2014-04-16 Protection of Personal Information Act Readiness Workshop


Published on

These are my slides for my presentation at the Protection of Personal Information Act Readiness Workshop at the OR Tambo Protea Hotel on 16 April 2014. My focus was on understanding data processing constraints; identifying key risk areas and the benefits of better data protection frameworks.

Published in: Law, Technology, News & Politics
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

2014-04-16 Protection of Personal Information Act Readiness Workshop

  1. 1. 2014-04-16 Responsible Data Processing Protection of Personal Information Act Workshop
  2. 2. 2014-04-16 Share your thoughts You can find me on Twitter as @pauljacobson #POPIready
  3. 3. Understanding your data processing constraints
  4. 4. Lawful processing conditions ✤ Accountability! ✤ Purpose limitation! ✤ Purpose specification! ✤ Further processing limitation! ✤ Information quality! ✤ Openness! ✤ Security safeguards! ✤ Data subject participation
  5. 5. There are exceptions
  6. 6. Personal or household activity
  7. 7. Anonymised and can’t be associated ! with a data subject again
  8. 8. By or on behalf of a! public body National security Public defence Crime and money laundering
  9. 9. Cabinet or! Executive Councils Judicial proceedings
  10. 10. 01 Journalistic, literary or artistic purposes
  11. 11. “solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.” – Section 7(1), Protection of Personal Information Act
  12. 12. Regulatory function delegated to a code of ethics that will apply to the exclusion of the Act* * This is provided for elsewhere and forms part of a distributed enforcement mechanism
  13. 13. Conditions for lawful processing of personal information
  14. 14. Consent and data collection
  15. 15. 01 Consent, justification and objection
  16. 16. “… it seems to be a sensible approach to say that the scope of a person’s privacy extends a fortiori only to those aspects in regard to which a legitimate expectation of privacy can be harboured.” – Bernstein and Others v Bester NO and Others
  17. 17. Options Consent Legitimate interests Contractual conclusion or performance
  18. 18. Only in the case of consent may a data subject withdraw permission
  19. 19. “Legitimate interests” is vague, undefined and, yet, a very interesting justification
  20. 20. “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.” – Section 6, Schedule 2, UK Data Protection Act
  21. 21. Still, the “Lawful processing of personal information conditions” provide broad parameters and context for “legitimate interests” arguments …
  22. 22. 01 Special personal information
  23. 23. ✤ Children’s personal information! ✤ Religious or philosophical beliefs*! ✤ Race or ethnic origin! ✤ Trade union membership*! ✤ Political persuasion! ✤ Health or sex life! ✤ Criminal behaviour or biometric information
  24. 24. How transparent are you?
  25. 25. ‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information
  26. 26. “A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.” – Section 16, the Protection of Personal Information Act
  27. 27. Do you facilitate meaningful access to personal information you hold?
  28. 28. Data processing
  29. 29. “Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.” – Section 10, the Protection of Personal Information Act
  30. 30. Purpose specification “Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party” Be transparent about the purpose
  31. 31. Further processing must align with the original purpose* * There are exceptions too
  32. 32. Data integrity and retention
  33. 33. “… records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed …” – Section 13, Protection of Personal Information Act
  34. 34. Don’t lose sight of the bigger data retention compliance picture Electronic Communications and Transactions Act Protection of Personal Information Act Everything else
  35. 35. POPI places special emphasis on security safeguards
  36. 36. “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures …” – Section 19, Protection of Personal Information Act
  37. 37. “A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19 …” – Section 21, Protection of Personal Information Act
  38. 38. Identifying key risk areas
  39. 39. How do you process personal information? Helpful questions Are you the responsible party or the operator? Is your reputation at risk and what could go wrong?
  40. 40. Do you engage in direct marketing?
  41. 41. Do you process personal information on your responsible party customers’ behalf?
  42. 42. Benefits of better protection frameworks
  43. 43. Clear privacy statements
  44. 44. Transparent dealings with stakeholders 2014 Heartbleed Bug OpenSSL exploit came to light Providers proactively contacted users and recommended password changes
  45. 45. Be responsible, reduce reputational harm risk in the process
  46. 46. “The way to gain good reputation is to endeavor to be what you desire to appear” – Socrates
  47. 47. Thank you for your time. Please feel free to contact me if we can assist you or answer questions. webtechlaw.com/contact Paul Jacobson 083 444 8260