The information legislation (PAIA, POPI, RICA) awareness of undergraduate university students: A longitudinal study

information privacy concepts dates back to the privacy baseline in 1945, the first era of contemporary privacy development in 1961, the second era of privacy development in 1980 and the third era of privacy development in 1990. The concept that the fourth era of information privacy compliance laws is preparing users for the fourth industrial revolution (4IR) is evident with the Background: Governmental legislation directs and guides the manner in which organisations and individuals manage their information. This has a direct impact on the development of organsiational policy and procedures. An individual’s awareness of such legislation is of utmost importance in order to understand how individuals use information. Objective: The research problem is focussed on the awareness of information legislation by average South African first year student. The study goes on to further investigate how awareness impacts the manner in which users apply the knowledge to everyday use of their personal information. Methods: The study utilised a mono-method and quantitative methodological framework. The data collection instrument was a survey in the form of a questionnaire. The survey was conducted amongst 2017 undergraduate student and repeated in 2018. Results: The young adult demographic, of which the sample of undergraduate university students, findings indicated that the increase in awareness of Protection of Personal Information, Promotion of Access to Information and Regulation of Interception of Communication Act legislative acts directly impacted the students’ ability to manage and share their information more strategically. Students’ knowledge of the acceptance of the acts into legislation was not of great importance; however, the use of the acts concerning their personal information proved to be of greater significance. Conclusion: The study’s findings confirmed that the sample had been introduced to the idea of information legislation and that their awareness of the legislation does in most cases affect their use and management of their personal information. It also revealed that an in-depth knowledge of the legislation was not a necessity rather an overall understanding of the legislation was important. Recommendations for future studies arose from the study.


Introduction
The urgent need to comply with legislative acts that are passed by the South African government is imposing the shift, on the average South African organisation to ensure that they are up to date with the new laws. South Africa Institute of Chartered Accountants (SAICA 2017) saw the appointment of the information regulator by the South African government in December 2016. It forced industry to develop its need to comply with the Protection of Personal Information (POPI) Act. Mansfield-Devine (2008) indicated that Web 2.0 is largely impacted by the notion that user generated and site owners and operators are not fully in control of the content rendered by their sites. With Facebook, Twitter, Instagram, Linkedin, becoming the most popular social network sites of choice for the sharing of one's information, it is evident that privacy of one's information is of utmost importance (Tankovska 2021).
The Guardian (2020) reported on how social media giant twitter experienced a major security breach of 36 public figures accounts on 15 July 2020. O'Brien (2020) reported on the Shropshire council data breach wherein 250 emails were exposed. According to Westin (2003), the evolution of the information privacy concepts dates back to the privacy baseline in 1945, the first era of contemporary privacy development in 1961, the second era of privacy development in 1980 and the third era of privacy development in 1990. The concept that the fourth era of information privacy compliance laws is preparing users for the fourth industrial revolution (4IR) is evident with the development of new technologies and more so governments are seeking to regulate privacy of information use.
The 4IR has introduced its nine pillars: internet of things (IoT), big data and analytics, cloud computing, social media, augmented reality, autonomous robots, simulation and horizontal and vertical system integration (Eslamzadeh, Jassbi & Cruz-Machado 2020:160). This development in the nine pillars is forcing people to not only become aware of their privacy but also create awareness and concern about the threat of the violation of their privacy. The encumbered risks of divulging personal information in an online space is undoubtedly one of the largest threats that users face in the light of Web 2.0. Developing the average user's awareness of the various legislative acts that have been passed into law, to protect their information and privacy on the dawn of the 4IR is at the core of this article. The increased levels of awareness of privacy amongst users, will indirectly force them to examine the overall experience of the privacy of their information. This concept of data privacy inside the 4IR is supported by the World Economic Forum in 2018 (World Economic Forum 2018).
There are many legislative acts that have been passed into law by the South African government. Some of the acts stipulate how organisations should seek to address the governance of the information that is collected, stored and accessed. These acts govern the manner in which organisations must seek to manage the general and personal information of South Africans.

Background to research problem
Data theft is a crime that is experienced globally. The European Business News (2018) reported that 39% of European businesses have been victim to data theft, and they pay exorbitant amounts per attack. This directly affects the manner in which Europe now identifies and manages the use of its data. Shillibeer (2018) quoted David Williamson, the CEO of Efficient IP stating the following: New regulation made it necessary for every organisation to ensure the data they keep is secure. Surprisingly, our research shows European companies have invested the least globally in technology, which can prevent data theft. This could be a reason as to why the region had the most data stolen. In the year ahead, it will be interesting to see how European companies will prevent data theft and avoid regulatory fines.
According to the IBM (2016) global analysis, data breaches cost companies exorbitant amounts of money, with South African companies experiencing a total average of $1.87 million loss in 2016. Pahnila, Siponen and Mahmood (2007) correlated this to employees' awareness and inability to comply with policy and procedure. Schilder, Brusselaers and Bogaerts (2016) study revealed that increased awareness linked to lower online risk behavior. George-Jackson and Gast (2014), identified the link between awareness and preparedness.
The study clearly reveals, 'Information and awareness are often precursors to behaviour and preparation'.
With organisations now being forced to comply with legislation, it is of utmost importance that there is an awareness about the said legislation. The typical information legislation seeks to instruct organisations on the proper conduct when gathering, storing, sharing, using and even destroying information. Three such legislative acts include POPI, Promotion of Access to Information Act (PAIA) and Regulation of Interception of Communication Act (RICA).
According to POPI (2013) organisations behaviour in the processing of another entity's personal information must be conducted in a responsible manner. As such, these organisations must seek to comply with the legislative regulations or else they would face legal action. Promotion of Access to Information Act (2000) was signed into law to exercise the constitution's bill to ensure that information held by the state and information held by private bodies are accessible in the protection of the rights of South Africans. (2002) came into effect in 2005, and it warrants law enforcement the authority to regulate and intercept the communication to prevent criminals from using cellular devices and networks for illegal activities.

Regulation of Interception of Communication Act
Companies seek to comply with legislation by incorporating legislative acts into the organistional policies. These policies are filtered down through management. According to Adu-Oppang and Agyin-Birikorang (2014) for organisations to develop effectively, administrator's awareness of the value of what they are communicating must be present.
Awareness of information legislation, need not always begin within the organisation, thus the concept of, is the average university student knowledgeable of legislation and more so does the awareness change the behaviour when using information.
The research problem is focussed on the information legislation awareness of users, with the unit of observation being the first year information management students of the University of Johannesburg. The students in this sample typically fell within the 18-25 year age group.

University students' awareness of information legislation
Whilst maintaining ones information privacy in a society that is believed to be caught up in the social media lifestyle, it is perceived that the young generation is unaware of matters such as information privacy and information transparency (Hoofnagle et al. 2010:1).
Social media platforms are required to comply with information privacy and transparency laws, both globally and as per the country's legislation. Within the Republic of South Africa this would include POPI and PAIA.
As the young people are exposed to social media platforms, they are forced to agree with information privacy and transparency terms and conditions. Thus, increasing the chances that young people are in some way aware of their legislation that guides the privacy terms and conditions (Nkosi 2011): The number of mobile phone users in South Africa who've registered their network connection or sim cards in accordance with the new Regulation of Interception of Communication Act (RICA) has jumped to over 37-million.
It indicates that 95% of South Africans are RICA registered. As many young people have access to a cellular device, there is an expectation that they have become aware of the RICA legislation.

Research methodology
The quantitative research design was best suited for this study, with the survey utilising the form of a questionnaire. The quantitative research design serves as a tool that allows for consistency in the study. The positivist philosophical paradigm allowed natural relationships to be revealed through the data.
A deductive research approach was used that allowed the researcher to extrapolate conclusions based on the accepted facts. The questionnaire was utilised as the data collection tool.
The methodological framework in this study was monomethod quantitative. This was used to investigate which information-related legislation students were aware of and how their awareness affected their use of information. A convenience sampling technique was used in this study through access to the first year information and knowledge management students over a 2 year longitudinal period. All findings were represented in a quantitative format, typically represented in graphs. The study employed the use of a preintervention and a post-intervention data collection method. An information legislation intervention was also conducted.
The survey used in the 2017 study was not modified for the purpose of comparing results longitudinally. The survey was rolled out to the first year information management 2018 students. In both years the survey was deployed in a hard copy form to the information and knowledge management undergraduate first year students at the University of Johannesburg.
The questionnaire consisted of 23 questions and a general comments option. All questions were delivered in a multiplechoice style, allowing students the opportunity to choose an appropriate answer.
The findings of the 2017 survey were presented at the Academy of World Business Marketing Development Conference in Athens, Greece. The findings of the 2018 survey were presented at the ECKM 20th European conference on Knowledge Management in Portugal. This article will compare and discuss the findings of these two data collection instances.
Convenience sampling according to Saunders, Lewis and Thorhill (2012:176) are samples that are characteristically based on ease of access because of the researchers' familiarity to the sample. Non-probability convenience sampling was adopted as the sampling technique for both collection instances. According to Kumar (2014:242) non-convenience, probability sampling is an appropriate approach bearing the quantitative nature of the study's research method.
The University of Johannesburg's information and knowledge management first year undergraduate students formed the object of observation. In both 2017 and 2018, the survey was made available to the students twice in the first 6-month semester. In both instances, a physical survey was handed out in class.

Findings
Respondents were asked to indicate whether they were aware of the following acts: POPI, PAIA and RICA. The questions were posed to indicate if respondents were firstly aware of the acts by their acronym, next they were engaged with whether or not they knew when the acts were signed into law and finally questions addressing the respondents understanding of the acts and how the acts affected the use of their information.
For the year 2017, there was a total population of 347 information and knowledge management first year students on the main campus. In Figure 1, the following is evident: there were 195 respondents in the pre-intervention and 175 respondents in the post-intervention, respectively. There were 32 surveys, which could not be used. In 2017, 402 surveys were administered. For the year 2018, there was a total population of 262 information and knowledge management first year students on the main campus. The year 2018 saw a decrease in numbers, with a total of 240 surveys being administered, of which only 83 were usable in the pre-intervention and 81 in the post-intervention. A total of 76 surveys were unusable.  The pre-intervention responses to the acronyms POPI, PAIA and RICA are identified ( Figure 2) and the postintervention responses to the acronyms POPI, PAIA and RICA are depicted (Figure 3).
For the pre-intervention (Figure 2), it was evident that the respondents showed a clear lack of awareness of the mention of the acronyms, 2017 saw a larger number of students lack of awareness of the affiliated acronym POPI. With 90% respondents incapable of identifying POPI as the correct acronym for the POPI, similarly 2018 saw a majority of respondents being unaware of the acronym POPI. With 64% respondents indicating the incorrect answer for the acronym clearly showed that both 2017 and 2018 respondents had very little to no knowledge to even hearing about the POPI Act.
For the acronym PAIA, it is evident that 67% respondents were not aware of the acronym in 2017; similarly 2018 saw 78% respondents who were not aware of the acronym PAIA.
For the acronym RICA, the pre-intervention reveals that in both 2017 and 2018 the respondents' were mostly unaware of RICA. A total of 62% of respondents in 2017 and 66% of respondents in 2018 were unable to link the acronym to the correct title.   The general trend that is reflected from the findings concerning the acronym is that majority of individuals do not necessarily come into contact with the acronyms in their everyday living. This brings to attention the concern that the acronyms are generally the first point of contact that is made with the act. With the respondents being first-year university students, Figure 2 indicates that the majority of young adults were not exposed to the information-related acts acronyms. By not being aware of the acts, exposes the first-year student to matter of data anomalies when dealing with the protection and sharing of their data.
The indication of the respondents' knowledge of the acronyms post-intervention results for POPI, PAIA and RICA is depicted (Figure 3). After the intervention was conducted, the 2018 respondents showed 98% awareness of the acronym POPI and the 2017 respondents showed a 90% awareness of the acronym.
The post-intervention results for the year 2017 revealed that 70% of the respondents were aware of acronym PAIA and 77% of the respondents were aware of this acronym in 2018.
For 2017, the RICA acronym post-intervention revealed that an astounding 87% respondents improved knowledge of the affiliated RICA acronym and in 2018 a remarkable increase to 78% improved knowledge of the affiliated acronym. This indicated a clear development in the respondents' awareness of the affiliated acronym.
The respondents' pre-intervention knowledge of the Acts (POPI, PAIA and RICA) acceptance into the South African legislation is depicted (Figure 4). The post-interventions of respondents' knowledge with the basic acceptance of the POPI, PAIA and RICA Acts into the South African legislation are depicted ( Figure 5). This question was posed to identify the depth of knowledge individuals paid to the legislation that directs the use of their information.
For 2017 and 2018, Figure 4 reveals a similar trend that as much as respondents' may have heard about the Act, they knew very little about when the acts were accepted into law.
With 2017 seeing 93% of respondents and 2018 reflected 69% of respondents' lack of knowledge of when the POPI Act was accepted into legislation.
The respondents' basic pre-knowledge of the acceptance of the PAIA Act into legislation is poor. This is evident as 2017 reflects 87% of respondents and 2018 shows 75% of respondents not knowing when the promotion of access to information had become part of their legal rights.
Findings reveal that respondents took little to no interest in the acceptance of RICA into legislation. With 92% of respondents' in 2017 and 71% of respondents' not knowing in which year RICA was accepted into law.
It is evident that as much as the acts are influencing the average South Africans, many do not take time to read up and become knowledgeable about the acts.

Regulation of Interception of Communication Act was an
interesting Act to note as many of the respondents' would have been exposed to this act upon the purchase of a cellular Subscriber Identification Module (SIM) card, or even inquiry of the purchase of a cellular SIM card within the Republic of South Africa. As such it is clear that the average respondent merely accepts the terms and conditions and very rarely reads up on the act itself.  The basic knowledge of the POPI Act being accepted into legislation sees substantial change. An increased knowledge between the 2 years is revealed ( Figure 5). The year 2017 shows 96% of respondents and 2018 post intervention shows 81% of respondents' knowledge of POPI legislation. An interesting observation is that the intervention was successful in matters concerning basic knowledge of the act being accepted as an Act of the South African legislation. The respondents' practical knowledge of application of POPI, PAIA and RICA for pre-intervention and post-intervention is depicted ( Figure 6 and Figure 7).
The POPI pre-intervention results were something to take note of because in both years the pre-knowledge about this Act was very high. It indicated that respondents were highly aware of the idea of protecting their information. In 2017, 71% of respondents were unable to correctly indicate the proper application of the POPI Act. In 2018, 65% of respondents were able to correctly indicate the proper application of the POPI act. The results indicate that respondents came into contact with the concept of protecting their information, it was often enough to make the link to POPI.
For the PAIA pre-intervention, in 2017 a total of 73% of respondents indicated an incorrect understanding of PAIA, and in 2018, 82% of respondents indicated they did not know how to correctly apply PAIA.
The application of RICA is of significant interest as the likeliness of respondents' coming into contact with this Act is very high. A total of 60% of respondents in 2017 indicated a poor understanding of the application of RICA and 40% of respondents showed they were able to understand the application of RICA. An interesting shift is seen in 2018, with 94% of respondents indicating they knew the application of RICA and 6% of respondents showed they did not understand how RICA is applied.
The impact of the intervention on respondents who were already quite knowledgeable about the application of POPI is revealed (Figure 7). In both 2017 and 2018, there was a majority of respondent whose knowledge was increased in terms of how POPI is applied. In 2017, 68% of respondents' understood how POPI is applied and in 2018, 90% of respondents were knowledgeable about how to apply POPI.
There is a clear difference in the 2018 responses as 90% respondents revealed their new found understanding of the application of POPI.
The post-intervention application for 2017 revealed that 72% of respondents indicated the correct application of PAIA. The impact of the 2018 intervention could be seen as a failure, with 51% of respondents not being able to apply PAIA and 49% of respondents acknowledging the proper way to apply PAIA.
The 2017 RICA post-intervention reflected as follows: 51% of respondents were unable to apply RICA correctly and 49% of respondents showed a good understanding of RICA application. The year 2018, saw 96% of respondents with a POPI, Protection of Personal Information; PAIA, Promotion of Access to Information Act; RICA, Regulation of Interception of Communication Act. new found knowledge on the application of RICA and a minor 4% still unable to apply RICA correctly.

Discussion
The comparative analysis was drawn as such the following was evident. Here is a comparison between the correct answers between the pre-intervention and the post-intervention as per the acronym, the year and the application. The general trend concerning the acronym can be clearly defined as the following: Protection of Personal Information acronym showed a positive 80% for 2017 and a 64% difference between the preand post-intervention.
Promotion of Access to Information Act acronym showed a positive difference of 37% for 2017 and a 55% difference for 2018.
Regulation of Interception of Communication Act acronym revealed a positive difference of 49% for 2017 and 44% difference for 2018.
The acronyms are generally seen as the first point of contact that individuals would make with the legislation acts. Thus, it is the assumption that if one has a general introduction to the acronyms, it would lead to some form of understanding of the act. The acronym is successful as they are related to the cause, function and meaning (Aronson 2014).   When looking at the trends concerning the ability of respondents to correctly apply the acts, the following differences were presented: The application of the POPI act revealed a positive 39% difference for 2017 and a 25% positive difference for 2018.
The application for the PAIA act revealed a positive 45% difference for 2017 and a 31% positive difference for 2018.
Concerning the application of the RICA act, although a small difference of 9% for 2017 and a minor 2% for 2018, 2018 proved that respondents were far more informed about RICA and 2017. It was also evident that in 2017 the intervention had not been as successful as for POPI and PAIA. Ornstein and Hunkins (2018) indicated that sound, rational content and activities are criteria for successful policy implementation. An improved application knowledge would be best achieved by introducing sound activities. Furthermore, Chukwuemeka and Ikechukwu (2013) pointed out the importance that creating clarity as many students may have distinct interpretations of policy objectives, which is clearly evident as many of the respondents have their own interpretations of the application of the various acts.
The trends presented by the findings in relation to respondents' vested interest into the information-related acts in terms of the year the acts were approved into legislation are as follows: Protection of Personal Information year shows a remarkable 89% positive difference for 2017 and substantial 50% positive difference for 2018.
Promotion of Access to Information Act year shows a positive 81% difference for 2017 and a positive 55% difference for 2018.

Regulation of Interception of Communication Act
year reveals a substantial positive difference of 83% for 2017 and a positive 56% difference for 2018. Although respondents were comfortable with knowing the implementation date, it had little effect on their ability to practically apply the information to their information needs. Improving the knowledge about the legislation proves futile as the application requires practical scenarios to ensure that awareness is not just linked to basic information but rather one's ability to have application knowledge. This will serve individuals and in so doing serve society.
In addition, it is imperative that effective public awareness of the acts become a central theme for the South African public. According to Hortan (2015), there are many different strategies that can be used to develop awareness: ranging from engaging media, developing key messages, ensuring that staff and volunteers are knowledgeable so as to always be sharing the same message, making use of social media, websites and even print material to spread the message.
The nature of the longitudinal study was set out to identify the knowledge base of undergraduate university students concerning the following information Acts: POPI, PAIA and RICA. The analysis of the data from the two samples, surveyed in 2017 and the other in 2018, it was found that in the pre-intervention the 2017 group of students had been exposed to the acts and had a greater knowledge compared with the pre-intervention students in 2018.

Conclusion and recommendations
The intervention in 2018 yielded positive outcomes in terms of the acronym pre-intervention. The impact of the intervention was largely positive for POPI and PAIA.
Overlooking the three acts, the act that students were most aware of was POPI. Students revealed that they were aware of the acronym POPI and were able to apply it correctly. The students' knowledge of when the act was accepted into legislation was not something important to them.
This was a finding for all three acts that students did not find the need to know the in-depth knowledge of when the acts were accepted into legislation; rather they were primarily focussed on being aware of the acts and acknowledging how to apply the acts to their personal use of information.
The findings support this notion in the sense that the awareness and exposure to the acronyms and the application of the acts are by far the greater need than having an in-depth knowledge of the legislature acceptance of the act.
It was also worth noting that for both 2017 and 2018, there was a small group of respondents who did have in-depth knowledge and awareness of the acts. This indicated that students were exposed to the concepts of information protection, information transparency and the regulation of information by the government.
The expectation that awareness around RICA would be much higher amongst the demographic of 'young adults' use of mobile devices is quite high was surprisingly the opposite. The reason for this expectation is because of the fact that upon purchasing a mobile device, a cellular network requests that the cellular device follows the protocol to ensure that it complies with RICA. The chances of the users being knowledgeable about RICA should be higher. For both 2017 and 2018, it was evident that for the acronym, the year and the application, the students lacked awareness.
The government should better strategise when looking to develop the knowledge base and awareness of young people and when dealing with their understanding and use of information. Young people are forced to manage their information once they are recognised at the age of 18 as adults, as such their awareness of the manner in which they gather, store and share their personal information is imperative when seeking to conduct business in the information age.
The value that is brought by this study is the application awareness sets itself as the core to how individuals understand and use the legislation that is linked to information usage. The information management sector need not just know about the legislation, but rather they should seek to understand how to implement information legislation in the work space.
The study still possesses some unanswered questions, such as the awareness versus everyday application of the acts. For example, with POPI, students may be aware of POPI; however, the question is how do they apply their knowledge with the information privacy acceptance of downloading apps onto cellular devices, accepting information privacy terms and conditions on social media platforms.
The nature of the study can in future be presented to the older age groups and it could further branch out to more information-specific usage environments.