We’re living in the information age, that means tons of information and data is floating about either online or offline. The data can be private or public, but the data belongs to one person, and only they can decide how, where and why it can be used. 

Welcome to your 101 on data privacy law and why you should care if you’re in the media. 

First, what is data privacy? 

It’s giving individuals control over their own information – this could range from their name, cell number, home address, work address to more high level information like bank details and business accounts. It even includes information about your online activity, whether it’s your social media usage, or the conversations you have online. 

Data privacy ensures that your information – if shared with an outside party – is kept confidential and not shared with any external parties without your permission. It also limits how much of your online information is collected and stored. Information sharing can sometimes be a good thing, but it also increases the risk of unethical or unlawful use of your information by secondary and third parties. These can be hackers or criminals, surveillance and monitoring and/or use of information for targeted marketing and advertisements. The rise of the digital age is making data privacy even more important.

The Protection of Personal Information Act (POPIA) was first introduced in South Africa in 2013 but was only wholly implemented in 2020. The purpose of POPIA is to give effect to the Constitutional right to safeguard personal information when processed by a responsible party. It also considers giving people the rights and remedies to protect their personal information from processing when it is not in accordance with POPIA. 

The Act applies to any person or organisation that keeps any type of record relating to the personal information of anyone. These include big and small businesses, banks, the healthcare industry and insurance companies among others. But there are some exceptions – organisations or individuals may apply for an exemption from POPIA from the Information Regulator if public interest or benefit outweighs infringement of the Act. 

This makes it very tricky for journalists and media persons, because one of the core values of the media is to report on things that are in the public interest, yet there have been cases where journalists were lambasted for acquiring and sharing confidential information despite it being in the public interest. 

One such ongoing case is between former president Jacob Zuma and legal journalist, Karyn Maughan. 

In September 2022, Zuma launched a private prosecution against Maughan and state prosecutor Billy Downer. Zuma accused Downer of breaching the National Prosecuting Act, when he leaked Zuma’s doctor’s letter to Maughan. 

Industry leaders are calling Zuma’s actions an attack on media freedom – an attack on Maughan – and an attempt to stop her from doing her work. Maughan’s pursuit of legal documents is not an infringement of privacy;  it is fair practice in journalism,  especially when the case and person concerned is of public interest. And in this case, it’s the former president of South Africa. 

When it comes to the media’s access to information, Section 7 of POPIA on Exclusion for journalistic, literary or artistic purposes, states that the Act “does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.” 

There are, however, expectations that journalists act ethically and in accordance with the clauses on privacy and personal data in the Press Code of Ethics for Print and Online Media, and within the prescripts of POPIA. They must also be able to motivate why the information obtained is in the public interest. This is especially important in the event of disputes.

Simply put, an organisation or an individual cannot just reference POPIA to deny journalists access to information, especially if the needs for the information are in the public interest. 

Data privacy expert, Murray Hunter said  newsrooms should be wary of ‘data protection’ becoming the new ‘no comment’ – or ‘this matter is sub judice’. 

“Enforcing data protection rules doesn’t mean that public institutions and powerful figures can now be shielded from scrutiny, and journalists should ensure that spokespeople don’t try to misuse POPIA to block legitimate questions from the media,” he said. 

In the same breath, journalists have the right to protect their sources, especially in sensitive cases where the source could be targeted or harmed for sharing information. So, newsrooms are also expected to enforce data privacy policies and practice them regularly, as Hunter points out: 

“Data protection is like dental hygiene: it’s not a once-off event, but relatively painless as long as you give it ongoing attention. But the big first steps: ensuring that you have a privacy policy, that all staff understand the policy, and that newsletters and any other subscription products are in line with the policy.” 

Note: International Data Privacy Day is on 28 January, and aims to create awareness around the importance of data privacy and data protection. What are you doing to ensure data in your organisation is protected?