The Protection of Personal Information Act 2013: Personal Information is your business
25.09.14
KOMESHNI PATRICK, TECHNOLOGY LAWYER/DIRECTOR/ENDCODE.ORG
Contents
• Definitions
• Aims
• Exemptions
• Key Role Players for POPI
• 8 Conditions of POPI
• POPI and Consent
• POPI and Notification
• Giving PI Away
• POPI for Business
• PI & Cybercrime
What is Personal Information (PI)? Section 1
• Information relating to an identifiable, living, natural person or an identifiable, existing juristic person
• Race, sex, gender, name, sexual orientation, age, mental health
• Medical, financial, criminal or employment history
• E-mail address, physical address, telephone number, location information, online identifier
• Biometric information
• Personal opinions, views or preferences
• Private correspondence
• Opinions of another individual about the person
• The name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person
What is Special Personal Information? Section 1
• The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of the person
• The criminal behaviour of the person to the extent that such information relates to:
  • The alleged commission by the person of any offence
  • Any proceedings in respect of any offence allegedly committed by the person, or the disposal of such proceedings
What is Processing? Sections 1 and 4 of POPI
Processing means any activity, whether by automatic means or not, concerning personal information, including:
• The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
• Dissemination by means of transmission, distribution or making available in any other form; or
• Merging, linking, as well as restriction, degradation, erasure or destruction of information.
Processing must be for a defined and legitimate purpose that is clear to the data subject (DS) from whom you are collecting the PI.
The Protection of Personal Information Act 4 of 2013 (POPI)
Aims:
• Protection of PI processed by private and public bodies
• Minimum requirements for processing of PI
• Establishment of an Information Regulator
• Codes of Conduct
• Rights protection against SPAM and automated decision-making
• Regulate cross-border flow of PI
Exemptions from POPI
Personal & Household
• Personal address book
• Personal computer
De-identified & cannot be re-identified
• Anonymous surveys
• Course evaluations
Public bodies involved in national security
• Prevention and detection of unlawful activities
• Terrorism, money laundering, offences
Judicial function of a court
• Section 166 of the Constitution
Terrorism
• Terrorist & Related Activities Act 33 of 2004
Journalistic, literary, artistic
• Freedom of Expression (S16 Constitution)
• Codes of Ethics govern PI infringements
Key Role Players for POPI
• Data Subject (DS): the person to whom PI relates
• Responsible Party (RP): a public or private body or any other person which determines the purpose of and means for processing PI
• Operator: a person who processes PI for a RP in terms of a contract or mandate, without coming under the direct authority of that party
• Competent Person: any person legally competent to consent to any action or decision being taken in respect of any matter concerning a child
• Information Regulator: a juristic person established in terms of the Act, accountable to the National Assembly and appointed by the Minister of Justice
8 Conditions of POPI
• Accountability
  • RP to ensure the conditions for lawful processing are met
• Processing Limitation
  • Minimality – adequate, relevant and not excessive
  • Consent, justification, objection
  • Collection directly from the Data Subject
• Purpose Specification
  • Specific, explicitly defined and lawful purpose
  • Records of PI must not be retained longer than is necessary for achieving the purpose
  • Exemption: record required by law, or kept for historical, statistical or research purposes
  • Destroy, delete or de-identify a record of PI once the purpose is achieved
• Further Processing Limitation
  • Further processing must be compatible with the original purpose of collection; if not, consent for further processing is required
• Information Quality
  • RP must take steps to ensure PI is complete, accurate and not misleading
• Openness
  • Records of the processing cycle for operations must be maintained and made available to the DS
  • Obligation on RP to notify the DS upon collection of PI
• Security Safeguards
  • Integrity and confidentiality of PI must be maintained to prevent loss, damage, unauthorised destruction, unlawful access or processing
  • Operator must notify the RP if there are reasonable grounds to believe that the PI was accessed by an unauthorised person, and the RP has to notify the Regulator and the DS
• Data Subject Participation
  • Right to be informed – the DS can request, free of charge, confirmation of whether PI about them is held
  • Where the DS requests a copy of the record, the RP can charge a fee
  • DS can request correction or deletion of PI that is inaccurate, irrelevant, out of date, excessive, incomplete, misleading or unlawfully obtained
POPI and Consent
General Consent (Section 11)
• Consent from DS for processing PI
• Consent can be withdrawn at any time
• Where the DS is a child, consent is needed from a Competent Person
Retention of Records (Section 14(1)(d))
• For records to be retained longer than is needed for achieving the purpose of the data processing, the DS must consent.
Restriction on Processing (Section 14(7))
• The RP must restrict processing of information if:
  • The accuracy is contested by the DS and the RP has to verify the PI
  • The purpose is achieved but the PI is retained for proof
  • The processing is unlawful and the DS requests restriction rather than destruction
  • The DS requests that the PI be transmitted to another automated system
• Restricted PI may only be processed:
  • With the DS's consent or a Competent Person's consent
  • For purposes of proof
  • To protect a right of another natural or legal person
  • For public interest
Further Processing (Section 15(3)(a))
• Further processing of information that is inconsistent with the original purpose of collection can only occur if the DS consents.
Notification of Collection (Section 18(4)(a))
• The DS can consent to not being notified when their information is collected.
Special Personal Information (Section 27)
• The DS must consent to the processing of special personal information.
Religious Beliefs (Section 28(3))
• Information regarding religious or philosophical beliefs can be processed without consent only by religious or spiritual institutions to which the DS belongs.
• Consent from the DS is needed when this data is supplied to third parties.
Trade Union Membership (Section 30(2))
• Information regarding trade union membership can be processed only by the trade union, or its controlling body, to which the DS belongs.
• Consent from the DS is needed when this data is supplied to third parties.
Political Persuasion (Section 31(2))
• Information regarding political persuasion can be processed without consent only by institutions founded on political principles to which the DS belongs.
• Consent from the DS is needed when this data is supplied to third parties.
Information regarding Children (Section 34)
• Processing PI regarding children can only occur with the consent of a person who has legal competency to make decisions regarding that child.
Direct Marketing (Section 69)
• Processing for direct marketing is prohibited unless the DS gives consent.
• To request consent, the RP may approach the DS for consent only once, and only if the DS has not previously withheld consent.
Foreign Country Transfer (Section 72(1))
• RP may not transfer PI to a third party in a foreign country unless the DS has consented, or the transfer benefits the DS, it is impractical to obtain consent and the DS would likely give consent. The foreign country should have processing protection similar to POPI.
Minister's Powers (Section 112(2)(f))
• The Minister has the power to create regulations regarding the manner and form in which the DS's consent must be obtained or requested for direct marketing.
POPI and Notification
Notification to DS when collecting PI (Section 18)
• Notification to DS when collecting personal information
Security measures regarding information processed by Operator (Section 21)
• The Operator must notify the RP immediately where there are reasonable grounds to believe that the personal information of a DS has been accessed or acquired by any unauthorised person
Notification of Security Compromises (Section 22)
• Where there are reasonable grounds to believe that the personal information of a DS has been accessed or acquired by any unauthorised person, the RP must notify the Regulator and the DS
Correction of Personal Information (Section 24)
• The RP must notify a DS who has made a request for correction or deletion of a record of the action taken as a result of such request
Responsible Party to notify Regulator if processing is subject to prior authorisation (Section 58)
• RP must notify and obtain prior authorisation from the Regulator for the following processing:
  • processing for a purpose other than the original purpose as intended at collection
  • processing with the aim of linking the information together with information processed by other responsible parties
  • processing information on criminal behaviour
  • processing information for the purposes of credit reporting, or
  • transferring special PI or the PI of children to a third party in a foreign country that does not provide an adequate level of protection.
Giving Your PI Away
• Shopping online
• Subscribing or registering
• Competitions, prizes, rewards
• Online games and virtual worlds
• Social media
• Online browsing
• Employment
PI typically handed over: name, surname, e-mail address, telephone number, postal address, city, physical address, education, credit card number, ID number
POPI for Business
Sectors: Financial, Education, Transport, Gaming, Social Media, Advertising, Music, Telecoms, Credit, Sports, Mapping, Insurance, IT, Banking, Medical
Personal Information is your Business
POPI for Business
• POPI strategy
• Appoint an Information Officer
• Privacy policy
• Consider who the Data Subjects are; limit the collection type and amount to the purpose
• Third-party transfer
• Cross-border transfer
• Direct marketing practices
• Special Personal Information
• Children's Personal Information
• Directories
POPI for Business
Creating a Business Process
• Obtain consent from the DS to use PI for the specified purpose
• Network security – integrity and safekeeping
• Limit access per business role
• Ensure that there are back-up and business continuity plans
• Access security at all points
• Access to Information procedure (correction, objections to processing, copy of records, identity of third parties who access their PI)
• Procedures for updating details to ensure accuracy and completeness
• Records retention management processes (deletion or de-identification)
• Incident management process
POPI for Business
Well-managed brand
• Strengthens the brand
• Conveys that the business understands its legal obligations to the client
• Builds trust in the brand
POPI for Business
• Privacy infringement
• Loss of intellectual property
• Defamation
• Loss of sensitive information
• Security compromise – issues of national security
• Financial loss
• Potential for litigation
• Brand damage
PI & Cybercrime
• Lloyd's 2013 Risk Index Report: cyber security has moved from 12th position to 3rd position as a global concern to business.
• The 2013 Norton Report: South Africa has the third highest number of cybercrime victims, following Russia and China.
• PwC's Global State of Information Security Survey 2014 reported a rise of 25% in security incidents with a 51% rise in spend on security. Overall, this makes up only 4% of the IT spend.
South Africa's National Cyber Security Policy Framework was passed in March 2012.
18 months later, the Department of Communications appointed the National Cyber Security Advisor in October 2013.
Goal: co-ordinate government actions on cyber security and ensure co-operation between government, the private sector and civil society on addressing cyber threats.
The Electronic Communications and Transactions Act 2002, 9 years later: no cyber inspectors to enforce cyber security.
Wolfpack Information Risk's report, The South African Cyber Threat Barometer 2012/13:
• No national computer security incident response team
• No national response team to co-ordinate a cyber defence strategy
• Annual losses in 3 sectors = R2.65 billion
• India: sponsored training for 500 000 "cyber warriors"
• South Korea: 5000 cyber specialists are developed annually
• United Kingdom: 11 centres established for cyber skills development allied to the universities
• South Africa: ?