The Protection of Personal Information (PoPI) Act can only come into play once the Information Regulator that the Act envisions as its enforcer is fully operational. This could be anywhere between now and the 1st December 2018, which is fairly soon if all goes according to the Time Table of Activities on the Regulator’s website. This particular piece of legislation is designed to protect personal and identifiable information by regulating the collection and processing thereof by private and public bodies.
However, there is a level of concern in the security industry that the rights granted to individuals over their information will have a hampering effect on surveillance operations, but this is misdirected concern. While this Act is likely to impact how video footage records are stored and processed, it is not likely to prevent entities from using CCTV surveillance in their place of operation for the purposes of law enforcement and post-incident security management.
Keep calm and carry on
“There has been a fair amount of panic around PoPI, due to the fact that it is possible to argue that video surveillance is essentially creating a record of an individual’s unique identifier – their face,” says Laurence Smith, Executive at Graphic Image Technologies, “As a result, people are worried that this would mean, for example, if they’d been a victim of crime in a shopping centre, PoPI would prevent them from obtaining the CCTV footage to ascertain the identity of the perpetrator,” Smith explains.
“This is not necessarily the case,” explains Alan Alhadeff, Director and Attorney at Alhadeff Attorneys, “The PoPI Act is concerned with transparency and accountability in how an individual’s personal data can be used, and who can access that data.” Alhadeff makes it clear by stating that while the Act gives individuals rights over their personal information (including the right to request access to that information and to have that information removed and destroyed) that right is not directly affected by CCTV surveillance operations.
He adds, “Nor is the right to privacy, which is governed by the Privacy Act and which allows for surveillance in certain places and under specific circumstances, as long as the cameras are clearly visible and there is a distinct clear notice informing the public as such.”
CCTV not an infringement of rights
“Now if I fall victim to a pickpocket in a shopping mall, as the case may be, and I were to request to see the CCTV footage at the security control room, the manager would have to refuse me access to this footage, but not for the reasons most people think,” Alhadeff notes.
“If a crime has taken place, this needs to be reported to the proper authorities straightaway and the footage cannot be shown to third parties before it has become part of the official police record. This would tarnish the evidentiary record, and as part of a criminal case, the prescribed process needs to be followed,” Alhadeff says, making it clear that the inability to disclose footage to a third party has nothing to do with PoPI itself, but hinges rather on criminal procedure and privacy law. “We have to believe in the judicial process,” Alhadeff maintains, “and this is not a case where individuals should be allowed to take justice into their own hands, especially in light of the ‘innocent until proven guilty’ principle.”
So what impact is PoPI likely to have on security surveillance?
Every conversation around PoPI at this point is speculative, until we know what the Regulator looks like and how it will enforce the Act. “Right now, we’re advising our clients to examine how the Act’s requirements will affect their CCTV operations, from a practical perspective,” Smith says, “since responsible parties as defined by the Act, will have one year’s grace to achieve compliance.”
This means that individuals, businesses and state entities that have CCTV cameras in operation will have to examine their cybersecurity, hosting, storage and their data access, retention and destruction policies to bring them in line with the Act, and they’ll have 12 months to do so.
“Even though it’s a ‘best effort’ undertaking, it’s advisable to start sooner rather than later,” warns Alhadeff, “Once PoPI is in effect, compliance services will skyrocket, and it has been my experience that rolling out a comprehensive compliance programme can take anywhere from six weeks to six months ,” he stresses.