Identity Theft - a broad overview of recent and impending South African legislation

Identity theft 
It is trite that identity theft is the fastest growing fraudulent activity in the world. 

Identity theft occurs when someone uses your personal information without your knowledge or consent. This information is invariably used to commit a crime such as fraud or theft. 

Over time, various kinds of identity theft have been identified such as: 

Phishing / Spear Phishing: Using targeted, false but convincing e-mails and web sites to trick people into disclosing their sensitive personal information, by pretending to be someone or some institution they are not.

Vishing: Use of the telephone to trick victims into releasing sensitive data, also known as "voice phishing", is one of the latest forms of identity theft.

Malware: This includes the use of any malicious spyware program that infiltrates or damages your computer system without your consent, usually in order to steal your information.

Pharming: Scammers install malicious code on your personal computer or server that misdirects you to a fraudulent web site without your knowledge or consent.

All these schemes are designed to obtain personal information which is used for financial gain or criminal purposes. Other common forms of identity theft include driver's licence identity theft, medical identity theft and character/criminal identity theft. 

In South Africa, during the 2009 general election, a gruesome form of identity theft manifested itself. People arrived at polling stations to cast their votes only to be told that according to the national population register they were "deceased". Fraudsters had been stealing ID numbers and personal information and thereafter registering people as dead, in order to benefit from insurance policies.

Costs to the banking industry 

A 2005 Cape Argus report stated that South African banks lost approximately R83 million to fraudsters using stolen or copied IDs, whilst a 2008 Mercury Business Report stated that identity theft could be costing South Africa more than R1 billion per annum.

According to a 2007 study in the United States, nearly 150 million consumers avoid online banking because of the immense fear of identity theft. The study showed that the banking industry could possibly improve revenue by as much as 8,3 billion dollars per year if institutions were able to establish consumer confidence in online transactions.

The Regulation of Interception of Communications Act ("RICA")

From the 1st of July 2009, "RICA" was implemented in South Africa. It requires everyone who has an active cellular phone number or purchases a new prepaid starter pack to register their SIM cards. All current and new contract, top-up and pre-paid customers are required to register their SIM cards with their network provider.

When registering a SIM card, persons are required to have their cell phone numbers, full names and surnames, identity number or passport number handy. A document that includes the SIM card holder's name and residential address (e.g. bank statement or retail account, etc) will be required to confirm proof of residence. 

In terms of RICA, network providers have been given 12 months to register customers, put in place systems for the interception of cell phone communication, cut service to clients using their networks but whose information they failed to obtain within the 12 month grace period and provide for penalties for non-compliance.

Prior to the introduction of RICA, criminals could purchase as many SIM cards as they liked without being required to provide an address. Once they had obtained a person's personal banking details via a phishing scam, criminals could block that person's cell phone, acquire a fresh SIM card from a cell phone provider and then intercept the one-time password generated by the bank, allowing the fraudsters access to the victim's bank account. Once everyone is RICA compliant this avenue will be closed to criminals. The whole idea is to make it harder for criminals to use mobile phones to commit crime.

Protection of Personal Information Bill ("the Bill")

Technology and methods conducive to fraud have increased exponentially over the past decade. Sophisticated duplicating facilities such as colour copiers, high definition scanners and colour printers are more accessible and generally available worldwide, making it easier for criminals to commit identity theft or falsify electronic information and documents.

There have also been allegations that some employees of organisations that require ID photocopies for transactions were stealing other people's identities to buy goods fraudulently or to open bank accounts where stolen money was deposited and cashed. Working from the premise that responsibility for identity protection rests with the organisations that capture and store personal data, the South African authorities have proposed the Protection of Personal Information Bill.

The Bill was tabled in the South African Parliament on 24 August 2009. The main objectives of the Bill are to promote the protection of personal information processed by public and private bodies. The Bill regulates the processing of personal information of any individual or juristic entity (data subject) by a responsible party and will apply to almost all private and public sector bodies. A "responsible party" is defined as a public or private body or any other person who, alone or in conjunction with others, determines the purpose of and the means for processing personal information. The responsible party must implement appropriate technical and organisational measures to safeguard personal information against loss, damage or unlawful access.

Personal information is broadly defined and includes almost any form of information capable of identifying a person, whether a natural person or an existing juristic person. It includes information about a person's race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth, information relating to a person's education or medical, financial, criminal or employment history, ID number, symbol, e-mail address, physical address, telephone number, blood type, etc. Controversially, it also includes personal opinions, and the views or opinions of another individual about the person.

Processing means any operation concerning personal information, including the collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, degradation, erasure or destruction of information. The Bill deals with both the automatic and manual processing of information.

The Bill introduces information protection principles so as to establish minimum requirements for the processing of personal information. The legislation prohibits any institution from divulging personal information without good reason. Institutions are no longer allowed to sell lists of personal information, especially to telemarketers, and each person on such a list must first be contacted and their permission obtained before their information may be sold.

The Bill also provides for the establishment of an Information Protection Regulator, the issuing of codes of conduct, the rights of persons regarding unsolicited electronic communications and automated decision-making, and the regulation of the flow of personal information across the borders of the Republic.

The Bill thus seeks to balance the protection of the right to privacy with regard to the processing of personal information against other rights such as the right of access to information. The Bill aims to give effect to the right to privacy, by introducing measures to ensure that the personal information of an individual (data subject) is safeguarded when it is processed by responsible parties. The Bill also aims to balance the right to privacy against other rights, particularly the right of access to information, and to generally protect important interests including the free flow of information within and across the borders of the Republic.

The Bill does not apply to the processing of personal information:

  • for personal or household activities
  • exclusively for journalistic purposes
  • in the interests of national security, defence or public safety or the prevention, investigation or proof of offences
  • by the cabinet and its committees, the executive council of a province and a municipal council of a municipality
  • relating to the judicial functions of a court referred to in section 166 of the Constitution of the Republic of South Africa
  • where the information has been exempted from the application of the provisions of the Bill.

Records must be destroyed, deleted or "de-identified" after their retention is no longer authorised in terms of the Bill. This must be done in a manner which prevents the reconstruction of the information in an intelligible form. 

Conclusion
The introduction of RICA and, in due course, the Protection of Personal Information Bill, will make it considerably harder for criminals to commit crime in South Africa.

Ombudsman for Banking Services 
September 2009