Stii posted a warning to his blog about an apparent practice of misappropriating personal information submitted to a job seeker website, Best Jobs, and disseminating that personal information to scam employment agencies. The warning begs the question whether Best Jobs is allowing the misuse of its users’ personal information and answering that question requires taking a closer look at privacy law in South Africa.
Privacy law in a nutshell
The primary law governing privacy law is the Bill of Rights and article 14 in particular:
Everyone has the right to privacy, which includes the right not to have-
(a) their person or home searched;
(b) their property searched;
(c) their possessions seized; or
(d) the privacy of their communications infringed.
The right to privacy is a general right to privacy first. The individual rights are subsets of the more general right itself. There is a two step test used to determine whether conduct constitutes a violation of the right to privacy in the Bill of Rights:
- Has a law or a party’s conduct infringed the right, taking into account the right’s scope; and
- If there is an infringment, is it justified under the Limitations clause in the Bill of Rights?
The Limitations clause is article 36:
36 Limitation of rights
(1) The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including-
(a) the nature of the right;
(b) the importance of the purpose of the limitation;
(c) the nature and extent of the limitation;
(d) the relation between the limitation and its purpose; and
(e) less restrictive means to achieve the purpose.
(2) Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.
So what does this all mean so far? It means there is a general right to privacy which can be limited by a law that applies generally.
The seminal case on the right to privacy is Bernstein and Others v Bester NO and Others. The Constitutional Court said that the right to privacy is informed largely by a legitimate expectation of privacy which, in turn, means that a person must establish that:
he or she has a subjective expectation of privacy and that the society has recognized that expectation as objectively reasonable.
The subjective component means that a person can’t have an expectation of privacy where that person has consented to have his or her privacy invaded. The objective component introduces a requirement for reasonableness when assessing an apparent privacy violation. There is a notion of a “continuum of privacy interests” which is a helpful application of this idea of a legitimate expectation of privacy. The Court in the Bernstein case said the following:
The truism that no right is to be considered absolute, implies that from the outset of interpretation each right is always already limited by every other right accruing to another citizen. In the context of privacy this would mean that it is only the inner sanctum of a person, such as his/her family life, sexual preference and home environment, which is shielded from erosion by conflicting rights of the community. This implies that community rights and the rights of fellow members place a corresponding obligation on a citizen, thereby shaping the abstract notion of individualism towards identifying a concrete member of civil society. Privacy is acknowledged in the truly personal realm, but as a person moves into communal relations and activities such as business and social interaction, the scope of personal space shrinks accordingly.
This is an explanation for why people in the public eye have a different legitimate expectation of privacy than people who are deeply private and secretive. A person’s legitimate expectation of privacy is determined by their level of publicity and the consents they have given to invasions of their privacy.
Without delving into the law further we can already see that an aspect of the legitimate expectation of privacy is this subjective expectation of privacy which is determined by factors like consent and so on. Bottom line here is that if you grant your consent to a company to collect and process your personal information in some way, you don’t have a legitimate expectation of privacy when it comes to the authorised use of that personal information.
The general right to privacy should protect another important interest called “informational self-determination“. This interest includes the ability to control what information is collected, how and and when it is used. It also includes the ability to access information which is held by another party and be able to determine what personal information has been collected and correct it if it is inaccurate (the Promotion of Access to Information Act was passed to protect and give effect to this aspect of informational self-determination).
So what does all this mean? It means that not only would your consent be required to enable someone to collect your personal information where it isn’t otherwise permissible but you have a say over what that information can be used for, not to mention the ability to find out what personal information authorised parties have collected and correct it if need be.
The proposed Protection of Personal Information Bill will take this process further and introduce a far more structured and mandatory regime to protect collection and processing of personal information but we are still some way away from that proposed law being passed. That being said, we recommend to our clients that they develop privacy policies in line with this proposed legislation because it is the likely shape of things to come (which is important when incorporating privacy considerations into a medium to long term project) and it provides sound principles for the collection and processing of personal information.
Best Jobs: friends or fiends?
General privacy statement
We may only use your email address or personal details to contact you from time to time about matters directly related to our website, such as sending you a password reminder, or changes in our website that may affect you. Your email address or any other part of your personal information will never be used for marketing purposes or be disclosed to third parties. You will be able to remove any of your personal information stored in our systems at any time, by using the on-line forms in our website.
This site contains links to other sites. We are not responsible for the privacy practices or the content of such web sites.
The privacy of your CV
We consider your CV as a personal document and we wish you to have full control over it, and whether or not you wish to have your contact details (name, address, telephone number) visible to employers.
When registering your CV, we will ask you to give us your email address. This email address will be disclosed to potential employers and recruiters looking for employees in our online database, and apart from that, we will only use it to send you CV update reminders and to contact you about matters directly related to this website.
We make an effort to limit access to our CV services only to employers or recruiters wishing to find employees. If any business is found to be using our CV services for something different to this, then we will immediately terminate their use of our services.
Although you may remove your CV from our searchable database at any time, companies who have had access to the database may have retained a copy of your CV in their own files or databases. We are not responsible for the retention, use, or privacy of your CV by companies in these instances.
We have implemented reasonable technical and organisational measures designed to secure your personal information from accidental loss and from unauthorised access, use, alteration or disclosure. However, we cannot guarantee that unauthorised third parties will never be able to defeat those measures or use your personal information for improper purposes.
There are a number of provisions in these quotes sections that should concern users, especially in the context of this scam warning. For one thing Best Jobs points out that it is not responsible for other services misusing either its own service or your personal information. Once you release it, Best Jobs will try keep your personal information safe but you take your chances.
Best Jobs does promise to terminate scammers’ access to its services once their misuse of the service comes to Best Jobs’ attention so the implication of the scammers’ continued access to the service despite being warned about the scams is that Best Jobs at least tacitly consents to this practice. This makes the Best Jobs service a platform for these scams. To make matters worse, Best Jobs tells users, on one hand, that it will not make their email addresses available to third parties (although this seems to be precisely what it is doing) and, on the other hand, that it will disclose users’ email address to agencies and recruiters. It begs the question what its users are consenting to here – disclosure of their email addresses or not? Why the emphasis on email addresses? Because email addresses are the mechanism used to carry out these apparent scams and support further illegal activity.
To make matters even worse for South Africans, Best Jobs is a Scottish company and that means taking action against Best Jobs means doing so in Scotland and in terms of a foreign legal system. The only thing users can do if they are concerned about their privacy is to remove their information from the service and hope it either isn’t being retained or hasn’t been passed along to an unscrupulous third party.
As we pointed out above, a service requires a person’s consent to invade that person’s privacy. This includes collecting and processing that person’s personal information. It also means that the consent should be for specific uses of specific information given people’s rights to determine what information may be collected and what it may be used for.
The question for users is whether they are prepared to use a service which is casual about their personal information? This Best Jobs issue is an excellent reminder of the risks associated with loose practices and poor protection of personal information. As we pointed out in previous posts, the implications of an unauthorised disclosure of personal information can be severe.