MANY companies will need at least three years to fully comply with the Protection of Personal Information Bill once it becomes law. But the time allowed to become compliant is only one year.

The purpose of the legislation is to safeguard personal information by regulating the manner in which it may be processed, retained and destroyed. It is a replica of the European Union's (EU's) data protection directive. The bill is set to come into force within a couple of months.

Daniella Kafouris, senior manager of risk advisory at Deloitte, says legislation protecting the personal information of citizens and companies is not new and exists in countries such as Canada, Australia, Hong Kong, and in the EU.

"We are taking the next step (with the act) to align ourselves with our international counterparts. Several countries are not prepared to share information if they are not assured by legislation such as Protection of Personal Information Bill that the security and integrity of personal information will be protected."

She says compliance is good for SA as it will facilitate international trade. Countries that have the legislation are reluctant to trade with those that do not have it.

The bill is expected to come into force in the first quarter of next year. Legal experts who have assessed the amount of work that needs to be done say companies should not underestimate what is needed to achieve compliance.

The processing and safeguarding of personal information cover the life cycle of the information. Therefore, the compliance period is quite lengthy, says Ms Kafouris.

"Most companies will need a compliance period of one to three years. One year will not be enough and it is uncertain whether there will be an extension." The act does allow for an extension by the minister, but it is limited to three years.

Ms Kafouris says companies should look at the principles of the act, and see it as an opportunity to begin a fresh relationship with their clients, allowing them to update their data and to engage in data cleansing.

The aim of the legislation is to provide persons with rights and remedies to protect their personal information. However, many people have been quite generous with some of their confidential information, which means there is little that is not already in the public domain.

However, individuals have the right to request a public or private body to correct or delete personal information about themselves that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been obtained unlawfully.

Ms Kafouris says there always will be private and public bodies that obtain and use personal information illegally. "Dustbin raiders" create identities by rummaging through the waste of companies that have not shredded their documents.

The introduction of legislation to protect personal information, she says, is not only the right thing to do, but because of the huge increase in cyber crime it has become a necessity.

The bill deals with the correct way to destroy or "de-identify" information to minimise identity theft. The act describes "de-identification" as destroying information to such an extent that it cannot be reconstituted.

Statistics from the National Fraud Authority in the UK show that identity theft costs that country £2,7bn a year.

Emma Sadleir, associate director at law firm Webber Wentzel, says several companies, such as banks and enterprises involved in healthcare, have made an effort to comply.

"There is a lot of work to be done by companies, but ultimately it is good for consumers, who will have the assurance of protection through legislation."

Ms Sadleir says the legislation requires a public or private entity to ensure that an individual or company is aware of the purpose for which the information will be processed and retained.

Companies will have to reassess their policies and processes so that they may have appropriate security measures in place to safeguard the confidentiality, integrity and availability of information collected, Ms Sadleir says.

The legislation provides for civil claims where individuals' rights have been infringed.

Ms Kafouris says that it is very difficult to determine the cost of compliance for companies as there are " pockets of excellence" where firms are already compliant.

But in some cases the gap between compliance and noncompliance is huge and will need sufficient time and resources to bridge, she says.

vissera@bdfm.co.za