Why are South African lawyers remaining in the dark with POPI?
The Internet: A massive force for good
The Internet has revolutionised our society, changing our commercial and social activities far more rapidly than any changes in human history. It promises to be a massive force for good in the world, democratising knowledge, revolutionising education, increasing political and business transparency, creating completely new economies (and jobs) and facilitating time and cost efficiencies in existing economies unthought of ten years ago.
Our increasing dependence on information and communications technologies has, at the same time, brought new risks, which simply cannot be ignored by anyone in our information society. This article confines itself to the issue of risk to personal information and the duties of lawyers in this regard. We have an important role to play but regrettably South African lawyers have been, at best, reticent in embracing the information revolution and the benefits that it holds for us as a profession. As importantly, we have been apathetic in accepting responsibility for and have largely failed to discharge our professional duty to take the measures necessary to ensure the confidentiality and integrity of client information processed in electronic form.
The threat to privacy of personal information
The right to privacy is a fundamental human right, enshrined in s 14 of our Constitution. The ever-accelerating ability to process increasingly large volumes of information about individuals has long been seen as one of the major threats that the information revolution holds for our society. For decades there have been privacy directives and privacy legislation published globally, aimed at establishing appropriate protections against the abuse of personal information. Today privacy is the most burning jurisprudential issue globally and pervades the political, economic, societal and technological landscape, shaping approaches to existing and new law in the information society at every turn. Aside from its purely jurisprudential importance, data privacy has been identified, by the Harvard Business Review, as one of the issues business cannot afford to ignore in 2015. Protecting personal information is not only our duty as lawyers but is simply good business.
Why are South African lawyers ignoring privacy?
The threat to our privacy already affects us and our loved ones profoundly; it adversely affects our clients, and it threatens to adversely affect our practices unless we wake up to the reality of the 21st century. The question that must be posed to South African lawyers is: why are we ignoring this threat? In assessing compliance with our professional and statutory duties we must make the effort to understand these jurisprudential developments, which are critical to legal practice in the 21st century.
Without understanding the legal requirements governing data messages (electronic communications and electronic records), established in the Electronic Communications and Transactions Act 25 of 2002 (ECT Act), and the conditions for lawful processing of personal information established in the Protection of Personal Information Act 4 of 2013 (POPI), as well as the background to these legislative instruments, it is simply impossible to understand the threats to personal information in cyberspace or to determine how to combat them.
My experience is that very few lawyers in South Africa have read the provisions of these Acts, let alone tried to understand them. Despite this failure, lawyers who have chosen not to understand the laws and practices governing the digital world typically still use information and communications technologies on a daily basis to process their clients’ and their own business information, with little regard to their professional obligations of maintaining confidentiality and integrity in the information. This approach is simply irreconcilable with practising law in the 21st century.
Duties of lawyers
Some lawyers are happy to remain in the dark about their duty to protect client information. Some may point to the fact that the operative parts of POPI have not been proclaimed to have commenced. I doubt though that any will seriously dispute their obligation to uphold the Constitution. The point is that rights to privacy do not derive from POPI but from the Constitution, and the obligation to safeguard personal information has long been regarded as a corporate obligation globally. Indeed s 76 of the Companies Act 71 of 2008 requires that we conduct our businesses with the degree of care, skill and diligence that may reasonably be expected of us. If we use information and communications technology (ICT) we should be mindful of the risks of doing so and are obliged to take appropriate measures to guard against the harm that those risks threaten (the reasonable man test).
The rights that our clients have in this regard are already firmly established in our law. POPI merely provides the framework for the enforcement of these rights with particular relevance to the processing of personal information and establishes offences applicable when processing violates this constitutional principle. We also need to acknowledge that while the purpose of POPI is to establish safeguards for the confidentiality and integrity of personal information, its stipulations correspond directly to and reflect our professional obligation to maintain the confidentiality and integrity of our clients’ information, an obligation which has been established for centuries.
As lawyers, we have always dealt with paper and text (and continue to do so) and have developed appropriate safeguards for the protection of confidentiality and integrity. These safeguards will still apply, as POPI is not confined to electronic information but covers information in paper and text as well. Similarly, we have to develop, establish and maintain appropriate safeguards for the processing of information in electronic form.
It is accepted that most lawyers will, through their general understanding of law and a careful reading of the appropriate legislation, be able to deal with the legal principles applicable to the protection of personal information. However, this understanding has to be expanded to incorporate appropriate information security principles, which are the foundation for the safeguarding of electronic communications and records.
The basis of appropriate information security is to be found in information security standards (many of which are internationally recognised) that may be generic or apply to a particular sector, profession or industry. While law societies and Bar associations in many jurisdictions provide guidelines in this regard (as does the Law Society of South Africa (LSSA)), there are no specific standards that are obligatory for the legal profession. This having been said, the International Standards Organisation provides a comprehensive framework for information security, in particular ISO27001 (which deals with the establishment of an information security management system) and ISO27002 (which deals with the control measures that need to be considered in protecting information). These are a good starting point from which the ‘how’ of protecting personal information can be considered. Measuring our conduct against these established practices is what is contemplated in s 19 of POPI, which requires the implementation of generally accepted information security practices.
The issue of information security has for some time been regarded as a legal obligation, and the report entitled ‘The emergence of cybersecurity law’, prepared for the Indiana University Maurer School of Law in February 2015, examines the growing field of cybersecurity law. It stresses the importance of lawyers practising in ICT and related law properly understanding cybersecurity and the law which is developing around cyberspace.
As information and communications technologies increasingly impact on numerous areas of substantive and administrative law, it is critically important that aspiring lawyers are properly educated at tertiary level in the appropriate disciplines to prepare themselves for practice in the 21st century, and that greater efforts are made to assist in the education of practising lawyers through practical legal training and other forms of education. Certainly, for any lawyer who professes expertise in privacy, the protection of personal information and ICT law generally, the failure to understand the reality of how we safeguard information in the 21st century is a yawning hole, which renders the ‘legal’ advice provided by these lawyers deficient at best, and quite probably dangerous.
The first issue for any conscientious lawyer to consider is how he or she complies with the obligation to ensure the confidentiality and integrity of client information. Certainly, if lawyers cannot do this within their own organisations, providing advice to their clients would be inappropriate. To do so lawyers must understand the relevant law, which entails at the very least proficiency in and understanding of the ECT Act, POPI and the Promotion of Access to Information Act 2 of 2000. They will also need to understand what technologies are appropriate for the processing and safeguarding of client information and what processes have to be established (in the form of policies, procedures, standards and guidelines) governing the proper use of the technologies employed by them, and to ensure that their people are properly trained and can adhere to these processes. Unless an appropriate organisational infrastructure (often referred to as an information security management system) is established, complying with POPI and achieving appropriate levels of security will, at best, be difficult and, in all likelihood, impossible to achieve.
From a business perspective it must be recognised that not only are lawyers responsible parties in respect of their clients’ personal information, but most practices will also be instructed by institutions (responsible parties) and be expected to act as operators in the processing of personal information. In this regard there is a statutory obligation on responsible parties to enter into written agreements with operators that require minimum levels of information security to be established safeguarding the processing of personal information. Lawyers who fail to meet this minimum threshold may find themselves losing clients as a result.
While not a statutory requirement of POPI, from a practical perspective the use of advanced electronic signatures (or digital signatures which provide commensurate reliability) is one of the practical steps that can be taken in safeguarding electronic information, both in its communication and in its storage. It is beyond the scope of this article to deal with electronic signatures in any detail, but guidance on this important issue can be found in the Guideline on Electronic Signatures for South African Law Firms published by the Law Society of South Africa (see www.lssa.org.za).
The reality is that neither the professional bodies nor legal practices generally have paid much attention to their obligations in terms of POPI. This failure poses considerable risk to the personal information of clients, individual legal practices and the reputation of the profession as a whole.
The LSSA can and has begun to address the issue, but a significant amount of work is still required of our professional bodies. Lawyers who might see this as an excuse for their own failure to comply with POPI are mistaken. It is critical that they develop the core competencies required to comply with their professional duties and, as importantly, to provide the advice that clients will seek from them.
The Law Society of South Africa Guidelines
The question may be asked: what has the Law Society of South Africa (LSSA) done relating to the protection of personal information?
Despite the apathy of the profession, in 2013 the LSSA organised and presented a road-show to deal with the protection of personal information, which was held at six different centres throughout the country. This was not as well attended as one would have expected, considering the impact POPI has on both the practice of law and the advice that we will be expected to provide to our clients.
The LSSA has also commissioned and has published on its website (www.lssa.org.za), among others, guidelines addressing the:
- ‘Protection of Personal Information for South African Law Firms’.
- ‘Information Security for South African Law Firms’.
- ‘Electronic Signatures for South African Law Firms’.
These guidelines are intended to create a foundation on which initiatives by lawyers to address these issues can be based. They also provide extensive references to materials that will be of assistance.
More recently the LSSA’s Executive Committee commissioned a report on its information and communications technology obligations in fulfilling its mandate in terms of the new Legal Practice Act 28 of 2014. Among the issues addressed in the report (and highlighted as a priority) is assisting lawyers in discharging their legal obligations in terms of POPI. This will result in a far better understanding of information management, information security and the protection of personal information.
It should also have the ‘knock-on’ effect of ensuring the accuracy and value of advice provided by lawyers to their clients in this regard, particularly relating to the information security interventions that are a non-negotiable facet of the protection of personal information.
It was also recommended that the LSSA and the provincial law societies collaborate with one another in developing a code of conduct, as contemplated in POPI, defining the specifics of what is required in the normal course of practice in the protection of information generally and personal information in particular. This will establish a minimum threshold that, if achieved, will allow lawyers to demonstrate compliance with their professional obligation to safeguard confidentiality and the integrity of client information, which to a large extent is, by definition, personal information.
Of course the LSSA and the provincial law societies are themselves also subject to POPI, and it is essential that in this transitional period compliance with POPI is addressed by the National Forum of the legal profession, looking forward to the future governance of the legal profession under the Legal Practice Council.
After reporting to the LSSA’s Executive Council, a further meeting was held with the directors of each of the provincial law societies and those responsible for their administration. While the discussion encompassed issues in addition to compliance with POPI, the importance and urgency of engaging with lawyers to facilitate appropriate approaches to compliance with POPI was stressed.