Article: Net1, SASSA and your data – governance, ethics and what you can do about it

31 July 2017

The mess that is the Cash Paymaster Services (CPS), Net1 and South Africa Social Security Agency (SASSA) data debacle serves as a lesson to all of us as business owners, managers and individuals. If you give your data away without securing it, expect your privacy (or that of your customer’s) to be exploited. Right now, the Protection of Personal Information (PoPI) Act provides very little protection, and only the privileged and monied realistically have recourse to civil action. So, how do we as South Africans protect our data?

Attorney Alan Warrener provides a simple answer: “Currently, our legislation is making all the right noises about protection of data and data privacy. However, there’s very little in place that we can rely on to enforce that just yet. Under common law, if you give your data away, it’s gone—the recipient owns it and can do what it likes with it.”

Gary Alleman, MD at Master Data Management, a specialist in information management and data governance, echos that response: “Client data should be protected, and there are several ways of doing so. Rules can be built into the businesses’ data governance, handling policies, and business processes. However, as the digital business realm expands, companies are forming more partnerships to offer services rather than just products to segments of customers. This implies sharing of data, opening a whole new grey area that needs to be addressed by the business and policed by data-smart customers.”

The backstory: SASSA mandated CPS, a subsidiary of Net1, to distribute grants in South Africa. Net1 is alleged to have exploited the grant recipient data to sell loans, insurance, and other products from Net1 companies to vulnerable grant recipients using methods described as ‘ambush marketing’.

Data protection – the key to being data-smart
The first responsibility for the protection of our data lies within each individual. Of course, people need to share their data if they want a loan, a bank account, a vehicle licence, or even a loyalty card. However, we can limit use of that data to that purpose, notes Warrener. Unfortunately, it takes a written contract – an undertaking from the service provider not to use the personal data received for any other purpose – to enforce that. As the actions of SASSA, CPS and Net1 illustrate, it’s time to stop taking such things for granted.

“With the PoPI Act not yet fully promulgated, the only bit of law we can rely on if we feel our data has been exploited is Section 14 of the South African Bill of Rights which notes our Constitutional Right to Privacy. Since the only place you can fight for that is in a civil court the best way to ensure your data will only be used for a specific purpose, is to get it in writing,” Warrener explains.

One would think that if the only way forward for individuals is to “get it in writing”, not a lot of business is going to happen. Yet it does – online and all the time. What restrains companies is the knowledge that abuse of data and privacy will quickly lose them customers. Many online companies do state what they will be doing with our data and the data-smart consumer ensures it’s there. Then again, there are other organisations, often considered trusted entities (like government department, banks, insurance providers) where the promise of privacy is implicit. Yet they omit to provide such an undertaking in online and offline (hardcopy) documents.

Big Data and creepy ‘connected’ data
While many online businesses do explicitly state what they will do with customer data, there are multiple clauses indicating that the data generated by online browsing, purchasing and social interaction will be used. Saying this, it may be in a way that does not directly identify the person. This data, as we know (because we received those pop-up ads and links to naughty sites after viewing that risqué video from cousin Martin) is used to better target marketing at us and our online associates. While we know there are ways to avoid this, many of us live with it because it can be useful. Nevertheless, there’s a fuzzy line between using big data appropriately and using it in an inappropriate, exploitative way.

Alleman adds, “SASSA erred when it gave Net1 and its CPS subsidiary full access to the government database of grant receivers. If data governance principles were in place, SASSA would have ensured that only critical information necessary for payment of the grant was shared with Net1 and CPS. It would also have ensured that use of that data was limited to payments of the grants, that the data was suitably secured, and that it was disposed of when it was no longer required.”

“As a responsible organisation with a trusted relationship with your customers, protecting their data is vital. It’s an unwritten contract but one that PoPI, when it’s promulgated, will make mandatory.”

Understanding the ethics behind your data
When Net1 decided to exploit the SASSA/CPS database for use by its own subsidiary companies, and used its trusted position to get grant recipients to switch up their protected SASSA card for the Net1 EasyPay Everywhere card (on which debit orders could be placed and deductions could be made) there is no question that the decision was highly unethical.

Says Warrener: “While King Code of Corporate Governance offers guidelines for corporate governance and ethics, and companies listed on the Johannesburg Stock Exchange are expected to comply with these guidelines, these cannot always be relied on. In addition, even though companies prefer to be seen as ethical, as it’s important to their investors and stakeholders, there are just as many companies that will, like Net1, bend rules to breaking point.”

In the case of Net1, chances of a grant recipient launching a civil suit are close to zero — it’s simply out of their reach. The impact of selling an expensive loan to an unsophisticated, vulnerable and needy individual can be devastating. And when things go wrong, their recourse is limited. Nor can they rely on the ‘trusted’ entities with which they initially shared their data, to protect their interests. Which is why we need data privacy and security legislation – sooner rather than later.

Some may feel that what CPS and Net1 did in exploiting grant recipients” data to enrich themselves was by no means ethical, yet the ruling of the Constitutional Court did not explicitly say so – it only says they may not do so again, nor may any company taking on the role of grant dispenser in future use the data for any purpose but to pay out the grants.

Constitutional Court ruling sets a precedent
While there was no punitive action taken, this is an important ruling by the highest court in the land. It sets a precedent that will have considerable impact on the rulings of civil and other courts in future.

“The courts in South Africa are very liberal and fiercely independent. There is recognition of the pace of advance across multiple areas, especially digital, and that the law must act to regulate abuse. This is essentially what the PoPI Act aims to do – it expands upon Section 14 of the Bill of Rights, detailing proper use and limitations on use of personal data. However, until this legislation is fully promulgated, it’s up to each of us to protect our own data,” Warrener concludes.