The Information Regulator and the Banking Association of South Africa (Basa) has called for input on a new code of conduct around the processing of personal information by the country’s banks.
The draft code of conduct states that many of South Africa’s banks are part of a group of companies that offer financial products and services, as well as non-financial products and services.
These can fall outside the scope of banking products and services and include telecommunications, loyalty rewards, roadside assistance, insurance, and shares among others, Basa said.
This could lead to situations where banks use a customer’s personal information from one area, in other areas of their operations.
To address these and other issues, the code of conduct provides specific rules around how data should be processed and how it can be used.
The code of conduct outlines when a bank is allowed to contact you through direct marketing, how and what consent must be given by customers, and any information that must be included in direct marketing plans.
It states that a bank may obtain consent for unsolicited electronic direct marketing via any form of electronic communication or non-electronic communication. A bank will request your consent by:
- Addressing you in a formal or informal mode;
- Including its contact details (such as an address, contact number or email address);
- Referring to the products, goods, or services the consent relates to;
- Giving examples of the forms of the electronic communication to which the consent relates;
- Including the date; and
- Include a requirement for you to sign or accept.
Criminal or biometric information
The code of conduct states that a bank may process your criminal or biometric information for the following reasons:
- The Department of Home Affairs is the custodian of the Home Affairs National Identity System (HANIS). HANIS may be used by member banks to verify your identity online by placing your finger on a biometric reader which will read your finger against the Department of Home Affairs’ database.
- The Southern African Fraud Prevention Service (SAFPS) is a non-profit company committed to combating fraud across the financial services industry by providing a shared database to member organisations as well as offering the South African public a means of protecting themselves against impersonation and identity theft. Banks report and file cases of confirmed or suspected fraud onto the database held by SAFPS.
A customer’s race or ethnic origin
The processing of the personal information concerning a data subject’s race or ethnic origin, may occur if the processing is carried out to:
- Identify data subjects only when this is essential for that purpose;
- Comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.
Some of the legislation which may require this special personal information include the Home Loans and Mortgage Disclosure Act and the Broad-Based Black Economic Empowerment Act.
Opening and managing the accounts of minors
A bank will allow a minor over the age of 16 years and under the age of 18 who is not emancipated or married, to make a deposit at a bank without requiring the consent or assistance of a parent or guardian.
Such minors can therefore without the consent or assistance of a competent person, execute all necessary documents, give all necessary acquittances and cede, pledge, borrow against, and generally deal with, that minor’s deposit as the minor thinks fit; and will enjoy all the privileges and be liable to all the obligations and conditions applicable to depositors.
What you can ask
A customer, having provided adequate proof of identity, has the right to request, free of charge, whether or not a bank holds personal information about them.
They can also request from the record or a description of the personal information being held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
Customers may also ask a bank to correct or delete personal information about them that is in the bank’s possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.