Cecil Kilpin | December 2020 Newsletter

The letter asked that as governments devise massive stimulus packages in the wake of the pandemic they prioritize clean air, clean water, and a stable climate – in ways that build resilience to future health crises while at the same time creating more sustainable jobs. According to a report published by the International Renewable Energy Agency, while COVID-19 may suppress carbon dioxide emissions in 2020, a rebound would mean reverting to energy-related carbon dioxide emissions that have increased by 1% annually on average since 2010. However, an increase in investment in renewable energy now could quadruple the number of jobs in the sector by 2050, according to the report; related recovery measures following the COVID-19 crisis could include flexible power grids, electric vehicle charging, energy storage, and efficiency solutions.

In many parts of the world, the crisis magnified the potential shortcomings of current business models and supply chains. In terms of food, in particular, COVID-19 and its secondary effects exposed many people to added deprivation. In April 2020, the World Food Programme warned that unless swift action was taken to tackle the pandemic, the number of people in low and middle-income countries with livelihoods under severe threat would nearly double to 265 million from 135 million. Sub-Saharan countries such as Somalia and South Sudan imported more than 40 million tons of cereals during 2018 to plug gaps in local food production, according to the report, leaving them extremely vulnerable to price swings during a global crisis like COVID-19. Many people in the US also suffer from a lack of food security; as of 2018, 37.2 million people in the country lived in food-insecure households, according to the US Department of Agriculture. However, urban farming could be one means of addressing not just future food resilience, but also environmental and health issues in a post-pandemic world.

For the full transcript of “The Great Reset” follow this LINK.

“The decision by Fitch and Moody’s to downgrade the country further is a painful one. The downgrade will not only have immediate implications for our borrowing costs, it will also constrain our fiscal framework. There is, therefore, an urgent need for government and its social partners to work together to ensure that we keep the sanctity of the fiscal framework and implement much-needed structural economic reforms to avoid further harm to our sovereign rating.” Minister of Finance, Mr Tito Mboweni, said.

Rating agencies have indicated that South Africa’s rating strengths include a credible central bank, a flexible exchange rate, an actively traded currency, and deep capital markets, which should help counterbalance low economic growth and fiscal pressures.

Sub-investment grade implications – what does it mean for the average South African

The Covid-19 pandemic shock hit South Africa at a difficult time. Recent downgrades saw South Africa reaching its lowest credit rating levels from the ‘big three’ rating agencies since 1994. Economic growth has continued to decline irrespective of the attempts to reduce structural constraints.

Financial strain to the government caused by the pandemic, weak economic growth, high wage bill as well as continuous support to the financially weak State-owned Companies have weakened public finances and led to government accumulating debt. Currently, government has accumulated debt stock of nearly R4 trillion and spends approximately R226 billion on interest costs.

If the cost of borrowing money for government increases, it means that government will have to either cut back on social spending or increased taxes. Further downgrades will extend the impact of lockdown restrictions. These restrictions led to many workers being laid off from work since companies were temporarily closing doors and cutting back on operational costs. Continuous rating downgrades will translate to unaffordable debt costs, deteriorating asset values (such as retirement, other savings and property) and reduction in disposable income for many.

Rating downgrades associated with Covid-19 have also resulted in many small businesses closing down and laying off a number of workers. Operational costs together with borrowing costs are expected to increase, supporting the motive to pass through the costs to consumers or further laying off workers.

The recent rating outcomes means that South Africa needs to fast track growth-enhancing strategies in order to rectify the accumulation of debt and minimize the costs associated with negative sentiments.

We can clarify what is meant by ‘personal information’ even further, by dividing it into categories, as follows:

Personal Data (General)
This includes information about a person’s:

• Age, colour, race, gender, sex, pregnancy, marital status, biometric information
• National, ethnic or social origin
• Sexual orientation, personal opinions, preferences or views of the Data Subject and/or the views or opinions of another person about the Data Subject
• Physical or mental health, wellbeing, disability
• Religion, conscience, belief, culture, language and birth
• Education, medical, financial, criminal or employment history
• Identifying number, symbol, email address, physical address, telephone number, location information, online identifier
• Correspondences sent by the Data Subject that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence
• The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Sensitive Data

POPIA provides for a separate category of information called ‘special personal information’ which
includes all information relating to:

• A persons religious or philosophical beliefs
• Race or ethnic origin
• Trade union membership
• Political persuasion
• Health or sex life
• Biometric information (fingerprints or blood type)
• Criminal behaviour (that is alleged or any proceedings relating to any alleged offence of the Data Subject, or the disposal of such proceedings)

The Data of Children

POPIA also specifically regulates the personal information of a child.

In what follows, we will briefly expand on the requirements for the lawful processing of the General Personal Data and thereafter take a brief look at the additional requirements imposed by POPIA for the lawful processing of Special Personal Information, and of Children’s Personal Information.

Lawful Processing of Personal Information (General):

The 8 Conditions for the lawful processing of personal information by or for a Responsible Party are the following:

1. Accountability

• Responsible Party must comply with these 8 Conditions

2. Processing limitation

• Personal Information should only be obtained by limited and lawful processing that does
  not unnecessarily infringe privacy
• Section 11 deals with the concept of consent, under Condition 2. Basically, personal information can only be processed if the Data Subject (or a competent person on behalf of a child), expressly consents to it. In addition, the Responsible Party bears the burden of proof for that consent. There are certain instances where consent is not required, and personal information may be processed lawfully – such as when it is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is party; or the processing complies with an obligation imposed by law on the Responsible Party; or it protects a legitimate interest of the Data Subject; or it is necessary for the
  proper performance of a public law duty by a public body; or it is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom the information is supplied. The Data Subject may withdraw his, her or its consent at any time

3. Purpose Specification

• The purpose for which the personal information is collected must be specific, explicitly defined and lawful

4. Further processing limitation

• Further processing must be compatible with the purpose for which personal information is collected

5. Information Quality

• Reasonably practicable steps to ensure personal information is complete, accurate, not misleading and updated

6. Openness

• Advise the Data Subject of certain mandatory information in respect of collection

7. Security Safeguards

• The integrity and confidentiality of the personal information must be secured

8. Data Subject Participation

• The Data Subject has certain access rights, including a right to request its deletion

Note that these conditions are not applicable where specifically excluded, or are specifically exempted by the Information Regulator (for example, where an exemption from having to comply with these conditions is deemed to be in the public interest or for the benefit of the Data Subject).

Codes of Conduct for particular Sectors:
Certain Codes of Conduct may be developed in order to clarify how the 8 Conditions are to be applied within a particular sector.

Lawful Processing of Special Personal Information (Sensitive Data):
A Responsible Party is prohibited from processing sensitive data, unless certain additional and specific criteria, are met- which are clearly set out in clauses 27 to 33. For example, where the processing is necessary to comply with an obligation of international public law. The Information
Regulator may also grant a specific authority (for example it being in the public interest). Should such criteria be met, then the information may be processed, but also subject to the 8 Conditions listed above.

Lawful Processing of Personal Information of a Child:
The processing of the Personal Information of a Child, is also prohibited by POPIA, unless certain criteria are met, which are listed in clause 35. One such requirement is that the processing is carried out with the prior consent of a competent person. Again, should the specific criteria laid out on Section 35 be met, then the information must also be processed in accordance with the 8 Conditions listed above.

Lawful Processing of Personal Information for Direct Marketing purposes:
Section 69 states that the processing of personal information of a Data Subject for the purpose of direct marketing by means of any form of electronic communication including automatic calling machines, faxes, SMS’s or email is also prohibited unless the Data Subject has given his or her consent to the processing or is a customer of the RP (subject to certain conditions).

The Rights of Data Subjects:

Data Subjects have certain rights, and these are set out in the Act.

1. To have personal information processed in accordance with the 8 Conditions set out in POPIA
2. To be notified that personal information about them is being collected in accordance with Condition 6 (Openness)
3. To be notified that personal information about them has been accessed or acquired by an unauthorised person, in accordance with Condition 7 (Security Safeguards)
4. The right to establish whether a Responsible Party holds personal information of that Data Subject, and to request access thereto, in accordance with Condition 8 (Data Subject Participation)
5. To request, where necessary, the correction, destruction or deletion of his, her or its personal information, in accordance with Condition 8 (Data Subject Participation)
6. The right to object, on reasonable grounds relating to their particular situation, to the processing of his, her or its personal information in terms of section 11(3)(a)
7. The right to object to the processing of his, her or its personal information if it is for the purposes of direct marketing
8. The right not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except where he, she or it has given his consent or is a customer of the Responsible Party (subject to certain requirements)
9. The right not to be subject to a decision which is based solely on the basis of automated processing of his, her or its personal information intended to provide a profile of such person
10. The right to submit a complaint to the Information Regulator regarding alleged interference with the protection of personal information of any Data Subject, or in respect of a determination of an adjudicator
11. The right to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information

When must a Responsible Party obtain Prior Authorisation from the Information Regulator?

There are certain instances where a Responsible Party is required to obtain prior authorisation from the Information Regulator, before it is able to process certain information.

These instances where prior authorisation is required, are set out in more detail in Sections 57, as follows:

1. Where unique identifiers of data subjects will be processed for a purpose other than the one for which the identifier was specifically intended at collection, and with the aim of linking the information together with information processed by other Responsible Parties
2. Where criminal behaviour or unlawful or objectionable conduct information on the Data Subject is processed on behalf of third parties
3. Where information is processed for the purpose of credit reporting on the Data Subject
4. Where special personal information (sensitive data) or the personal information of children is to be transferred to a third party in a foreign country that does not provide an adequate level of protection for the processing of this information

• The Information Regulator may include other types of information processing by law or regulation if the processing thereof carries a particular risk for the legitimate interests of the Data Subject
• Where a specific sector is subject to a Code of Conduct in terms of Chapter 7 of the Act, then this requirement will not apply to that sector

What is the process for obtaining this Prior Authorisation?

The Responsible Party is required to notify the Information Regulator of its intention to process the information and must not proceed with doing so, until the Information Regulator has completed its investigation, or the Responsible Party has received a notice that the more detailed investigation will not be conducted.

The Information Regulator will have 4 weeks after the notification to inform the Responsible Party as to whether it will conduct the more detailed investigation or not. Should the Information Regulator notify the Responsible Party that it intends conducting a more detailed investigation, it must do so within 13 weeks. Upon conclusion thereof, the Information Regulator must issue a statement concerning the lawfulness of the processing. Should a Responsible Party not receive the Information Regulator’s decision within the time limit specified, it may presume a decision in its favour, and continue with its processing.

The Responsible Party need only obtain prior authorisation once and not each time that personal information is received or processed, except where the processing departs from that for which it was initially authorised.

What if a Responsible Party does not comply with this requirement?

Should a Responsible Party fail to provide a notice to the Information Regulator or should the Responsible Party fail to suspend processing until the Information Regulator has completed its investigation – the Responsible Party will be guilty of an offence, and may be liable to a fine or imprisonment for a period not exceeding 12 months, or both.

Sincerely,