tariffs and the fuel price are near all-time record highs.
“Deeply indebted consumers are incredibly vulnerable to any price increases and the escalation in the cost of borrowed money is going to have a very real impact on them.
“Home owners with bonds to repay can expect a significant increase in their monthly repayments. It is also going to have a direct impact on the cost of all goods and services.”
He said the fact that total consumer debt now tops R1.427 trillion – according to the latest figures released by the reserve bank – shows that consumers are having a very hard time.
“We know from figures released by the National Credit Regulator and Statistics South Africa that the majority of indebted consumers already owe 75% of their monthly pay to creditors. More than half are three months or more behind in their debt repayments.”
Inflation accelerated by 0.1 of a percentage point to 4.7 percent year on year in June from 4.6 percent year on year in May, Statistics SA data showed on Wednesday.
“This is well within the reserve bank’s target of three to six percent. However, there are concerns that inflation is set to rise in the next few months.” Roets said.
Pensioners with investments will welcome a rate increase but with toll roads, an increased fuel prices and rising food costs, many consumers will be feeling the pain.
“We are seeing growing numbers of indebted consumers knocking on our doors as a last resort to try and get out from under their mountain of debt by going under debt review.
“This remains the best way from deeply indebted consumers to pay off their debt in smaller instalments over a longer period of time whilst enjoying full legal protection. None of their assets may be attached by debt collectors while they are under debt review,” Roets said.
IF WE do not find jobs for the poor, South Africans are fond of repeating, they will turn on us and burn SA down. But what if we are already doing much worse to the poor than failing to provide them with work?
What if we are using the most august institution we have — our courts of law — to rob millions of poor people blind?
This is the essence of the revelation contained in a High Court judgment handed down earlier this month invalidating garnishee orders on the salaries of 12 Stellenbosch wine farm workers.
Here is what has happened in the past few years to as many as 3-million low-wage South African workers. A person of little means is offered credit at an exorbitant rate of interest. She falls behind on her repayments. Some unpleasant people come around to her home brandishing a piece of paper that she must sign. On committing her signature to paper, she consents to have regular deductions placed on her salary, the amount to be determined by a magistrate.
But no magistrate is ever involved. The debt collectors are in league with innumerable court clerks littered throughout the country, who summarily issue garnishee orders on the debtors’ monthly salaries. No evaluation of the debtors’ capacity to pay is made. Some of the farm workers involved in the case had more than half of their salaries deducted each month. There were reports of others who had 90% of their earnings taken from them in this way.
On an industrial scale, a vast process of redistribution is under way. A machine designed to trap millions is sucking the salaries of the poor directly into the accounts of moneylenders and their lawyers. Large organisations have evolved to oil the wheels of this machine. One of the defendants, a law firm called Flemix, reported to the court that there were 150,000 active cases on its books.
That a nationwide system has been rigged to take from the working poor is the least of it. The scandal is that institutions at the heart of SA’s legal order have been reconditioned to do the dirty work. Indeed, the scam borrows the authority of the law; that is what makes it all possible.
Optimists might argue that this month’s judgment vindicates our legal order. After all, the scam has been exposed and a judge has issued a remedy.
I am not so sure. The order Judge Siraj Desai handed down declares parts of the Magistrate’s Court Act unconstitutional. But several components of the scam are already unlawful under the existing act and so rewriting the law is no guarantee at all.
Dismantling this dark system and ensuring that it does not return requires a legal order that exercises permanent vigilance over itself.
Such vigilance has not been much on display. One might have expected the Department of Justice, on discovering that the court system under its watch has been used for such despicable purposes, to jump into action. And yet, sadly, the justice minister is a defendant in this case, his name appearing in the judgment alongside the moneylenders and their lawyers.
One might also have expected trade unions to join the fray. That the working poor are being cheated in their millions is surely union business. And yet unions have had no involvement in this case at all.
I am not sure that it is understood quite how much is at stake. A basic contract has been broken. The most elevated of our formal institutions has been used to prey upon the weak. Who now has the moral authority to demand that striking workers refrain from violence? Who has the authority to tell a person in debt not to steal?
Only reparation can mend this broken contract. Hundreds of thousands, probably millions, of active garnishee orders are now unlawful. The Department of Justice ought to commit itself to ending them all.
It ought to call upon the legal profession to staff a national bureau, pro bono, which any South African beholden to a garnishee order can approach.
It would be a huge undertaking. But it is the only reparation I can think of that is worth its name. The legal order has failed millions of people. It needs to win back their confidence.
• Steinberg teaches African Studies at Oxford University and is a visiting professor at the Wits Institute for Social and Economic Research
Cape Town - Justice Department has urged creditors and their attorneys to study a judgment declaring emolument attachment orders (EAOs) against a group of Stellenbosch workers illegal and unlawful, and to rescind EAOs that have been obtained illegally.
The department also urged employers to be proactive and negotiate with creditors to withhold the orders until the Constitutional Court ruled on the validity of clerks of the court to issue EAOs without judicial oversight.
An EAO is a debt recovery legal instrument that allows for a portion of a debtor’s salary to be deducted and paid directly to the creditor.
Earlier this month Western Cape High Court Judge Siraj Desai struck a blow for poor people exploited by microlenders when he declared EAOs against a group of Stellenbosch workers unlawful.
The Stellenbosch University Legal Aid Clinic took up the case of the group of low-income earners in and around Stellenbosch.
Some had had almost half their salaries deducted, some were charged up to 60 percent interest and some of the loans were in contravention of the National Credit Act.
The EAOs of the workers had been obtained in magisterial districts as far away as Kimberley and Winberg, which Desai said was illegal.
Desai said part of the Magistrate’s Court Act, which allowed for clerks of the court to issue EAOs without judicial oversight, was inconsistent with the constitution.
Clinic director Kruger van der Walt last week brought an application to the Constitutional Court to both rule on the constitutionality for clerks of the court to issue EAOs without judicial oversight, and on the constitutionality of a debtor to consent in writing to the jurisdiction of a magistrates’ court other than that in which that debtor resides or is employed.
Van der Walt commended the department for urging creditors and their attorneys to consider the judgment.
Spokesperson Mthunzi Mhaga said the department was finalising amendments to the Magistrate’s Court Act in an attempt to curb abuse in the recovery of debt.
This bill would be available on the department’s website for further consultation before it was submitted to Parliament for consideration and enactment, Mhaga said.
“This comes after the University of Stellenbosch Legal Aid Clinic, on behalf of several debtors, brought a court application to have certain provisions of the Magistrate’s Courts Act declared unconstitutional and invalid because they do not provide for judicial oversight over the authorisation and issuing of EAOs,” Mhaga said.
“The court was also asked to give clarity on whether section 45 of the act permits a debtor to consent to the jurisdiction of a court other than that in which the debtor resides or employed in respect of the enforcement of a credit agreement to which the National Credit Act applies.”
YOUR editorial, "Abusive creditors must be reined in" (July 15), refers.
In the case of the University of Stellenbosch Legal Aid Clinic versus the minister of justice, the court decided that emolument attachment orders were unlawful. The court went so far as to say there must be judicial oversight before any such order can be granted and that a magistrate must bear in mind that the underlying rationale is the protection of the consumer.
This case becomes all the more important as it deals with execution orders that are made against the salaries or wages of individuals in order to satisfy judgment debts. The consequences of the emolument attachment orders are enormous and they certainly do infringe on the right of debtors and their families, as well as their rights to access healthcare, food, education and housing. The risk seen was that the attachment orders are open to abuse by unscrupulous creditors.
It is vital that our courts fully understand that they do need to protect consumers and they must bear in mind individual circumstances before an attachment order is granted. Although the judgment given by Judge Siraj Desai might go on appeal, we are indebted to the court for bringing this issue to the fore. It is clear many companies are now starting to investigate the indebtedness of their employees. Already, Anglo American is investigating every claim made against employees’ earnings and it was shown that about 26% of the platinum workforce was heavily indebted.
I would go so far as to say that much of the trouble we saw at Marikana was due to emolument attachment orders. Many, if not the majority, of the employees on the platinum belt see a large percentage of their salaries deducted before they receive anything.
I think this judgment will be a game-changer for industrial relations and for the way human resource departments view employees and the need for basic necessities. It must be said that without the drive and assistance of businesswoman Wendy Appelbaum this matter would not have been brought to the courts so effectively. We need to applaud this effort.
Michael BagraimCape Town
IT REMAINS to be seen whether the report of the Farlam commission of inquiry into the Marikana massacre will have significant political repercussions, or result in meaningful reforms to the way the police service operates. However, it is clear from developments last week that the 2012 tragedy is already causing ructions in the financial services sector, especially the market for unsecured loans.
That is because it became apparent in the aftermath of the police shootings that socioeconomic factors — specifically atrocious living conditions and severe over-indebtedness — were among the drivers of the unprotected strike at Lonmin’s Marikana mine, which the police opted to break through the use of force on that fateful day.
Subsequent investigations by the media and civil society organisations showed that in addition to loan sharks operating with impunity in the Marikana community in violation of the National Credit Act, there was widespread abuse of emolument attachment orders by rogue debt collectors acting in concert with corrupt court officials.
Many of the striking miners were not only living in squalid shack settlements on the periphery of the mine property due to a lack of formal housing provided by either Lonmin or the local authority, but were up to their eyeballs in debt, with little left of their take-home salaries after repayments had been deducted.
One consequence of this gross overindebtedness, which the National Credit Act is supposed to prevent, has been a marked step-up in the activity and visibility of the National Credit Regulator, which came under fire for resting on its laurels prior to Marikana.
The regulator, which is tasked with policing the act, has since cracked down severely on money lenders that do not comply with the law, especially with regard to practices such as charging usurious rates of interest and demanding that borrowers surrender their bank cards and PIN numbers so that repayments can be withdrawn the moment weekly wages register in bank accounts.
Last Thursday, shares in retail company Lewis Group fell more than 7% when it emerged that the regulator had asked the National Consumer Tribunal to impose an unspecified fine on the company for mis-selling credit insurance. Lewis, 70% of whose sales of furniture and appliances are on credit to lower-income consumers in small towns such as those on the platinum belt, is alleged to have indiscriminately sold such policies to pensioners and self-employed customers who could not be retrenched or become redundant and, therefore, had no hope of being able to claim for loss of employment.
In addition, the regulator has submitted draft recommendations to the Department of Trade and Industry for drastic changes to the maximum prescribed interest rate that can be charged on unsecured credit transactions. The regulator proposes that the current 32.65% rate be slashed to 24.78%.
The proposals have been published for public comment.
The mining industry has also been compelled by the fallout from Marikana to intervene to tackle the issue of employee indebtedness, especially since as employers they have had little choice but to comply with emolument attachment orders ostensibly issued by courts.
However, last week’s Cape High Court ruling declaring parts of the system unconstitutional on the basis that they lead to the abuse of borrowers’ human rights and limit their right to dignity, will make it easier for companies to refuse to deduct excessive amounts from workers’ wages.
In addition, a case brought by Anglo American Platinum against excessive fees charged by bad debt administrators will have been boosted by the ruling.
Johannesburg - Anglo American Platinum (Amplats) locomotive driver, Sarah Motuku, 44, who was trapped in a cycle of debt because of garnishee orders against her monthly salary, on Friday welcomed a court ruling that emolument orders were invalid.
Amplats took debt administrator Hannetjie van der Merwe and the HVDM administrator to court for charging exorbitant fees, which had impacted the finances of its employees.
Western Cape High Court Judge Siraj Desai on Wednesday declared that deductions that had been made by debt collectors were “invalid” and “unlawful”. In his judgment, Desai found that Flemix & Associates were obtaining judgments against the applicants in courts far from places of work and in places where they could not hope to reach.
Their right to approach the court was jeopardised if not effectively denied.
150 000 cases
Flemix & Associates does debt collection for 45 credit providers countrywide.
According to court papers, the firm has 150 000 active cases, and is trying to recover R1.6 billion in outstanding debt for credit providers.
Judge Desai ruled that the Law Society of the Northern Cape should investigate whether Flemix & Associates had breached their ethical duties relating to the securing of emolument attachment orders.
A garnishee order allows a creditor to secure repayment of a debt directly from the wages of the indebted individual. Before a garnishee order can be granted, the borrower has to have defaulted on repayments or appeared in court to admit liability for the debt. The court will then agree on a repayment schedule with the borrower and the lender and will grant a garnishee order on this basis.
Amplats spokesperson Mpumi Sithole, said the company hoped to clarify the law regulating administrators, and to hold accountable administrators that it considered to have overstepped the bounds of the law, or to be exploiting ambiguity in respect of their entitlements.
Over-indebtedness among mineworkers was one of the underlying issues that led to the wildcat strike at Lonmin’s Marikana mine in mid-August 2012 and to the killing of more than 40 people.
Motuku, a mother of three, said of her R8 000 monthly salary, she used to take home around R2 000. “My payslip would show that the garnishee orders people got to my money before I touched it. I was sick. I went to doctors and psychologists because there was no happiness in my life,” said Motuku. She said Amplats had helped her cut down debt repayments.
Amplats launched a programme to help employees with affordable debt repayment plans. It has helped employees cut debt repayments to 26 percent, giving employees an extra 27 percent of their net income.
South Africans are struggling with crippling debt, as the country was ranked as having the world’s biggest borrowers according to the World Bank’s 2014 Global Findex Database study.