PROTECTION OF PERSONAL INFORMATION BILL (09) 2009 SEPTEMBER 2009
Content • Overview: Timetable, aim • 9 principles • Exceptions and special provisions • Automatic electronic communications • Consent/purpose • The Regulator • Codes of conduct • Table of content of the Bill • Conclusion
Timetable for introduction of PPIBill (09)of 2009 was tabled in August to Parliament by Cabinet.• It will now go through the Parliamentary process: hearings before the National Assembly portfolio committee.• Could be signed by the President first half of 2010.• It will then take another year before the start of its implementation, including the drafting of regulations, the setting up of a National Information Regulator‟s office and other support structures.So there is time for all businesses to prepare their operations and minimize the impact of the legislation.
The aim of PPI• To give effect to the constitutional right to privacy• To regulate the manner of collection, usage, processing, retention and deletion of personal information• A statutory regulatory agency to be established, information commissioner: to register, monitor, regulate, educate and prosecute the offences• To endorse codes of conduct to make industry sectors self-regulated• To fall in line with international standards for trans border data flowThe law applies to all private and public bodies who handle personalinformation .
9 principles in PPI BillPersonal information must be:• Obtained fairly and lawfully and disclosing the purpose (purpose driven) and used only for the original specified purpose• Adequate, relevant and not excessive to purpose• Get consent as far as it is practical and offer an opt-out option (consent)• In some cases opt-in will be mandatory• Accurate and up to date and delete if requested (control)• Accessible to the subject• Kept securely and destroyed after its purpose is completed• The responsible party has an obligation to comply with all principles• Trans borders complianceThey are exclusions and exemptions for each principle and certain circumstances.
1. Accountability • Designate a staff manager to be responsible for adherence to privacy principles throughout the company • Draft a company privacy principles code to be used by all departments • Train all staff affected • Subscribe to an industry code, advise and scrutinize • Register with Information Regulator
2. Disclosure When gathering data from individual consumers marketers shall advise them of: 1. What information is being collected 2. How the information will be used 3. Record their consent When acquiring a list from another organization, must insure that consent was obtained for such usage
3. Controlling the use of information (purpose) • The purpose for which information is collected shall be identified before the time of collection • The collection shall be limited to what is necessary as identified by the company • All involved in the use, transfer, rental, sale or exchange of data must be aware of the exact nature of the list‟s intended usage
4. Safe storage of information of customers• All those involved in the use, transfer, rental, sale or exchange of mailings lists should agree to be responsible for the protection of data and take appropriate measures to ensure against unauthorized access, alteration or dissemination of list data
5. Respect for confidential and sensitive information • Lists owners and users must be protective of consumer‟s rights to privacy of sensitive information like religion, health and sex life, race, political persuasion and criminal behavior and positive consent will have to be obtained ( some industry exceptions)
6. Give consumers control of usage of information • Make reasonable efforts to provide personal own information to consumers on request • The marketer must remove the consumer‟s name from all internal lists or rental to third parties at the request of the consumer at anytime of such request • The marketer must amend any personal information at the request of the consumer or when aware of changes to the data. There is a duty of accuracy in keeping the information (present requirement of PAIA of 2000)
7. Security safeguards • Ensure the integrity of personal information and unlawful access • Information processed by person acting under authority of responsible party • Security measures in place • Notification of security compromises to regulator and data subjects
8. Information no longer required • Formal guidelines and implementation procedure guidelines must be develop to ensure safe destruction or disposal of personal information no longer required.
Exceptions and special provisions Note: Public Domain is excluded• Separate provision has been made for the protection of special (sensitive) personal information like religion, health and sex life, race, political persuasion and criminal behavior.• Section ( sect 66) regulates the unsolicited electronic communications to „opt- in” conditions (except for present customers)• (Sect 67) regulates the compilation and use of directories and ( Sect 68) automated decisions making• Deals with the privacy and advertising to children.
PPI: E-mail, SMS, Fax, automatic dialingmachines offers• Section 66 mandates that consent is obtained before contacting new consumers by Email, SMS, automatic dialing machines- opt-in requirement- (spam protection).• Does not apply to telemarketing• Positive consent does not apply for existing customers• ECT Act to be reviewed
“Consent” “purpose” and usage• “Purpose” for collection and usage must be disclosed up front• “Consent” means any freely given, specific and informed expression of will where data subjects agree to the purpose of usage and processing of personal information• An “opt-out” system presumes that the consumer wants to be contacted for marketing offers BUT the system allows people to block the use of their information.• An “opt-in” system presumes that the consumer does not want to be contacted ( even if the information is from publicly available source) and it requires that every consumer be contacted to gain explicit permission.• “Implied consent” can apply to existing customers
Regulator’office & Complaints• Establishment of a Regulator as an independent authority to administer the Bill, issuing codes of conduct, registering companies who intend to process personal information ( to check the purpose and transparency compliance)• Procedures set out to lodge a complaint with the Regulator• Regulator‟s powers and procedures outlined• Regulates the investigations process• Offences and penalties
Codes of conduct• Provisions in the Bill for registration by Associations of business sectors codes.• If the code accepted by the Regulator, the sector becomes self regulated and report to the regulator on its processing of complaints and , from time to time has its code reviewed• Should a company not adhere to the recommendations of the Association, the remedies and penalties of the Bill will apply.• An industry with a Code will also vet its members for compliance to the Bill, and if accepted as a member, the process of prior investigation will not be done by the Regulator.
Table of content of the Bill ( 12 chapters)• Chapter 1 : Definitions and purpose• Chapter 2 : Application provisions• Chapter 3 : Principles and processing of information• Chapter 4 : Exemptions• Chapter 5 : Information Protection Regulator• Chapter 6 : Notification and prior investigation
Table of content of the Bill ( contd)• Chapter 7 : Codes of conduct• Chapter 8 : Unsolicited electronic communications• Chapter 9 : Trans-border information flows• Chapter 10 : Enforcement• Chapter 11 : Offences and penalties• Chapter 12 : General provisions