Data Protection & Risk Management
The legal implications of practical data management seen through South African technology law.
Pria Chetty, EndCode (endcode.org)
DATA PROTECTION AND RISK MITIGATION
Understanding Data Protection Risks and the Law
CONTEXT:
POPI Priority Issues
IT systems and business tools (enterprise data, (know your) customer data, profiling, analytics, relationship management, financial, health)
Records management policies (creation, retention and destruction of records)
Digital content ownership (users: personal data and intellectual property, rights and obligations)
Database ownership (source of data, use of data, rights and obligations)
Apps ownership (generation of user data: personal data and intellectual property, rights and obligations)
Young people (campaigns involving young people: special treatment of young people)
Recommendations
POPI: Priority Issues
• Getting Serious about PoPI
• Identification of Personal Data impacted and exempted
• Identification of Business Systems impacted
• Identification of Business Processes impacted
• Information Security (Risk and Incident Management)
• Identification of (Vital) Records
• Classification of Records
• Personal Information and Intellectual Property
• Technological Innovation and Privacy
POPI and Advertising and Marketing
• Know Your Customer
• Know Your Channel
• Know Your Platform
• Risks associated with Digital Opportunities
• Risks associated with Innovation Opportunities
• Data Risks Management: Privacy and Intellectual Property (incl. copyright), Information Security and Records Management
IT / IS systems and business tools
• Accountability Principle (s8 POPI)
• Responsible Party to process PI in satisfaction of the conditions of PoPI
"The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself."
Section 8, The Protection of Personal Information Act 4 of 2013
• Processing Limitation (Condition 2 PoPI) and Further Processing for compatible purposes (Condition 4)
• Quality of Information (Condition 5 of PoPI)
IT / IS systems and business tools
• Security Safeguards
• Security measures on integrity and confidentiality of personal information (s19 of PoPI)
• Data under my control has been breached, now what?
• Notification to Data Subject (s22 POPI)
• Notification to Information Regulator (s22 POPI)
• Unauthorised access to data is a crime
"A person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence. A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective is guilty of an offence."
Section 86(1) and (2), Electronic Communications and Transactions Act 25 of 2002
IT systems and the Cloud
• Information processed by Operator or person acting under authority (s20 POPI)
• Security measures regarding information processed by operator (s21 POPI)
• Cross-border transfer policy
5 Conditions of Cross-border Transfer (s72 POPI)
• The third party who receives the information is subject to a law, binding corporate rules or agreement which provide an adequate level of protection that effectively upholds the principles for processing of information that are similar to those in POPI, and includes provisions that are similar to POPI in relation to the further transfer of personal information from the recipient to third parties in a foreign country;
• The person consents to the transfer;
• The transfer is necessary for the performance of a contract between you and the person, or for pre-contractual measures taken at the request of the person whose information is being transferred;
• The transfer is necessary for the conclusion or performance of a contract between you and a third party that is in the interest of the person; or
• The transfer is for the benefit of the person whose information is collected, and it is not reasonably practical to obtain the consent of the person and, if it were reasonably practical to obtain such consent, the data subject would likely give it.
Records Management Policies
• Accountability Principle
• Responsible Party to protect integrity of PI (s8 POPI)
• Outdated information
• Restriction on records (s14 POPI)
• Openness
• Documentation (s17 POPI)
• Access to Personal Information (s23 of PoPI)
• Accuracy & Correction of information
• Restriction of Records (s14 POPI)
• Right to correct PI (s24 POPI)
"A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary."
Section 16, The Protection of Personal Information Act 4 of 2013
• De-identification/Deletion of information
• Exclusion (s6 POPI)
• As soon as no longer authorised to have PI (s14 POPI)
Records Management Policies
• Losing personal information
• Notification to Data Subject & Regulator (s22 POPI)
• International Best Practices for records management
• European Directive on Data Protection
• Right to Access Information Records
• Promotion of Access to Information Act 2 of 2000 (PAIA)
• Data Subject participation (s23 POPI)
Digital Content Ownership
Who Owns Digital Content
• Do you own your own digital content?
"There are not yet statutory laws around ownership of virtual goods, nor is there case law." The Guardian
"In most cases you are effectively leasing the content, not buying it." The Guardian
"You will not transfer your account to anyone without first getting our written permission." Facebook's terms and conditions
Digital Content Ownership
• Should the subject of the digital content own that digital content?
"What are these people going to do with that data? They're going to target you with an ad which makes you feel a bit queasy. Targeted adverts are not the future." Sir Tim Berners-Lee in The Guardian
"If you give [people] the ability to see how [data is] used and you ban its misuse then people are much more happy to open up to their data being used." Sir Tim Berners-Lee in The Guardian
Database Ownership
Databases & Copyright
• Definition of 'literary work' in Copyright Act 98 of 1978 includes compilations stored or embodied in a computer or medium used with a computer (s1)
• Originality in selection or arrangement
• Labour & Skill
• Owner of copyright to database has exclusive rights
Databases & POPI
• Databases of personal information fall under POPI and must be protected by the Responsible Party
• Directories (s70 POPI)
Apps Ownership
Apps & Copyright
• An App is a computer program
"'computer program' means a set of instructions fixed or stored in any manner and which, when used directly or indirectly in a computer, directs its operation to bring about a result"
Section 1, The Copyright Act 98 of 1978
• Computer programs are copyright protected (not patentable)
"Anything which consists of (amongst others) a computer program shall not be an invention for the purposes of this Act"
Section 25(2), The Patents Act 57 of 1978
App Ownership
• Data Protection for Apps
• Owners of an App are responsible for protection of data collected
• Think of all of the information an App can collect about you
• Health & sport monitoring apps
• Medical apps
• Messaging apps
Young People & Data Protection
• POPI – 'Competent Person'
• Protection of Personal Information of children by Responsible Party
"A responsible party may, subject to section 35, not process personal information concerning a child."
Section 34, The Protection of Personal Information Act 4 of 2013
• Exceptions (s35 POPI)
• Consent from the competent person
• Necessary for establishment, exercise or defence of a right or obligation in law
• Necessary to comply with an obligation of international public law
• Historical, statistical or research purposes
Recommendations
• Appointment of Information Officer: Enterprise
• Appointment of a Risk and Compliance Manager: Agencies
• PoPI Audit (Client)
• PoPI Audit (Project)
• Intellectual Property Audit
• Information Security Audit
• Privacy Policy
• Information Security Policy
• Intellectual Property Policy
• Innovation Management
Different rules for different channels, platforms, data sources and applications
References
• http://ico.org.uk/for_organisations/data_protection/security_measures
• http://www.theguardian.com/money/2012/sep/03/do-you-own-your-digital-content
• http://www.theguardian.com/technology/2014/oct/08/sir-tim-berners-lee-speaks-out-on-data-ownership?CMP=ema_827
• http://www.bizcommunity.com/Article/75/542/98352.html
• http://ico.org.uk/Youth