Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preparing For POPI

Andre
August 09, 2015

Preparing For POPI

A general introduction to the Protection of Personal Information Act (South Africa)

Andre

August 09, 2015
Tweet

Other Decks in Business

Transcript

  1. • Long gestation period: – SA lagged behind in developing

    data protection legislation • South African Law Reform Commission (SALRC) (DISCUSSION PAPER 109, Project 124, 2005) – Bill drafted in 2009 – Drew heavily on European model – Went through several revisions – “Hier kom ‘n ding” - Here comes trouble! • Finally signed into law in November 2013 • Archival Platform : Draft code of conduct for archives and records management sector • Special Collections POPI Project BACKGROUND
  2. • The POPI Act is data protection legislation, a term

    of European origin describing a law intended to protect individuals from detriment resulting from the processing of their personal information. • The POPI Act is intended to balance the Constitutional right to privacy with the Constitutional right of access to information. • POPI aims to facilitate the flow of PI in South Africa and across borders. WHAT IS POPI?
  3. PERSONAL INFORMATION Recorded information in any medium about a living,

    identifiable individual or legal entity that may include his or her • name, address, email address, phone number • race, nationality, ethnicity • identifying number, code, symbol • biometrics • educational, financial, criminal, employment history • SPECIAL PI: religion or philosophy of life, political persuasion, health or sexual life, trade union membership, criminal behavior, or unlawful or objectionable conduct DEFINITIONS
  4. PROCESSING The Act defines processing as any operation or activity

    concerning personal information including: The collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation or; Dissemination, transmission, distribution or making accessible; Merging, linking, restricting, degrading, erasing or destroying. DEFINITIONS
  5. The crux of the Act is a set of 8

    conditions which must be complied with if processing is to be fair and lawful. 1. Accountability 2. Processing limitation 3. Purpose specification 4. Further processing limitation 5. Information quality 6. Openness 7. Security safeguards 8. Data subject participation
  6. The “responsible party” is accountable for ensuring compliance CONDITION 1:

    ACCOUNTABILITY INFORMATION REGULATOR POPI/PAIA ‘RESPONSIBLE PARTY’ Information Officer(s) Enforce/monitor Educate/train Investigate Codes of conduct Data Subject
  7. • Personal Information must be processed lawfully and without infringing

    privacy of data subject. • Processing must be minimal, i.e., not excessive given the purpose for which it is processed • Processing may only take place if (11 (1)) – The data subject consents – In pursuance of a contract to which the data subject is a party – The responsible party has a legal duty to process the PI – Processing protects a legitimate interest of the data subject – In pursuance of a legal obligation by a public body – To protect a legitimate interest of the responsible party or a third party CONDITION 2: PROCESSING LIMITATION
  8. • Personal Information must be obtained directly from the data

    subject unless – The information is already public – The data subject has consented to collection of personal information from another source – Collection from another source would not prejudice a legitimate interest of the data subject – Collection from another source is necessary for reasons of national security, crime prevention etc. – Compliance would compromise a lawful purpose of the collection – Compliance is not reasonably practicable in the circumstances of the particular case
  9. • Collection must be for a specific, explicitly defined and

    lawful purpose related to a function of the responsible party, and the data subject must be aware of the purpose and notified. • Retention must not exceed the time period needed to achieve the purpose for which personal information was collected subject to certain exceptions . • Records of personal information may be retained longer than intended purpose requires “for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purpose”. • Destruction/deletion/de-identification of a record must take place as soon as practicably possible once the purpose for which it was collected has been realised. CONDITION 3: PURPOSE SPECIFICATION
  10. • Further processing must be in accordance with or compatible

    with the purpose for which it was collected. • Further processing is not incompatible with the intended purpose of collection if – The data subject consents to further processing – The personal information is part of a public record or has been made public by the data subject – It is necessary for legal/critical reasons or to mitigate a public threat – “The information is used for historical, statistical or research purposes and the responsible party ensures that further processing is carried out solely for such purposes and will not be published in an identifiable form” CONDITION 4: FURTHER PROCESSING LIMITATION
  11. Responsible party must ensure personal information collected is complete, accurate,

    not misleading, and updated where necessary. CONDITION 5: INFORMATION QUALITY
  12. • Responsible party must maintain the documentation of all processing

    operations under its responsibility as required by PAIA sections 14 or 51. • The responsible party must take all reasonable steps to notify data subjects of the information being collected, or the source if not collected from the data subject; the name and address of the responsible party; the purpose of collection; whether or not the supply of information by that data subject is voluntary or mandatory; the consequences of failure to provide the PI; any particular law in terms of which personal information is collected; any intention of transferring the personal information to a 3rd party • Similar exemptions apply as adumbrated under Condition 4 CONDITION 6: OPENNESS
  13. • Responsible party must ensure the integrity and confidentiality of

    personal information in its possession or under its control and prevent loss, damage, destruction or unlawful access to it. • To do so, responsible party must – Identify all reasonably foreseeable internal and external risks – Establish and maintain safeguards against risks – Regularly verify safeguards and update them in light of new risks. • Safeguards governing information processing by an “operator” are to be contractually specified. • Responsible party must notify the Regulator and data subject of any unauthorised access to personal information held by responsible party CONDITION 7: SECURITY SAFEGUARDS
  14. • Data subject has the right to: – Access: A

    data subject may request confirmation of personal information held by a responsible party; confirmation free of charge, detailed information at a fee (23(10(b)). Responsible party may or must refuse if refusal is in terms of PAIA Chapter 4, parts 2 and 3, or sections 30 and 61. Access is in terms of sections 18 and 53 of PAIA. – Correction: A data subject may request a responsible party to correct or delete personal information that is inaccurate, excessive, out of date, incomplete, misleading, or obtained unlawfully, or to destroy personal information if it has been retained beyond the period authorised in terms of section 14. CONDITION 8: DATA SUBJECT PARTICIPATION
  15. EXCLUSIONS GENERAL EXCLUSIONS The Act does not apply to the

    processing of personal information: • In the course of purely personal or household activity; • Information that has been de-identified to the extent that is cannot be re- identified; • On behalf of a public body when it involves national security, defence or public safety, the identifying the financing of terrorist activity, identifying the proceeds of unlawful activity, combatting money laundering, etc.; • By cabinet, provincial executive councils; and • Relating to the judicial functions of a court.
  16. EXCLUSIONS SPECIFIC EXCLUSIONS Public Interest Exclusion The Act takes into

    account the importance of the public interest in the free flow of information and allows this to override the protection of privacy subject to certain provisions. Freedom of Expression Exclusion The Act takes into account the need to reconcile the right to privacy with the right to freedom of expression and does not apply to the processing of personal information used solely for the purposes of journalistic, literary or artistic purposes, providing that, in the case of journalistic purposes, the responsible party is subject to a code of ethics that provides adequate safeguards.
  17. SPECIFIC EXCLUSIONS Research Interests Exclusion The Act makes some exemptions

    for the lawful processing of personal information for historical, statistical or research purposes, provided that: • The responsible party has established adequate safeguards; • Further processing is carried out solely for this purpose; • Processing serves a serious public interest; or • If it would be impossible or disproportionally difficult to ask for consent.
  18. TRANSBORDER FLOW OF INFORMATION A responsible party may not transfer

    personal information to a 3rd party in a foreign country unless – • The 3rd party is subject to a law or agreement similar to that which obtains in this Act, and likewise for any parties to which the personal information is transferred to. • The data subject consents to the transfer • The transfer is in pursuance of a contract between the data subject and the responsible party, or a contract pursued in the interests of the data subject where it is impracticable to seek consent or likely that the data subject would grant consent if sought
  19. PROCESSING OF SPECIAL PERSONAL INFORMATION Responsible party may not process:

    religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information; criminal behaviour of data subject i.t.o. an alleged commission of an offense, or any proceeding i.r.o. alleged offense. General exceptions and exemptions (27(1)(a-f)): • Data subject consents • Processing is necessary for various legal/critical reasons • Processing is for historical, statistical or research purposes to the extent that (a) the public interest is served, and (b) it would be impossible or involve a disproportionate effort to ask for consent; • information has been made public by data subject.
  20. SPECIAL COLLECTIONS POPI PROJECT Phase 1: PI protection gap analysis

    Phase 2: Solution seeking/Risk analysis Phase 3: Develop and implement roadmap