Background

The South African Social Security Agency (SASSA) is in hot water. If the matter is not handled properly – and quickly, it could result in millions of beneficiaries drowning in financial woes. SASSA’s current contract for the payment of social grants expires on 31 March 2017. Although unlikely, there is a chance that beneficiaries may not be paid after this date.

In 2014 the Constitutional Court declared the contract with Cash Paymaster Services (CPS) invalid but the order was suspended to allow SASSA to make alternative payment plans. In 2015 there was a tender process for a new service provider but the Department of Social Development stated that it did not receive enough bids that complied with all the administrative requirements. SASSA then filed a report on 5 November 2015 stating that it would not award a new contract but intended to take over the payment function from 1 April 2017. Minister Bathabile Dlamini said that she only became aware, in October 2016, that SASSA would not be able to take over the grant payments by 31 March 2017. As SASSA is unable to take over the payment function, it wants to use CPS as its service provider because it says CPS is the only company that meets its requirements for biometric identification. A new contract is already likely to be in place. According to the Minister of Finance, a new contract will be unlawful and uncompetitive and an infringement to section 217 (the procurement provisions) of the Constitution.

Data protection and Privacy

SASSA probably has one of the largest public biometric databases in South Africa (other organisations such as the Department of Home Affairs and the banks also have similar databases). This is because millions of beneficiaries have had their fingerprints, photographs and even their voices captured for an automated payment system that forms part of the contract with CPS. This information is personal information under the Protection of Personal Information Act (POPIA). Net1 UEPS Technologies Inc (Net1), CPS’s mother company, which has partnered with Grindrod Bank and Mastercard has exploited the biometric database to market financial services to the SASSA beneficiaries. Section 69 of POPIA prohibits the processing of personal information for direct marketing by means of any form of electronic communication; this includes SMS and email correspondence. Such marketing is permissible in the following circumstances:
• the data subjects, in this case, the beneficiaries, have consented or are customers of the responsible party;
• the customers have not previously withheld such consent; and
• if the data subjects are not customers, they are approached once.

The Black Sash Trust

The Black Sash Trust is a non-profit organisation mandated to ensure that the poor, vulnerable and marginalised recipients of social grants are treated with dignity. The organisation made an application to the Constitutional Court (The Black Sash Trust v The Minister of Social Development & Others) which seeks to protect the rights of the SASSA beneficiaries. The application seeks amongst others to ensure that payments will be effected to the beneficiaries after 31 March 2017. Further, it provides for protection of the SASSA beneficiaries’ personal information. Black Sash, in its application provides that any new contract between SASSA and CPS must contain adequate safeguards to ensure that personal data obtained in the payment process remains private. This information may not be used for any purpose other than for what it was collected for i.e. the payment of grants, or any other purpose sanctioned by the Minister in terms of sections 20(3) and (4) of the Social Assistant Act 13 of 2004. This purpose specification is in line with section 13 of POPIA. Additionally, the application provides that the personal information collected should remain SASSA’s property. And that once the contract is terminated, personal information must not be retained for longer than necessary. The information must be removed from CPS’ and affiliates’ possession (section 14 of POPIA), as well as precluding a contracting party from inviting SASSA beneficiaries to “opt in” to the sharing of their information for marketing purposes.

Black Sash is no stranger to data protection and privacy rights, it has intervened in a number of cases against Net1. Black Sash has challenged the Social Assistance Regulations intended to protect grant beneficiaries from service providers who have access to the SASSA bank accounts of the beneficiaries to whom they market products.

It is great to see Black Sash advocate for the data protection and privacy rights of the beneficiaries. Section 7(3)(g) of the SASSA Act places an obligation on the Minister to determine a code of conduct applicable to SASSA employees for the protection of confidential information held by SASSA other than as contemplated in section 16 of the SASSA Act. Section 16 contains a broad prohibition on the disclosure of confidential information held by SASSA and contravention of this section amounts to an offence. In the founding affidavit, it is stated that beneficiaries are unaware of the SASSA card’s terms and conditions. These terms provide that beneficiaries consent to their confidential information being collected and to be sent marketing material from affiliates, as well as for their information to be shared with third parties. Black Sash further provides that they have only seen the terms and conditions printed in English.
The beneficiaries’ lack of knowledge places them in an unfair position, and ultimately amounts to the infringement of their constitutional right to privacy.

The Information Regulator

The office of the Information Regulator is empowered to roll out education and advocacy campaigns to all parties concerned and involved in the processing of personal information. This includes SASSA employees, operators and beneficiaries for the purposes of understanding, promoting and accepting the conditions for lawful processing of personal information. This means that both SASSA and CPS are subject to the monitoring of Information Regulator in relation to their compliance (or non-compliance) with the relevant provisions of POPIA. To give teeth to the many data protection and privacy provisions, across the various pieces of legislation, training on POPIA is critical as it will be applicable once fully in effect. The Information Regulator has extensive powers to address data protection and privacy infringements and given the ease of potential misuse of personal information, it is imperative that the office of the Information Regulator becomes fully operational as soon as possible.

SASHA BEHARILAL
PPM ATTORNEYS
9 MARCH 2017