Protection of Personal Information Bill (POPI)

Jan 29, 2015

Business

Robert MacLean

A short presentation that focuses on the proposed POPI law, how it impacts businesses, technology, IT depts & the cloud. It was based on a draft so some aspects may have changed.
Transcript
Page 1: Protection of Personal Information Bill (POPI)

Protection of Personal Information Bill

Page 2

Agenda

Going to cover most of the law

Purpose: to give an overview and provide a starting point for further discussion and action

This is not about the Protection of State Information Bill, aka the “Secrecy Bill”

Page 3

Disclaimer

I am not a lawyer (duh) – this is about a law – thus you should have a lawyer check and work with you on this.

We are talking about a bill, not an act.

Not covered:

The legal aspects about the regulator and information protection officers.

Code of conduct aspects.

Unsolicited Electronic Communications aspects.

Page 4

Goal of the bill

To promote the protection of personal information processed by public and private bodies; to introduce information protection principles so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.

Page 5

One Page View

Collect Information: Must collect direct from person. Some exclusions apply.

Process Information: Process means anything. Some limits on what you can process.

Retention: Keep for as short a time as possible.

Deletion: Delete so it is not recoverable.

Security: Reasonable security steps must be taken.

Data Subject Participation: You can find out who has your data. You can change your data.

Notification: Notification must be given if there is loss or damage to data.

Enforcement: Punishments.

Page 6

Timelines

Section 14 of the Constitution: Everyone has a right to privacy

Bill created in 2009

Seven drafts to date

Expected to be enacted in three to six months [1]

Companies will have between six and twelve months to put the law into place.

1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login=true

Page 7

Who this applies to

This is aimed at protecting the information of all citizens of the country – so you!

Any company that processes data, or outsources data to third parties, needs to comply with it.

As all organisations have information on staff, shareholders etc., this means all businesses are affected.

Page 8

Who it doesn’t apply to

Information that:

is non-commercial, and non-governmental or related to household activities;

has been de-identified to the extent that it cannot be re-identified again;

is held by or on behalf of a public body, which involves national security or deals with the identification of the proceeds of unlawful activities and the combating of money laundering activities;

is created exclusively for journalistic purposes.

Page 9

What does it apply to?

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as blocking, degradation, erasure or destruction of information;

Page 10

Processing Limitations

Must process lawfully

Minimal set of data

Relevant data only

Give the purpose

Consent must be given

Required for the conclusion or performance of the contract

You may opt out, at any time, and the processing must stop

Page 11

Impact on the cloud?

Applies to all people & companies that are within South Africa

and

Applies to all people & companies that have systems that do processing in South Africa

Additional consent is needed to store & process data outside of the borders of the country

Page 12

Collecting Information

Has implications for further processing

Must be collected directly from the data subject

Except:

It is in a public record already

The data subject has consented to collection from a third party

Collection from a third party without consent, where it would not prejudice the data subject

Collection from a third party without consent where it is required, for example getting a criminal record from the police

Page 13

Retention

Kept only for the processing

Can be kept for longer if:

Required by law

Required for functions/activities

Agreed to in contract

Historical, statistical or research purposes, provided there are appropriate safeguards

Page 14

Retention for Decision Making

Data must be retained for as long as the law says

If there is no law, for a reasonable period

This is so that access requests can be fulfilled

Page 15

Destruction of Data

Data must be destroyed ASAP

Data must be destroyed in such a way that it cannot be reconstructed

Page 16

Security Measures

Reasonable technical & organisational measures to prevent:

Loss of & damage to data

Unlawful access

What do you need to do?

Identify all risks (internal & external)

Maintain & regularly validate safeguards

Follow generally accepted information security practices

Page 17

Notification of security compromises

Must notify the regulator

Must notify the data subject

Must be done ASAP, except if instructed by SAPS, NIA or the regulator to delay

Notification must be done in one of the following ways:

Mailed to physical or postal address

Emailed

Placed on the web site

Published in the news media

As directed by the regulator

Notification must contain enough information for the data subject to take protective measures

Must, if known, contain the identity of the unauthorised person

Page 18

Data Subject Participation

A data subject, having provided adequate proof of identity, can request, free of charge, whether a company has information on them.

A data subject, having provided adequate proof of identity, can request what the information is & who it has been provided to.

A reasonable cost can be applied, but an estimate must be given first.

Parts can be denied – requires compliance with the grounds set out in PIPA

Page 19

Data Modification

A data subject can request the data to be changed or deleted

The responsible party must comply with it, and provide evidence of it.

Page 20

You may not process parts of information if they relate to:

Children

The data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.

There are reasonable exceptions, for example:

Religion: if the information is being processed by an organisation and the data relates to belonging to that organisation. For example, religious information & churches.

Health: if the organisation is an insurance or medical organisation

Page 21

Notification

The regulator must be notified prior to initial processing; the notification must include:

Name & address of who is using the data

Purpose

Description of data collected

Who the data will be supplied to

If it will leave South Africa

Description of security measures

Page 22

Enforcement

Process: Complaint → Decision of Action → Investigation → Assessment → Enforcement Notice → Appeal

Can issue warrants and do search & seizure

Offences: Obstruction, breach of confidentiality, failure to comply

Penal sanctions: Imprisonment (up to 10 years) and/or fine

Fine: R 10 million [1]

Civil action can also be taken

1. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+Bill

Page 23

Impact on other laws

Amendments & Repeals to:

Promotion of Access to Information Act, 2000

ECT Act, 2002

National Credit Act, 2005

Page 24

Examples

Blackberry with company information left on a train & does not have a PIN. The company is at fault. [1]

Outsourced company doing storage of backups loses the backup medium. The backups contain customer information. The backup is not encrypted. The company is at fault. [2]

1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login=true

2. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+Bill

Page 25

KPMG Cheat Sheet

From: http://www.kpmg.com/ZA/en/IssuesAndInsights/ArticlesPublications/Protection-of-Personal-Information-Bill/Pages/default.aspx

Broken down into the eight principles, with a number of easy-to-answer questions about an organisation that can help it comply.

Page 26

Shortened List

Have someone accountable in the organisation for the management of data, data information policies & managing communication in this regard

Have a document of the data we collect

Detail how & why it was collected, if further processing is needed and when it will be destroyed

Include the why on the documents we use

Educate staff on this

Ensure we have security risk assessments for the data and that reasonable security is in place in all areas

Ensure people have a way to access & update their information