Melissa Cawthra is a programme and research officer at the African Policing Civilian Oversight Forum (APCOF).

In the information age, data is valuable currency and South African public officials are sitting on a gold mine.

Most of us are familiar with the Sassa/CPS scandal by now: corruption, fraud and mismanagement within the government’s social security agency leading to the leaking of the personal information of 17 million grant beneficiaries by the company it contracted to make the payments; in turn leading to unlawful and unauthorised deductions from the bank accounts of Sassa grantees by unscrupulous third parties preying on the most vulnerable members of society through airtime, funeral policies and loan schemes.

It’s a cautionary tale about the potential excesses of state power, the extent to which individuals’ right to privacy can be violated when these powers go largely unscrutinised, and the disproportionate impact that lack of oversight and regulation can have on poor and marginalised communities.

The long-awaited operationalisation of the Protection of Personal Information Act (Popia), drafted in 2013, will become a reality on 1 July 2021. The Information Regulator (the custodian of Popia) has published general guidelines on the development of codes of conduct for the processing of personal data on its website. The guidelines are intended as a benchmark for a wide group that includes relevant bodies, stakeholders and the regulator itself. However, they lack detail on the regulation of specific surveillance technologies and concerns remain about the misuse of personal data in the hands of government officials.

Generally, these concerns involve the granting of overly broad powers of discretion to the police and the Department of Home Affairs (DHA) in collecting, processing and storing the sensitive personal information of nationals and non-nationals. Under Popia, the processing of personal data is authorised under certain exceptional circumstances. Exemptions include matters of national security (such as the prevention of crime and terrorism), but are subject to checks and balances to ensure the processing is necessary, justified and proportionate, and that it meets the requirements of international human rights law norms and standards.

The DHA’s draft identity management policy, funded by SAPS and the Department of Justice, proposes that the biometric information captured by surveillance cameras installed in public spaces — which are equipped with facial recognition software — be linked to the DHA’s population register and that this database be shared with the police; ostensibly to improve the efficiency of criminal investigations. While the DHA advances its plans to migrate the database to a biometric system, there is still no legislation regulating police use of facial recognition software.

The draft policy calls for warrant-free searches of suspects and for all personal information — including biometrics — to be made available to the police without a court order, in the interests of national security.

There are currently no clear regulations for CCTV and related surveillance technologies in South Africa; nor is there any coordination between the laws that regulate surveillance. The Information Regulator will need to address this gap by enforcing a set of norms and standards for surveillance operators; offering guidance on how to balance the advantages of this technology as a crime-fighting tool with fundamental privacy rights. Central to this process will be the development of a code of conduct for surveillance systems: a set of legally binding rules with instructions on the installation and conditions of use of specific technologies to ensure compliance with the provisions of Popia and align South Africa with international privacy standards.

The code should include guidelines with respect to facial recognition software, big data and information matching, along with security safeguards for the ethical and responsible use of surveillance technologies. The set of codes developed by the UK’s Surveillance Camera Commissioner and published on its website provide a good benchmark and could be a useful template for the development of a code of conduct for South African surveillance operators. The regulator will also need to clarify the interaction between Popia and existing international and domestic surveillance and privacy legislation.

The proposed policies outlined above are thin on detail and appear to violate the principles of purpose specification, openness, further processing limitation, and security safeguards; meaning that they potentially fail to comply with four of the eight conditions for lawful processing enshrined in Popia.

In addition — and especially against the backdrop of other official measures adopted under the pretext of curbing the spread of the virus (such as the criminalisation of mis- and disinformation related to Covid-19) — they all point to a worrying trend towards state overreach in the processing of the sensitive information of citizens, and in regulating the control and flow of information within SA’s borders more broadly: there are obvious risks with granting the authorities unfettered access to the population register in a country already marred by corruption, police overreach and a long history of illegal state spying.

These are matters that fall within the mandate of the Information Regulator, which must act urgently to give full effect to the law it is required to uphold. While the regulator faces significant challenges with respect to staffing and funding, it no longer has the luxury of neglecting its core mandate, irrespective of internal dysfunction.

If its resources are so constrained as to prevent it from fulfilling its duties, the regulator should explore alternatives, such as seeking to establish strong partnerships with civil society actors to engage on these issues and provide oversight. DM