BACKGROUND
data protection legislation
• South African Law Reform Commission (SALRC) (DISCUSSION PAPER 109, Project 124, 2005)
  – Bill drafted in 2009
  – Drew heavily on European model
  – Went through several revisions
  – “Hier kom ‘n ding” - Here comes trouble!
• Finally signed into law in November 2013
• Archival Platform: Draft code of conduct for archives and records management sector
• Special Collections POPI Project
WHAT IS POPI?
of European origin describing a law intended to protect individuals from detriment resulting from the processing of their personal information.
• The POPI Act is intended to balance the Constitutional right to privacy with the Constitutional right of access to information.
• POPI aims to facilitate the flow of PI in South Africa and across borders.
DEFINITIONS
identifiable individual or legal entity that may include his or her
• name, address, email address, phone number
• race, nationality, ethnicity
• identifying number, code, symbol
• biometrics
• educational, financial, criminal, employment history
• SPECIAL PI: religion or philosophy of life, political persuasion, health or sexual life, trade union membership, criminal behavior, or unlawful or objectionable conduct
DEFINITIONS
concerning personal information including:
• The collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation or;
• Dissemination, transmission, distribution or making accessible;
• Merging, linking, restricting, degrading, erasing or destroying.
conditions which must be complied with if processing is to be fair and lawful.
1. Accountability
2. Processing limitation
3. Purpose specification
4. Further processing limitation
5. Information quality
6. Openness
7. Security safeguards
8. Data subject participation
ACCOUNTABILITY
[Diagram labels: Information Regulator; POPI/PAIA; ‘Responsible Party’; Information Officer(s); Enforce/monitor; Educate/train; Investigate; Codes of conduct; Data Subject]
CONDITION 2: PROCESSING LIMITATION
privacy of data subject.
• Processing must be minimal, i.e., not excessive given the purpose for which it is processed
• Processing may only take place if (11 (1))
  – The data subject consents
  – In pursuance of a contract to which the data subject is a party
  – The responsible party has a legal duty to process the PI
  – Processing protects a legitimate interest of the data subject
  – In pursuance of a legal obligation by a public body
  – To protect a legitimate interest of the responsible party or a third party
subject unless
  – The information is already public
  – The data subject has consented to collection of personal information from another source
  – Collection from another source would not prejudice a legitimate interest of the data subject
  – Collection from another source is necessary for reasons of national security, crime prevention etc.
  – Compliance would compromise a lawful purpose of the collection
  – Compliance is not reasonably practicable in the circumstances of the particular case
CONDITION 3: PURPOSE SPECIFICATION
lawful purpose related to a function of the responsible party, and the data subject must be aware of the purpose and notified.
• Retention must not exceed the time period needed to achieve the purpose for which personal information was collected, subject to certain exceptions.
• Records of personal information may be retained longer than the intended purpose requires “for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purpose”.
• Destruction/deletion/de-identification of a record must take place as soon as practicably possible once the purpose for which it was collected has been realised.
CONDITION 4: FURTHER PROCESSING LIMITATION
with the purpose for which it was collected.
• Further processing is not incompatible with the intended purpose of collection if
  – The data subject consents to further processing
  – The personal information is part of a public record or has been made public by the data subject
  – It is necessary for legal/critical reasons or to mitigate a public threat
  – “The information is used for historical, statistical or research purposes and the responsible party ensures that further processing is carried out solely for such purposes and will not be published in an identifiable form”
CONDITION 6: OPENNESS
operations under its responsibility as required by PAIA sections 14 or 51.
• The responsible party must take all reasonable steps to notify data subjects of
  – the information being collected, or the source if not collected from the data subject;
  – the name and address of the responsible party;
  – the purpose of collection;
  – whether or not the supply of information by that data subject is voluntary or mandatory;
  – the consequences of failure to provide the PI;
  – any particular law in terms of which personal information is collected;
  – any intention of transferring the personal information to a 3rd party
• Similar exemptions apply as adumbrated under Condition 4
CONDITION 7: SECURITY SAFEGUARDS
personal information in its possession or under its control and prevent loss, damage, destruction or unlawful access to it.
• To do so, responsible party must
  – Identify all reasonably foreseeable internal and external risks
  – Establish and maintain safeguards against risks
  – Regularly verify safeguards and update them in light of new risks.
• Safeguards governing information processing by an “operator” are to be contractually specified.
• Responsible party must notify the Regulator and data subject of any unauthorised access to personal information held by responsible party
CONDITION 8: DATA SUBJECT PARTICIPATION
data subject may request confirmation of personal information held by a responsible party; confirmation free of charge, detailed information at a fee (23(10(b)). Responsible party may or must refuse if refusal is in terms of PAIA Chapter 4, parts 2 and 3, or sections 30 and 61. Access is in terms of sections 18 and 53 of PAIA.
  – Correction: A data subject may request a responsible party to correct or delete personal information that is inaccurate, excessive, out of date, incomplete, misleading, or obtained unlawfully, or to destroy personal information if it has been retained beyond the period authorised in terms of section 14.
processing of personal information:
• In the course of purely personal or household activity;
• Information that has been de-identified to the extent that it cannot be re-identified;
• On behalf of a public body when it involves national security, defence or public safety, identifying the financing of terrorist activity, identifying the proceeds of unlawful activity, combatting money laundering, etc.;
• By cabinet, provincial executive councils; and
• Relating to the judicial functions of a court.
account the importance of the public interest in the free flow of information and allows this to override the protection of privacy subject to certain provisions.

Freedom of Expression Exclusion
The Act takes into account the need to reconcile the right to privacy with the right to freedom of expression and does not apply to the processing of personal information used solely for journalistic, literary or artistic purposes, provided that, in the case of journalistic purposes, the responsible party is subject to a code of ethics that provides adequate safeguards.
for the lawful processing of personal information for historical, statistical or research purposes, provided that:
• The responsible party has established adequate safeguards;
• Further processing is carried out solely for this purpose;
• Processing serves a serious public interest; or
• If it would be impossible or disproportionally difficult to ask for consent.
personal information to a 3rd party in a foreign country unless –
• The 3rd party is subject to a law or agreement similar to that which obtains in this Act, and likewise for any parties to which the personal information is transferred.
• The data subject consents to the transfer
• The transfer is in pursuance of a contract between the data subject and the responsible party, or a contract pursued in the interests of the data subject where it is impracticable to seek consent or likely that the data subject would grant consent if sought
religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information; criminal behaviour of data subject in terms of an alleged commission of an offense, or any proceeding in respect of an alleged offense.

General exceptions and exemptions (27(1)(a-f)):
• Data subject consents
• Processing is necessary for various legal/critical reasons
• Processing is for historical, statistical or research purposes to the extent that (a) the public interest is served, and (b) it would be impossible or involve a disproportionate effort to ask for consent;
• Information has been made public by data subject.