GDS International - CIO - Summit - Africa - 2


Published on

The Protection of Personal Information Bill: The journey to implement

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

GDS International - CIO - Summit - Africa - 2

  1. 1. The protection of personal information bill: The journey to implementationNovember 2011
  2. 2. Table of contents1. Executive summary 12. Research for this white paper 23. Purpose of the Bill 34. Analysis of the conditions for processing 45. Conditions for processing of information by third parties 66. Implementation considerations 87. The Regulator 218. Applying experience from other countries in South Africa 239. Conclusion 3010. About the authors 3111. About the PwC Privacy Team 3212. Other members of the PwC Privacy Team 3313. Contacts 34 PwC
  3. 3. The Protection of Personal Information Bill: The Journey to Implementation
  4. 4. 1. Executive summaryOpen any newspaper or news website, and the chances are regard becoming compliant with the Bill as being high onthat you will find a report on someone’s right to personal their agendas, and they should be starting their privacyprivacy being infringed, or yet another intrusion through programmes as soon as organisation’s security systems with credit card or otherfinancial information being stolen. With the rise of free The purpose of this white paper is two-fold. We wouldflow of information over the internet, the popularity of like to draw attention to some of the potential challengessocial media, increasing identity theft and other intrusions we have noted in the Bill, as well as to aspects of the Billon the privacy of individuals, governments world-wide that we believe need to be given further clarity, eitherhave become increasingly concerned with the purposes through changing the language used in the Bill, or throughfor which organisations collect personal information, providing guidance in the form of Regulations or otherwhy they keep it, and how they protect it. The position in guidance documents. We have surveyed a selection ofSouth Africa is no different, and consumers in South Africa organisations in South Africa to gather their views onshould be welcoming the impending Protection of Personal various aspects of the Bill, and it is clear from the responsesInformation Bill (PoPI or the Bill). that we have received that there are some areas in the Bill that should be clarified through the Regulations.Although there are some disadvantages in lagging behind As organisations begin their privacy programmes, someother countries in adopting privacy legislation, one major areas will start to be viewed as standard business practice,advantage is that the South African legislators have been which will further provide meaning to some of the moreable to draw on the models developed and experience vague aspects. The second purpose for this white paper isacquired in other countries, selecting the best of the best to share with organisations and the Technical Committeefor our privacy legislation. The challenge for organisations, responsible for drafting the Bill some of the challenges thathowever, is that complying with the requirements of the are likely to be faced when it comes to operationalising thePoPI Bill is going to have a significant impact on the way Bill’s requirements. A particularly noteworthy result fromthey do business. In our discussions with our PwC subject our survey is that many organisations face a long journeymatter experts on privacy in different jurisdictions, the to becoming compliant with the Bill’s requirements. Someopinion throughout has been that the PoPI Bill is the of the larger financial institutions and telecommunicationsmost comprehensive piece of privacy legislation in the organisations have begun with their privacy programmesworld at the moment, and the burden of complying with and a few are relatively advanced, but even theseit is going to be a difficult one, particularly for small to organisations are concerned that they may not be able tomedium businesses. For organisations with complex complete their programmes in time for the deadline forbusiness processes who gather multiple types of personal compliance. The lack of readiness is a major concern, andinformation, the road to compliance is going to be much those organisations who have yet to begin their journey arelonger and more challenging. Regardless of the size likely to find themselves facing some unexpected obstaclesof the organisation, boards and management need to in the road. The key message for all organisations is that you need to start your compliance process immediately. PwC 1
  5. 5. 2. Research for this white paperIn preparing this white paper, we surveyed selected We also consulted with our PwC colleagues in otherorganisations, who participated from August to October jurisdictions who are subject matter experts on privacy2011 either by face to face interview, or through in their countries, and included their views in this whitecompleting a questionnaire. The sectors represented paper.include: This white paper is based on the draft Protection of• Financial services; Personal Information Bill dated 26 October 2011.• Public sector;• Entertainment and gaming;• Telecommunications;• Retail;• Manufacturing; and• Agriculture.2 The Protection of Personal Information Bill: The Journey to Implementation
  6. 6. 3. Purpose of the BillRampant developments in information and communication The Bill arises from international developments withtechnologies, globalisation, and the pursuance of regard to data protection regulation around the globe.electronic trade across the world have afforded For South Africa to continue trading effectively with otherinformation a strategic value. Moreover, information that countries, regulation such as this is essential. Consequently,is able to profile or identify a person or their interests the purpose of the legislation is two-fold, enhancing localoffers added strategic value as organisations compete for privacy regulation as well as prescribing data protectionthe attention of consumers. Over time, individual rights of practices in South Africa that are harmonised withprivacy and confidentiality have become more and more international practices.neglected, giving way to less than acceptable informationmanagement practices and rising identity theft, fraud, and Drawing from the detail in the Bill, it emerges that theother harm stemming from the unauthorised use of an Bill is cognisant of two stark realities of privacy – whileindividual’s personal information. The constitutional right privacy is a theme that permeates global society andto privacy in section 14 of the Bill of Rights of the South business endeavour, at the same time variations inAfrican Constitution has to date been a largely inaccessible industry data protection practices must be accommodatedright. in the regulation of privacy. As a result, the Bill includes conditions for how personal information is shared withThe PoPI Bill is aimed at giving effect to South African third parties (both within South Africa and outside itscitizens’ constitutional right to privacy. The Bill achieves borders). It also gives authority to industry codes ofthis through: conduct that will expand and clarify the data protection landscape of unique industries, taking into account the• Providing for the rights of data subjects with regard to sometimes unique requirements of industries such as their ability to protect their personal information as it is healthcare or financial services. processed by public or private bodies, as well as giving data subjects remedies they can use should those rights Finally, the Bill pursues a balanced approach to the be infringed. protection of personal information, mandating due regard for the justifiable limitations of the right to privacy, the• Providing a framework that sets out the minimum need to secure the interests of free flow of information conditions that must be met when personal information and managing the tensions between the rights of access to is processed by organisations, whether they are public or information and protection of personal information. private.• Establishing an Information Protection Regulator, whose primary purposes will be to promote awareness of the rights of data subjects when it comes to protecting their personal information, as well as enforcing the requirements of the Bill. PwC 3
  7. 7. 4. Analysis of the conditions for processingThe 8 conditions of the Bill are closely aligned with the 5. Information qualityprinciples of data protection that have emerged in theinternational privacy regulatory setting. These principles • Ensuring quality of informationare: 6. Openness1. Accountability • Notification to the Regulator • The responsible party to ensure conditions for • Notification to the data subject when collecting lawful processing personal information2. Processing limitation 7. Security safeguards • Lawfulness of processing • Security measures on integrity of personal • Right to privacy information • Consent, justification and objection • Information only to be processed by an operator or • Collection directly from the data subject person acting under authority • Security measures regarding information3. Purpose specification processed by operator • Collection for a specific purpose • Notification of security compromises • Appropriate retention of records 8. Data subject participation4. Further processing limitation • Access to personal information • Further processing to be compatible with the • Correction of personal information purpose of collection • The manner of access4 The Protection of Personal Information Bill: The Journey to Implementation
  8. 8. Historically, the Organization for Economic Cooperation principles of data protection contained in the Europeanand Development (OECD) compiled “Recommendations Union’s Data Protection Directive remain aligned with theof the Council Concerning Guidelines Governing the OECD principles which in turn correspond largely withProtection of Privacy and Trans-Border Flows of Personal those set out in the Bill. This general approach is alsoData”. The recommendations contained seven data prevalent in the UK and Hong principles for the governance of personalinformation. These included several principles that In contrast to the general approach, the United Statescorrespond with the conditions contained in the PoPI Bill, however has opted for an industry specific “sectoral” dataincluding, inter alia: protection regulatory approach. The regulation includes legislation, and self regulation. Whilst the US does not• Purpose specification: the information is only to be used have a single data protection law, legislation is linked to for a specified purpose; the needs of industry and circumstance (e.g. the Gramm- Leach-Bliley Act, the Health Insurance Portability and• Security: personal information is to be kept secure to Accountability Act and the 2010 Massachusetts Data mitigate security incidents that result in unauthorised Privacy Regulations). use of the information; In developing South Africa’s legislation, the South African• Access: provision is made for data subjects to be able Law Reform Commission looked at the approaches taken access and correct their information; and primarily in Canada, the European Union, the United Kingdom and the Asia-Pacific region (which includes• Accountability: collectors of the information are to be Australia). In addition to these, the influence of other held accountable for their data protection practices and countries’ legislation can also be seen, such as the United failures. States. Thus, South Africa’s approach may be described as a hybrid of the pure regulation and the self regulationFurther to the OECD recommendations, data protection approaches. The Bill provides for industry codes ofregulation has emerged prominently in Europe and the conduct that will offer a measure of self regulation of data protection further to the information protection principles. PwC 5
  9. 9. 5. Conditions for processing of information by third partiesThird parties outside South Africa Failing which, the responsible party must show that (i) the data subject has consented to the transfer; (ii) the relevantThe Bill establishes requirements for the transfer of transfer is necessary for the performance of a contractpersonal information to a third party outside South Africa. between the data subject and the responsible party, or forThe responsible party must for instance evaluate whether the implementation of pre-contractual measures taken inthe third party recipient country’s laws are substantially response to the data subject’s request; (iii) the transfer issimilar to and serve the same purpose as the PoPI Bill, or necessary for the conclusion or performance of a contractthe third party is subject to a code of conduct that provides concluded in the interest of the data subject between theadequate protection of the personal information received. responsible party and a third party; or (iv) the transfer is otherwise for the benefit of the data subject, subject to certain conditions. The diagram below exhibits the conditions for transferring personal information outside of South Africa. In order to transfer information outside South Africa, at least one of these conditions must be met: A The foreign organisation is subject to a law, contract or code that offers adequate data protection to data subjects (both in terms of SA principles and the conditions of any further transfer by the organisation of the data subject’s information to another cross border party) B The data subject provides consent to the transfer C The transfer is necessary for the performance of a contract between the South African organsiation and the data subject (or pre-contract procedures at the data subject’s request) D The transfer is necessary for the performance of a contract between a South African organisation and a foreign organisation in the interest of the data subject E The transfer benefits the data subject (consent was not obtained but would have been obtained if practicable)6 The Protection of Personal Information Bill: The Journey to Implementation
  10. 10. Internationally there have been several debates • The service provider will need to be able to provide asurrounding such conditions, particularly whether such level of assurance to the South African organisationan approach is overly cumbersome or produces adverse that unauthorised persons cannot access the personalimpact on international trade. Locally the practical information processed by the organisation. This maychallenges to enforcing this section are likely to be a matter take the form of, for example, an independent reportof inquiry by the Regulator. indicating that the service provider has adequate security measures in place.Further complications faced by South African organisationsconcern those relating to cloud computing. Manyorganisations are considering cloud computing for a Third parties within South Africanumber of reasons, but when it comes to the conditions for Many organisations in South Africa choose to outsourcetrans-border flows of information, the cloud computing certain aspects of the processing of personal informationmodel provides some challenges. Organisations will need to third parties. In such circumstances, organisations needto consider: to bear in mind that they still remain the “responsible party”, regardless of who is processing the information.• Where the data is being held, in other words, where While the onus is on the operator to comply with certain the servers are physically located. If the servers are in requirements laid out by the Bill, oversight of the operator’s a jurisdiction that does not have similar privacy laws, activities remains with the responsible party. transacting with the organisation providing the cloud computing services may be problematic, unless the A particular difficulty is the one faced by organisations South African organisation is able to draw up a contract whose business model revolves around databases of with the provider that includes requirements similar to contact information for the purposes of marketing those of the PoPI Bill. various products and services. This amounts to “further processing” as defined by the PoPI Bill, and we foresee that• The Bill requires the responsible party to ensure that this may be the subject of challenges in the courts. there is a “reasonable” level of security over the personal information processed. This does not only refer to the storage of the information, but also its transmission. Therefore, organisations considering cloud computing will also need to consider how the data will be encrypted so that even if it is intercepted during transmission, the interceptor will be unable to access it. PwC 7
  11. 11. 6. Implementation considerationsFrom the perspective of a Privacy Officer, looking to implement thecurrent (as of this writing) draft of the Bill, we can anticipate anumber of challenges. Below we have described some of the challengesas we see them, together with our suggestions of how organisationsmight go about handling them.Broad scope of definition ofpersonal informationA key challenge associated with the definition of “personal to an identifiable person, including but not limited to theinformation” is the extraordinarily broad scope of the elements listed. Again, in other jurisdictions, where adefinition, the varied nature of the data elements (alpha- similarly broad definition exists, the view is taken that anynumeric characters, text, images, biological material, etc.), of the elements, in and of themselves, constitute personaland the unstructured nature of some of the data elements information. Organisations will have clarify for themselves(such as images and free text, correspondence, and “views which information is considered personal information,or opinions”). For a Privacy Officer, determining the scope whether in conjunction with other elements or not, andof the organisation’s obligations under the Bill, and being under what circumstances. Our understanding of the Billable to articulate that scope in a clearly-definable way to is that information is personal to the extent that it is ableone’s colleagues throughout the organisation, is extremely to identify a person, but given that it is possible to comeimportant for an effective privacy program. to a different conclusion, it is essential that organisations obtain clarity on this point.Recommendation for organisations Unstructured information or material, such as images ofOrganisations should establish criteria to more specifically documents, photos, videos, and paper records, shouldidentify personal information. For example, in other be stored in designated, secured areas. Alternatively,jurisdictions, the data elements are more explicitly organisations will need to be extremely disciplineddefined, such as requiring a person’s name in conjunction with data classification applied to unstructured data. Inwith certain other specified information. The Bill developing their privacy programmes, organisations willcurrently defines personal information as that relating need to take such information into account and create business processes for managing information of this sort throughout its lifecycle, from the time it is collected or created, used and through to its ultimate destruction.8 The Protection of Personal Information Bill: The Journey to Implementation
  12. 12. Definition of personal informationrelating to living persons Recommendation for organisationsNext, we can direct our attention to the definitions of This issue would require correction by the legislature;terms in the Bill. The definition of “personal information” however, in order for organisations to comply with therefers to a “living, natural person”, which means that purposes of the Bill, they should voluntarily adopt periodsas soon as someone dies, their information is no longer of time in which to continue to safeguard the informationsafeguarded. While this might provide some relief to some of deceased individuals. These periods would likely vary,organisations, it is concerning with regards to one of the based on the sensitivity of the information, and could beprimary purposes of the Bill, which is to instantiate our included in industry codes of conduct.constitutional right to privacy.Level of effort requiredOur research with organisations in South Africa has shown that many organisations areunsure of the level of effort that will be required of them to comply with the Bill, withothers estimating that a considerable amount of work will be needed to in order to becomecompliant. 5% At the time of responding to this 9% questionnaire, how 160 man hours (one person, one month) or less. much effort do you In excess of 4 000 man hours. think your organisation 38% will need to put into In excess of 9 000 man hours. becoming compliant We are uncertain how much effort will be with the requirements 48% required. of the Bill?Many organisations are also anticipating that becoming compliant with the Bill is going torequire a number of years, with the majority believing that they will need more than oneyear to become compliant. Our experience with our clients both locally and globally showsthat compliance can take a great deal longer than one year for larger organisations. 13% 13% At the time of 4% One year or less. responding to this More than one year and up to three years. questionnaire, how long do you think your More than three years and up to five years. organisation will need More than five years. to become compliant 35% 35% with the requirements We are uncertain how much time we will need. of the Bill? PwC 9
  13. 13. Recommendation for organisationsWhen the data protection laws came into effect in While we hope that our white paper will sensitise thethe United Kingdom, organisations were given three legislature to the fact that compliance with the Bill isyears to work towards compliance. During that time, not likely to be a task that can be completed within athe Information Commissioner worked with affected short space of time, at the same time we advise thatorganisations to educate and inform, without enforcing organisations should not expect that there will be anthe requirements of the Data Protection Act at that stage. extension to the one year that has been allowed forIn the United States, most organisations handling health- becoming compliant in the current draft of the Bill,related information were given two years to become and should not develop their programmes based on thecompliant with the requirements of HIPAA, with smaller expectation of an extension. We are also aware that manyorganisations being given three. The experience in these organisations are currently adopting a “wait and see”countries demonstrates that given the extent of the approach, arguing that there may be changes to the draftchanges required not only to systems and processes, but Bill before it is enacted. We noted that there were noalso to the mindset of employees, it may be somewhat significant changes to the conditions that organisationsimpractical for the legislature to expect South African must comply with in the last two drafts of the Bill (namelyorganisations to become compliant in just one year. February 2011 and October 2011), and based on the latest draft, we believe that the legislation is close to finalisation. We therefore believe that if organisations begin acting on the present draft of the Bill as if it were law, it is unlikely that they will have to make considerable changes to their programmes to accommodate further amendments to the legislation. With this in mind and the fact that, based on experience, it will take significant time to comply we strongly advise that organisations begin their privacy compliance programmes as a matter of urgency.The minimality requirementOne of the principles of the Bill is that organisations should collect only the minimuminformation required, and should not collect any excessive information. The challengethat many organisations face is that they are not only unsure of what personal informationis being collected, but they are also unsure of whether the personal information they arecollecting is excessive. At the time of 5% Workshops with key stakeholders to determine completing this what information must be collected and which will be unnecessary. questionnaire, has your 18% Analysis and classifications by key stakeholders organisation considered of the data we collect to determine the purpose how you will ensure that of its collection. 41% the information your A combination of both of the above. organisation collects will be in compliance We plan to engage consultants to analyse and 27% classify the data we collect and to provide us with this principle? with recommendations. That is, collecting only We are not sure how we will determine what adequate and relevant 9% information we collect and whether its collection information or only is in compliance with this section. that information that is objectively necessary for the completion of the transaction.10 The Protection of Personal Information Bill: The Journey to Implementation
  14. 14. Recommendation for organisations Clarity of terminologyAn important step in an organisation’s journey tocompliance will be determining what information is In a number of key areas, strongly subjective terminologycollected, and whether it is absolutely necessary that it is is used in the Bill, such as “reasonable”, “unnecessarily”,collected. As can be seen from the above, organisations “legitimate interests”, and “reasonably practicable”. Givenare taking a variety of means to determine this. Regardless that privacy is such an inherently subjective notion, andof how each organisation goes about determining what that one cannot predict how the Regulator will interpretinformation is collected, the question that must be asked these subjective terms, it is difficult for organisations toat all stages and at all levels within the organisation is: establish policies and train their staff.“Why are we collecting this?” If there is no clear purposefor collecting a particular data element, then it should not Recommendation for organisationsbe collected. The less personal information an organisationcollects, the less effort will be required to protect it. Organisations should determine for themselves what the terminology means and how it will impact them, andIn our experience, we have seen that using a combination look to the purposes of the Bill for guidance. They canof interviews and questionnaires to determine what also research case law and enforcement actions in otherpersonal information is collected is most effective. jurisdictions to determine how the Regulator may interpretQuestionnaires allow for quantitative measurements, such provisions. Having done this, organisations canwhile interviews or workshops provide the qualitative then develop their own internal policies and informationbackground as to why certain information is collected. handling controls with guidance in line with the sensitivity of the personal information they process, the risks involved and the consumer base expectations. Organisations canPre-emption provisions then develop employee training to integrate the terms in daily operations. They should additionally clarifyThe “pre-emption” provisions of the Bill in section 3, which the subjective terms through industry codes of conductstate that any other legislation that is stricter than the defining and applying standards relative to the industryBill must still apply mean that a Privacy Officer cannot and technological standards relative to the industry.rely solely on the Bill for the development of their privacyprogram. Organisations need consider the requirementsof legislation such as the Consumer Protection Act, the Communicating the uses of personalPromotion of Access to Information Act, the CompaniesAct, to name just a few of the other pieces of legislation informationthat make up the South African regulatory universe. Section 17 of the current draft of the Bill requiresMulti-national organisations who are subject to privacy organisations to explain to a data subject what his/ herlegislation from other jurisdictions will also need to factor information is being used for, but given the many purposesthe requirements of those jurisdictions into their privacy for which organisations use personal information onceprogrammes. it has been collected, how will this be meaningfully communicated to the data subject at the time of collection?Recommendation for organisationsOrganisations should take a holistic approach to the Recommendation for organisationsregulatory universe, and consult with legal advisors Organisations will have to examine their data flows quiteto ensure that all applicable privacy legislation carefully, in order to determine whether to create a single,is contemplated, and apparent conflicts between large privacy notice for the entire organisation (whichsuch legislation are interpreted and resolved within runs the risk of not being helpful to the data subject andorganisational policy. therefore deemed non-compliant by the Regulator), or creating specialised privacy notices for different areas of the organisation. The purpose of this provision is primarily to ensure that the data subject is aware of the purpose of the processing of their personal information. As with the content of contracts, organisations will be measured not only by whether a statement that informs the data subject is in place but on the quality of the communication. The statements should be clear, should not be vague or ambiguous. Questions as to language of communication and literacy of data subjects may be raised as future inquiries. PwC 11
  15. 15. The uses of personal information Recommendation for organisationsThe Bill requires that if information is collected for a In developing privacy programmes, organisations willspecific purpose, it cannot then be used for a different need to consider the processes around collection ofpurpose. For example, if a customer’s mobile phone personal information and how the purpose of collectionnumber is collected by an organisation as part of is identified. In developing processes, the organisationcompleting a transaction, the organisation cannot then will need to bear in mind the life cycle of data, the datause that mobile phone number to send the customer text elements being collected and most importantly, whenmessages to promote the organisation’s goods or services, personal information will need to be destroyed as it is noas that would then be a change from the purpose for which longer needed. Training of employees will be essential,it was originally collected. as the best-designed privacy programme is likely to fail if employees do not understand their responsibilities when it comes to the handling of personal information. Organisations will have to have a holistic approach to purpose specification and management within the organisation and consider automating some of the processes to minimise usages of personal information for other purposes. (Bear in mind, however, the challenge associated with objections, below.)The right to object to processing of personalinformationIndividuals have the right to object to the processing of their information. How will thisobjection be honoured throughout the entire organisation?Our research has shown that many organisations are currently unsure how they willhandle objections to the processing of personal information. At the time of completing this questionnaire, has your We will use a combination of various notices: at organisation considered our premises, on the forms data subjects complete, on our website, or verbal explanations. how you will allow data 55% 45% subjects other than We have not yet considered how we will allow employees to register the registration of objections. their objections to the processing of personal information?12 The Protection of Personal Information Bill: The Journey to Implementation
  16. 16. Recommendation for organisationsExperience in other countries has shown that the organisations review their system development processesmajority of complaints regarding the handling of personal and change management processes to ensure that theyinformation are based on the data subject’s perceptions. include considerations for the requirements of the Bill.Once these perceptions have been changed, the complaintis easily resolved. This underscores the reality that For older legacy systems where normalisation may bemore often than not it is the way that the organisation’s difficult, it would be wise to determine what data elementsemployees manage complaints and objections that will are being stored in those systems, and ensure thatultimately determine whether the affected data subject appropriate protection is in place.registers a formal complaint with the Regulator. As hasalready been mentioned, training of employees will be Section 22 gives additional weight to the existingessential, especially those who are customer-facing, such requirements of the Promotion of Access to Informationas call centre agents or front-desk agents. Organisations Act, in terms of which organisations must compile awill need to implement dispute resolution procedures to manual detailing the procedures for gaining access toprovide for and efficiently manage objections to the use of information. Over and above this, organisations will needpersonal information. to engage in data classification in order to distinguish personal information from other information, and toThis is not to say that all objections will simply be a matter further distinguish “special personal information”, theof discussing them with the data subjects concerned processing of which is covered in sections 25 to 32 of theand placation of the data subjects. There will be other Bill.objections that indicate that there are problems withinthe systems and processes, and organisations will need todevelop objection-handling processes that will allow the Outsourcing of informationorganisation to determine the cause of the problem and processingresolve it to prevent further occurrences. They will haveto develop mechanisms to track and check for objections Organisations are required to “ensure” that third partiesin all their business processes at key points. Organisations who process personal information on their behalf alsoalso need to bear in mind that the Regulator may insist safeguard the information, and to have contractual termson evidence of how the objection has been resolved, so in place with such parties, especially if the outsourceprocesses will need to take this into account as well. partner is located outside of the Republic (unless they are in a jurisdiction covered by comparable legislation).Access to personal information Recommendation for organisationsSection 22 of the Bill implies that data subjects will be Organisations will need to thoroughly review their existingable to ask organisations whether the organisation stores contracts, as well as identify and evaluate any trans-borderor processes any of their personal information, and can data flows, and ensure that appropriate contractualsubmit a request to have that information deleted. Most language and terms and conditions are in place. Inpersonal information is spread throughout multiple addition, organisations may need to consider requiringdisparate systems (both paper and electronic) within an that their outsource providers supply them with evidenceorganisation. How will organisations be able to identify that the provider has adequate security measures in placewhere all the information is located? and that these are regularly and independently evaluated. Organisations should maintain rights of auditing theRecommendation for organisations practices of third party organisations in order to ensure meaningful compliance with the terms and conditions ofAs far as is practically possible, organisations should the contracts.normalise their electronic information to ensure that it isstored the minimum number of times across applications, Over and above this, we recommend that organisationsdatabases, end user applications, third parties and in both evaluate the operators they are currently dealingvarious other electronic or paper formats. The quality with, as well as developing processes to evaluate operatorsof personal information can be questioned if it is spread that they may contract with in the future. In evaluatingacross systems. Wherever feasible, organisations will operators, organisations should establish, for example:have to ensure that a single view of customer records ispossible and that the information is consistent across the • Whether the operator has sufficient controls (people,organisation. Records management systems will need to process and technology) in place to ensure that thebe established for paper and electronic records. However, personal information being processed is protected; andnormalisation may only be possible for new systemsthat are in development. It is therefore important that • Whether the operator is in turn outsourcing the processing of personal information to yet another party. PwC 13
  17. 17. Obtaining consent from data subjectsSection 10 requires responsible parties to obtain consent from a data subject prior toprocessing his information. Organisations who participated in our research have generallyindicated that they will use a variety of means to obtain consent from data subjects tocollect and process their information. We will include a notice on all forms that must be At the time of completed by data subjects explaining why we 17% are collecting data, assume that data subjects completing this will read and understand the notice and thereby questionnaire, have tacitly give their consent. you considered how Combinations of some of: notices on forms will you obtain consent 35% completed by data subjects, verbal explanations, from data subjects other notices on our website, and a “tick box ” for data subjects to tick, indicating that they have read than employees (i.e. the notices. 39% customers, suppliers, We will use a combination of all of: notices on etc.)? forms completed by data subjects, verbal 9% explanations, notices on our websites and a “tick box” for data subjects to tick, indicating that they have read the notices. We have not yet considered how to obtain data subjects’ permission.Recommendation for organisationsObtaining consent for the processing of personal information needs to be an aspect thatwill be considered by organisations, depending on their business and how they transactwith stakeholders. Privacy notices on websites and on contracts will need to be developed,giving data subjects clear information regarding why the entity is collecting their personalinformation, and what it will be used for, including the option to object if the data subjectwishes to – which will need to be accompanied by appropriate processes and proceduresfor personnel to follow should this occur. Consent choices and objectives must be recordedin systems and data subjects who consented for specific processing options or objectionsmust be flagged and their information excluded in the specific processing or alternativeprocedures will need to be defined and followed.14 The Protection of Personal Information Bill: The Journey to Implementation
  18. 18. Deletion of information that is no longer required orthat is excessiveSection 13 requires organisations to delete personal information that is no longerrequired, unless it needs to be retained by law, for the purposes of a contract between theorganisation and the data subject or if the data subject has given his/ her consent to theinformation being retained. The requirement to delete information that no longer needs tobe retained is an issue that many organisations are finding difficult to manage, given themultitude of legislation that requires records to be kept for differing periods of time.Our research with organisations shows that many entities do not yet have records retentionpolicies that include policies regarding the deletion of personal information. At the time of completing this questionnaire, does your company have 65% 35% Yes. policies and procedures No. governing when and how personal information is to be deleted?In conjunction with the requirements of Section 13, Section 23 gives data subjects theright to request an organisation to delete his/ her record if the organisation is no longerauthorised to retain the record or the record is “inaccurate, irrelevant, excessive, outof date, incomplete, misleading or obtained unlawfully”, or to request an update to therecord.However, many entities are not yet certain how they will manage such requests. If a data subject 4% claims that the record Delete the record without question. your organisation Warn the data subject that if they wish to do holds should be business with us in the future that they will have to resubmit their information, & allow them to deleted because your then choose between deletion & retention. If they organisation is no insist on the information being deleted, we will do 39% 44% so. longer authorised to retain the information Archive the information so that it is not easily accessible, but continue to hold it in case the or for any of the other data subject changes his/ her mind in the future. reasons listed in the Bill (inaccurate/ out Ignore the request as data subjects are not aware of the impact on them of deleting such records. of date information, 4% 9% etc.), what steps is your We are uncertain what steps we would take. organisation likely to take? PwC 15
  19. 19. 4% If a data subject claims Delete the information the data subject claims is that the personal “excessive” without further question. information your organisation holds is Explain why the information is collected and what it is used for, and continue to hold all the “excessive” and requests 39% 26% information collected. that the “excessive” Explain why the information is collected and information be deleted, what it is used for, but if the data subject what steps is your continues to insist that the “excessive” information be deleted, do so after the data organisation likely to subject has been warned of the impact of take? 31% deleting the information. We are uncertain what steps we would take. 9% If a data subject By completing a secure form on our website. requests an update 9% By completing a paper form that can be to the records your 30% submitted to any of our branches/offices. company holds about Any of: completing a form on our website, calling him/ her, in what our call centre, completing a form to be manner will you submitted at one of our branches/ offices, or ask for the updated sending us a fax. information? We have not yet determined what process data subjects should follow to update their records. 52%Recommendation for organisationsProcesses that organisations will need to consider as part of their privacy programmeswill include those regarding allowing data subjects to update their information, aswell as how to handle requests from data subjects to delete their personal information.In addition organisations will have to ensure that their Records Management Policydetails the retention periods of the various personal information categories with relatedprocesses and mechanisms to destroy it in all formats once the retention period is met.These policies will need to take a holistic approach to records retention that takes intoaccount the multitude of legislation that makes reference to records retention periods. Indeveloping a policy regarding update of information by data subjects and the deletion ofsuch information once it is no longer needed, organisations need to consider the following,amongst others:• Back-up tapes;• Information stored off-site for disaster recovery purposes;• Spreadsheets of information extracted onto individual laptops or PC’s;• Data warehouses;• Footage from closed circuit cameras.16 The Protection of Personal Information Bill: The Journey to Implementation
  20. 20. Systems that inadvertently store information will also needto be more carefully managed. Such systems may includerecords of visitor details to the organisation’s premises, as asimple example.“De-identification” of personalinformation Recommendation for organisationsAnother definition that is likely to pose challenges is Organisations will need to familiarise themselves“de-identify”. Section 4 of the Bill excludes information with the various techniques available for de-“that has been de-identified to the extent that it cannot identification. They will also need to implement abe re-identified again”, using any “reasonably foreseeable re-identification risk assessment for each situation.method”. However, in other jurisdictions there have been The outcome of the risk assessment will determineseveral well-publicised reports of re-identification of whether de-identification is acceptable, given theindividuals within large data sets using publicly-available circumstances, and which technique(s) to use.information. As a result, organisations may find itchallenging to use de-identification as an effective businessmechanism. It remains to be seen whether the SouthAfrican Regulator will view organisations as having beennegligent if information is re-identified using publicly-available information.Removable devicesExperience both locally and overseas indicates that the greatest number of compromises ofpersonal information is due to the loss of removable devices, such as laptops, USB memorysticks, PDA’s, etc. Paper records have also proved problematic, as many of the more recentcompromises relate to personal information stored on paper that was either deliberately orinadvertently removed from the organisation’s premises, with inadequate precautionsthen being taken to protect it. However, many organisations in South Africa, while awareof the risks both from a security and privacy perspective, have not yet determined how toaddress this risk. Our security/mobile computing policy states that staff are prohibited from using personal devices 8% and warned them that only approved devices At the time of issued by our organisations are to be used. completing this 24% We have ongoing awareness to highlight the risks questionnaire, has of mobile computing. your organisation implemented any Both of the above. 36% special security 8% We have password protected mobile devices, safeguards for although we do not have encryption software installed. removable computing devices (e.g. laptops, 20% We have considered the risks posed by mobile USB flash drives/ computing, although we do not yet have a policy or process to mitigate these risks. memory sticks, external 4% hard drives, PDA’s)? We have not considered the risks posed by mobile computing. PwC 17
  21. 21. Recommendation for organisationsAddressing the risks of mobile computing is essential in In addition to preventative measures, organisations willdeveloping a comprehensive privacy programme. The also need to determine what the response will be in theanswers to mitigating these risks are likely to lie in a event of a compromise of personal information due to acombination of technical solutions (such as encryption removable device being lost or paper records inadvertentlysoftware) as well as having ongoing education and being left in a public place. Strategies to respond will needawareness programmes so that staff are constantly to include how to determine which data subjects werereminded of their responsibilities when it comes to affected, how to manage notifications to the affected dataremovable devices. subjects, the handling of any complaints that may arise as a result, as well as investigation of how the breach occurred in the first place. Once again, organisations need to remember that the Regulator may well demand evidence of how the compromise was responded to, and therefore documentation of the actions taken will be important.Closed circuit camerasOne aspect that many organisations have not considered are the privacy notices that willbe required if they use closed circuit cameras. The responses to our survey indicate thatthis is generally something that many organisations have not yet considered. At the time of 22% Yes: we have clearly visible notices that are completing this strategically placed warning people who come onto our premises that we use closed circuit questionnaire, does cameras. your organisation 39% disclose to stakeholders No: we use closed circuit cameras but there is no explicit notice. (e.g. customers, suppliers, employees, We do not believe that it is necessary to explicitly visitors, etc.) that they 39% disclose the use of closed circuit cameras. are being recorded by closed circuit cameras? At the time of completing this questionnaire, if your organisation does No: we have notices up but theyonly advise disclose to stakeholders 61% 39% people that camera surveillance is in place. that they are being recorded by closed No: we use closed circuit cameras but there is no explicit notice. circuit cameras, does the disclosure also include information regarding what is done with the video surveillance footage?18 The Protection of Personal Information Bill: The Journey to Implementation
  22. 22. Recommendation for organisationsAs the definition of “records” extends to photographs how it will be protected, and when it will be destroyed inand video footage, organisations will need to determine accordance with legislative requirements.whether the notices they have up (if they have them up)will be sufficient for the purposes of the Bill. In the long One aspect that we believe that the banks in particular willterm organisations will need to seek guidance from the need to discuss with the Regulator is the matter of hiddenRegulator as to the parameters on balancing the rights of cameras in the vicinity of automated teller machinesthe organisation vis-à-vis the rights of the data subject. In (ATM’s). It is clear that such cameras are needed in thesome cases they may also need to take into account other event of criminal activity around ATM’s, and thereforelegislation that requires such surveillance. providing notification that cameras are being used may be counter-productive. It will be important that the need forOver and above providing notices regarding camera security and crime prevention is balanced against the needsurveillance, organisations will need to include in their for the protection of personal information, and finding thispolicies who will be permitted to access such information, balance is likely to need input from the Regulator.Section 71 – Unsolicited electronic communicationAlthough s71(1) prohibits using electronic communications for direct marketing unlessthe data subject has given his/ her consent or is a customer of the responsible party,s71(2) permits an organisation to approach a data subject once in order to obtain theirconsent to be obtained. This may be interpreted by organisations as being allowed to adddata subjects’ contact information to mailing lists, and only removing the customers if thecustomer chooses to “opt out”. In the case of marketing campaigns conducted by SMS,the data subject who receives the message often has to reply to the SMS to be removedfrom the contact list, which is generally at his/ her expense. If the data subject ignoresthe initial contact and does not specifically opt out from the marketing communication,the organisation may continue to send marketing communication on the assumption that“silence indicates consent”.Our research with South African organisations indicates that there is some confusion withregard to the interpretation of this particular clause, as shown below. Does your organisation view this clause as Yes: We must have the “opt in” on record before 23% we can market directly to them. a requirement for customers to specifically No: Provided that we have an “opt out” option on give their consent 68% our marketing material that will be sufficient to comply with this section. before marketing to 9% them via email or other At this stage we are uncertain how to interpret this clause. electronic means, i.e. customers must “opt in”? PwC 19
  23. 23. While most organisations seem to be fairly clear that Consideration for the Regulatorthey regard this as a requirement for customers to “opt The uncertainty over the interpretation of this clausein” before they start marketing to them using electronic is likely to be an indicator that organisations may takecommunications, there are still a number of organisations some latitude in how they believe they should comply.who seem to be uncertain as to the meaning of this We therefore recommend that greater clarity be given,requirement, or see having an “opt out” mechanism as either through rewording of this clause, or through thebeing sufficient for compliance. In additional, anecdotal Regulations.evidence from media reports and discussions on websitesindicates that there are a number of people who interpretthis clause as being a requirement to have an “opt out”mechanism, rather than specifically asking for permissionfrom customers to contact them (“opt in”).20 The Protection of Personal Information Bill: The Journey to Implementation
  24. 24. 7. The RegulatorThe governance and structure of the The powers and duties of theRegulator RegulatorThe most recent version of the Bill outlines a structure The Bill provides for the establishment of an Informationfor the Regulator that comprises a commission-style Protection Regulator with institutional characteristicsRegulator, rather than an individual. The commission common to counterpart regulators in other countries –would be comprised of relatively few individuals (currently independence, impartiality, a juristic entity comprising afive people), including a Chairperson. The individual sound governance structure that performs its functions andmembers are likely to be responsible for different functions exercises its powers without fear, favour or prejudice. Theof the Regulator, such as the protection of personal duties of the Regulator shall include:information and the promotion of access to information.The current draft of the Bill calls for the members to be • Monitoring and enforcing compliance with the Bill (onappointed by the President, based on recommendations enactment);from the National Assembly. The National Assembly mustrecommend the members via a committee comprised of • Promoting understanding and acceptance of themembers of parties represented in the National Assembly, information protection principles and objects ofand the nominees to the President must be approved principles;by a majority vote of the National Assembly. Althoughthe Regulator will be formed under the auspices of the • Input to revisions to laws impacting the protection ofDepartment of Justice and Constitutional Reform, the personal information;Regulator itself will be an independent juristic person,subject only to the Constitution and the law. This holds • Monitoring developments in technology in order topromise for the independence and impartiality of the limit foreseeable negative impact on the protection ofRegulator. personal information;The structure of the Regulator will be aligned with its • Conducting educational programmes and makingfunctions (see below). public statements pertinent to protection of personal information; andThe Regulator itself, as a juristic person, would be “...independent, and is subject only to the Constitution and to • Auditing public and private bodies’ personal informationthe law ...”. In other words, the Regulator will not be under practices.the authority of government. PwC 21
  25. 25. As such the Regulator is tasked with administrative, As with regulatory bodies in other countries, we would likesupervisory and promotional roles. Day to day functions to anticipate that in the beginning much of the Regulator’sof the Regulator will include receipt and investigation of activity will relate to educating organisations about theircomplaints, issuing of directions for compliance with the responsibilities when it comes to protecting the personallegislation and maintaining a strong research function information of the data subjects that they transact with. Wethat is able to position the adequacy of South Africa’s data would further anticipate that the Regulator’s early activityprotection regulation against rampant opportunities for will also include educating the general public aboutabuse of personal information. their rights when it comes to their personal information. While the Regulator will have wide powers, and hopefullyEqually noteworthy, the Regulator is tasked with the sufficient resources to enforce the requirements of the Bill,performance of its functions and powers in accordance at the end of the day the Regulator will also need to rely onwith this Bill and the Promotion of Access to Information the public to assist with enforcement.Act (PAIA). The arrival of the Regulator spells thereforethe arrival of due enforcement of PAIA which came intoeffect in 2000. Another challenge for the Regulator will bethe facilitation of the interplay between rights of access toinformation in PAIA and protection of information in thePoPI Bill.22 The Protection of Personal Information Bill: The Journey to Implementation
  26. 26. 8. Applying experience from other countries in South AfricaSection 1 – DefinitionsThe current draft of the Bill has described fairly lengthy The UK Data Protection Act of 1998 defines personal datadescription of what is meant by “personal information”. as:On first reading this definition one would assume thatthere is little room for misinterpretation, until the reader data which relate to a living individual who can berealises that there are certain elements that are somewhat identified —subjective. For example, one of the data elements includedis that of “preferences”. Does this then mean that Mrs A’s (a) from those data, orpreference for tea rather than coffee should be protected?We therefore submit that certain of the elements included (b) from those data and other information which is inare difficult to interpret and impractical to protect. the possession of, or is likely to come into the possession of, the data controller,We reviewed the definitions of personal information from anumber of other countries. and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual The Canadian Personal Information Protection and Electronic Documents Act defines personal information as: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. PwC 23