Data Protection & Risk Management

PRIA CHETTY, ENDCODER / ENDCODE.ORG
DATA PROTECTION AND RISK MITIGATION
Understanding Data Protection Risks and the Law

Upload: endcodeorg
Post on 20-Jun-2015
Category: Law

DESCRIPTION

The legal implications of practical data management seen through South African technology law.

TRANSCRIPT

Page 1: Data Protection & Risk Management

PRIA CHETTY, ENDCODER / ENDCODE.ORG
DATA PROTECTION AND RISK MITIGATION
Understanding Data Protection Risks and the Law

Page 2: Data Protection & Risk Management

CONTEXT: POPI Priority Issues

• IT systems and business tools (enterprise data, (know your) customer data, profiling, analytics, relationship management, financial, health)
• Records management policies (creation, retention and destruction of records)
• Digital content ownership (users: personal data and intellectual property, rights and obligations)
• Database ownership (source of data, use of data, rights and obligations)
• Apps ownership (generation of user data: personal data and intellectual property, rights and obligations)
• Young people (campaigns involving young people: special treatment of young people)
• Recommendations

Page 3: Data Protection & Risk Management

POPI: Priority Issues

Page 4: Data Protection & Risk Management

POPI: Priority Issues

• Getting Serious about PoPI
• Identification of Personal Data impacted and exempted
• Identification of Business Systems impacted
• Identification of Business Processes impacted
• Information Security (Risk and Incident Management)
• Identification of (Vital) Records
• Classification of Records
• Personal Information and Intellectual Property
• Technological Innovation and Privacy

Page 5: Data Protection & Risk Management

POPI and Advertising and Marketing

• Know Your Customer
• Know Your Channel
• Know Your Platform
• Risks associated with Digital Opportunities
• Risks associated with Innovation Opportunities
• Data Risks Management: Privacy and Intellectual Property (incl. copyright), Information Security and Records Management

Page 6: Data Protection & Risk Management

IT / IS systems and business tools

• Accountability Principle (s8 POPI)
• Responsible Party to process PI in satisfaction of conditions of PoPI

"The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself." Section 8, The Protection of Personal Information Act 4 of 2013

• Processing Limitation (Condition 2 PoPI) and Further Processing for compatible purposes (Condition 4)
• Quality of Information (Condition 5 of PoPI)

Page 7: Data Protection & Risk Management

IT / IS systems and business tools

• Security Safeguards
• Security measures on integrity and confidentiality of personal information (s19 of PoPI)
• Data under my control has been breached, now what?
• Notification to Data Subject (s22 POPI)
• Notification to Information Regulator (s22 POPI)
• Unauthorised access to data is a crime

"A person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence. A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective is guilty of an offence." Section 86(1) and (2), Electronic Communications and Transactions Act 25 of 2002

Page 8: Data Protection & Risk Management

IT systems and the Cloud

• Information processed by Operator or person acting under authority
• Security measures regarding information processed by operator
• Cross-border transfer policy

5 Conditions of Cross-border Transfer (s72 POPI)

• The third party who receives the information is subject to a law, binding corporate rules or agreement which provide an adequate level of protection that effectively upholds the principles for processing of information that are similar to those in POPI, and includes provisions that are similar to POPI in relation to the further transfer of personal information from the recipient to third parties in a foreign country;
• The person consents to the transfer;
• The transfer is necessary for the performance of a contract between you and the person, or for pre-contractual measures taken at the request of the person whose information is being transferred;
• The transfer is necessary for the conclusion or performance of a contract between you and a third party that is in the interest of the person; or
• The transfer is for the benefit of the person whose information is collected, and it is not reasonably practical to obtain the consent of the person and, if it were reasonably practical to obtain such consent, the data subject would likely give it.

Page 9: Data Protection & Risk Management

Records Management Policies

• Accountability Principle
• Responsible Party to protect integrity of PI (s8 POPI)
• Outdated information
• Restriction on records (s14 POPI)
• Openness
• Documentation (s17)
• Access to Personal Information (s23 of PoPI)
• Accuracy & Correction of information
• Restriction of Records (s14 POPI)
• Right to correct PI (s24 POPI)

"A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary." Section 16, The Protection of Personal Information Act 4 of 2013

• De-identification/Deletion of information
• Exclusion (s6 POPI)
• As soon as no longer authorised to have PI (s14 POPI)

Page 10: Data Protection & Risk Management

Records Management Policies

• Losing personal information
• Notification to Data Subject & Regulator (s22 POPI)
• International Best Practices for records management
• European Directive on Data Protection
• Right to Access Information Records
• Promotion of Access to Information Act 2 of 2000 (PAIA)
• Data Subject participation (s23 POPI)

Page 11: Data Protection & Risk Management

Digital Content Ownership

Who Owns Digital Content

• Do you own your own digital content?

"There are not yet statutory laws around ownership of virtual goods, nor is there case law." The Guardian

"In most cases you are effectively leasing the content, not buying it." The Guardian

"You will not transfer your account to anyone without first getting our written permission." Facebook's terms and conditions

Page 12: Data Protection & Risk Management

Digital Content Ownership

• Should the subject of the digital content own their own digital content?

"What are these people going to do with that data? They're going to target you with an ad which makes you feel a bit queasy. Targeted adverts are not the future." Sir Tim Berners-Lee in The Guardian

"If you give [people] the ability to see how [data is] used and you ban its misuse then people are much more happy to open up to their data being used." Sir Tim Berners-Lee in The Guardian

Page 13: Data Protection & Risk Management

Database Ownership

Databases & Copyright

• Definition of 'literary work' in Copyright Act 98 of 1978 includes compilations stored or embodied in a computer or medium used with a computer (s1)
• Originality in selection or arrangement
• Labour & Skill
• Owner of copyright to database has exclusive rights

Databases & POPI

• Databases of personal information fall under POPI and must be protected by the Responsible Party
• Directories (s70 POPI)

Page 14: Data Protection & Risk Management

Apps Ownership

https://www.flickr.com/photos/jasonahowie/

Page 15: Data Protection & Risk Management

Apps Ownership

Apps & Copyright

• An App is a computer program

"'computer program' means a set of instructions fixed or stored in any manner and which, when used directly or indirectly in a computer, directs its operation to bring about a result" Section 1, The Copyright Act 98 of 1978

• Computer programs are copyright protected (not patentable)

"Anything which consists of (amongst others) a computer program shall not be an invention for the purposes of this Act" Section 25(2), The Patents Act 57 of 1978

Page 16: Data Protection & Risk Management

App Ownership

• Data Protection for Apps
• Owners of App are responsible for protection of data collected
• Think of all of the information an App can collect about you
• Health & sport monitoring apps
• Medical apps
• Messaging apps

Page 17: Data Protection & Risk Management

Young People & Data Protection

https://www.flickr.com/photos/malias/

Page 18: Data Protection & Risk Management

Young People & Data Protection

• POPI – 'Competent Person'
• Protection of Personal information of children by Responsible Party

"A responsible party may, subject to section 35, not process personal information concerning a child." Section 34, The Protection of Personal Information Act 4 of 2013

• Exceptions (s35 POPI)
• Consent from the competent person
• Necessary for establishment, exercise or defence of a right or obligation in law
• Necessary to comply with an obligation of international public law
• Historical, statistical or research purposes

Page 19: Data Protection & Risk Management

Recommendations

• Appointment of Information Officer: Enterprise
• Appointment of a Risk and Compliance Manager: Agencies
• PoPI Audit (Client)
• PoPI Audit (Project)
• Intellectual Property Audit
• Information Security Audit
• Privacy Policy
• Information Security Policy
• Intellectual Property Policy
• Innovation Management

Different rules for different channels, platforms, data sources and applications

Page 20: Data Protection & Risk Management

Pria [email protected]

endcode.org

THANKS, QUESTIONS?