Privacy is a fundamental human right, and while new technologies come with many valuable benefits, they also create new challenges for the protection of personal information. As a provider of these technologies, we have an obligation to protect individuals from intentional or unintentional disclosure or misuse of personal information.
Vodacom has a dedicated privacy officer (Executive Director: Regulatory Affairs) and we have various policies, procedures and processes in place to ensure that information is not unlawfully disclosed. Some of the control mechanisms we use include:
- Audit trails in all systems that interface with the customer or handling of customer information;
- An Access Monitoring Policy that discourages unlawful access and / or disclosure of customers’ information;
- Deterrence of potential perpetrators by adopting strict disciplinary action regarding issues of invasion/breach of customer information; and
- Regular trade bulletins and electronic newsletters to alert employees and trade partners regarding confidentiality of customer information.
This is also provided for in the Group’s disciplinary policy and code and a zero tolerance approach is followed regarding policy transgression. Our employees cannot intercept calls, SMSs or any other type of messages sent from one person to another. This information may be intercepted only if properly authorised in terms of the provisions of the RICA.
The South African Protection of Personal Information Draft Act (2005) was approved in August 2009. Vodacom made a submission on the draft act as published by the Department of Justice and Constitutional Development in 2005, prior to its tabling in parliament. The version that was tabled in parliament in 2009 addressed all the key concerns raised by Vodacom on the initial draft. Negotiations for the establishment of an industry forum are now at an early stage. Given the multitude of licensed entities in the sector and the need to make the process more manageable, the current discussions have been initiated at the level of infrastructure-based licensees.
Wireless Application Service Providers (WASPs)
Due to the potential infringement of customer privacy associated with the use of location-based services (LBS), Vodacom SA has instituted strict guidelines for its provision to WASPs. Providers must undergo an audit process prior to the approval of the deployment of LBS and users have to consent to being tracked (please see the section on ‘Content Standards/Protecting vulnerable users’). The Wireless Application Service Providers Association (WASPA), the industry regulator, also has its own rigorous adjudication and due diligence processes which it follows and has, for example, suspended two service providers who may no longer operate in South Africa as a result. These measures have restricted the violation of privacy rules on the Vodacom network.
Vodacom is also a signatory to the Code of Conduct for Cellular Operators in South Africa which commits us to adhere to certain standards, ensuring protection of consumers against harmful behaviour by WASPs using the Group’s network. We measure the extent of violations of these rules and aim for zero incidents. During the last financial year, there were 12 proven incidents.
Commercial business partners are now in the process of implementing technical solutions to address compliance to business rules as these are not always adhered to by rogue operators. Vodacom SA has teams of testers who check WASP services for quality and compliance, and report cases of non-compliance.
We provide training to all customer-facing employees as well as service providers on our privacy policies and how to deal with incidences of non-compliance. Staff are required to adhere to strict rules and procedures when dealing with customer information. Training on the provisions of the Access to Information Act is also provided.
Other local markets
In Mozambique, a privacy policy is being developed which should be implemented during the course of 2010/11. In addition, the process of identifying a Board director (with responsibility for reporting to the Board on privacy-related matters and risks), and a Privacy Officer (with day-to-day responsibility for implementing operational structures, processes and measures), is underway. Employees are trained on the importance of protecting privacy and on the proper access to, use and disclosure of customer information. Under current security practices and policies, access to personally identifiable information is authorised only for those who have a business need for such access.
The Tanzanian Communications (Consumer Protection) Regulations of 2005 governs privacy and client confidentiality issues. The company issues information upon request by law enforcement agencies and penalties are imposed for any violations.