Nedbank’s Biometric Bungle exposes Personal Info Bill shortcomings.

South Africa’s constitution may have guarantees against the invasion of one’s body in addition to strong privacy protections, but corporations perceive a future in which articles 12 and 14 will be amended by simple legislation. Nedbank, for instance, has already installed biometric scanning equipment in the expectation of the imminent passing of the so-called “Protection of Personal Information Bill” (POPI), a piece of post-RICA and 911 legislation drawn up by government securocrats that could open the doorway to intrusive gathering of biometric information by private companies under the pretext of new privacy protections in the “interests of the consumer”.

Rights Violation?

The new bill may authorise “a responsible party” to process personal information, even if that processing is “in breach of an information protection principle.” According to the Bill, ‘biometric’ data means “a technique of personal identification that is based on physical characteristics, including fingerprinting, DNA analysis, retinal scanning and voice recognition.”

Although already aware of the bill due to my ongoing lobby work for the People’s Health Movement and the Right2Know Campaign (I have submitted concerns related to the problem of securing patient records under the new NHI), I only became aware of the breadth of the new legislation being contemplated by our government upon encountering Nedbank’s Guardian system during the festive season.

The bank has already rolled out its biometric fingerprinting and security device “pursuant to legislation” being passed.

The issue of consent, which is also covered by the proposed act, proved a lot trickier to navigate than Nedbank had contemplated.

Upon entering the double-door security system, which is de rigueur even at the post office, I was assaulted by the new Guardian system, which at the time had been programmed to bar entry unless one “consented” to being fingerprinted and photographed.

I immediately objected and complained to management. Surely this was a violation of my constitutional rights, a biometric assault in fact, that could in no way imply consent?

After numerous phone calls and a few tweets, I received the following letter, in which it appears Nedbank capitulates; customers will be requested to use the system on a voluntary basis for the time being, at least until the legislation is passed:

We refer to your complaint regarding the use of fingerprints at Nedbank branches in the Nedbank Guardian biometric system, in particular during your visit to Nedbank Salt River on 21 November 2011, and advise as follows.

You are correct in stating that the Constitution provides a right to privacy for all citizens.

As is indicated on the poster wording outside the Nedbank Salt River branch door, use of the Nedbank Guardian system is optional, however, and you may enter a participating Nedbank branch whether you choose to provide your fingerprints or not. Should you not wish to provide your fingerprints, you are welcome to speak to the security guard on duty or contact branch management. Branch management will then arrange for your access to the branch, as is also indicated on the poster wording outside the Nedbank Salt River branch door.

The wording in the notices placed on posters at Nedbank branch doors is based on the wording of the Protection of Personal Information Bill (“the Bill”). The Bill has not been enacted yet, but Nedbank is already striving to embrace the spirit of the Bill by using the appropriate wording in anticipation of this enactment.

Consent would be required for the use of biometrics at branch after enactment of the Bill, since other exemptions in the Bill which would allow Nedbank to process personal information without consent would not necessarily apply to the processing of personal information of visitors to its branches.

“Consent” is defined in the Bill as “… any voluntary, specific and informed expression of will….” This would include cases in which visitors voluntarily elect to enter participating branches and provide their fingerprints.

The sole purpose of the fingerprinting is to match the identity of visitors to branches with records kept by the Department of Home Affairs, and will only be disclosed to the Department of Home Affairs, the South African Police Service, the South African Fraud Prevention Services, and to Nedbank’s security services providers, or when Nedbank is compelled under law to disclose this information to other parties.

We confirm that Nedbank Guardian records and stores biometric data and photographs of visitors to the branch confidentially and in accordance with applicable legislation.

Nedbank Guardian uses the Advanced Encryption Standard specification for the encryption of electronic data, and we attach a link in the event that you would like to obtain more information in this regard:

Nedbank will not sell your personal information to third parties.

Nedbank strives to provide the best customer service possible, and to protect its clients and members of the public against criminal activities. It is with this in mind that it has introduced the Nedbank Guardian biometric system at branch doors.

We trust that our response is satisfactory to you.

If not, please do not hesitate to contact the undersigned so that we can follow up on this matter.

Yours sincerely

Edwin Smerdon

Read the Bill