Going to cover most of the law
Purpose to give an overview and provide a starting point for further discussion
This is not about the Protection of State Information Bill aka “Secrecy Bill”
I am not a lawyer (duh) – this is about a law – thus you should have a lawyer
check and work with you on this.
We are talking about a bill, not an act.
The legal aspects about the regulator and information protection officers.
Code of conduct aspects.
Unsolicited Electronic Communications aspects.
Goal of the bill
To promote the protection of personal information processed by public and private
bodies; to introduce information protection principles so as to establish minimum
requirements for the processing of personal information; to provide for the
establishment of an Information Protection Regulator; to provide for the issuing of
codes of conduct; to provide for the rights of persons regarding unsolicited
electronic communications and automated decision making; to regulate the flow of
personal information across the borders of the Republic; and to provide for matters
One Page View
on what you
Keep for as
short a time
Delete so it
You can find
out who has
given if there
is loss or
Section 14 of the Constitution: Every has a right to privacy
Bill created in 2009
Seven drafts to date
Expected to be enacted in three to six months1
Companies will have between six and twelve months to put the law into place.
1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login=
Who this applies to
This is aimed at protecting the information of all citizens of the country – so you!
Any company that processes or outsources data to third parties needs to
comply with it.
As all organisations have information on staff, share holders etc… this means
all businesses are affected.
Who it doesn’t apply to
is non-commercial, and non-governmental or related to household activities;
has been de-identified to the extent that it cannot be re-identified again;
is held by or on behalf of a public body, which involves national security or
deals with the identification of the proceeds of unlawful activities and the
combating of money laundering activities;
is created exclusively for journalistic purposes.
What does it apply to?
‘‘processing’’ means any operation or activity or any set of operations, whether or
not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or
modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any
other form; or
(c) merging, linking, as well as blocking, degradation, erasure or destruction of
Must process lawfully
Minimal set of data
Relevant data only
Give the purpose
Consent must be given
Required for the conclusion or performance of the contract
You may opt out, at any time, and the processing must stop
Impact on the cloud?
Applies to all people & companies that are within South Africa
Applies to all people & companies that have systems that do processing in
There is additional consent need to store & process data outside of the borders
of the country
has implications to further processing
Must be collected directly from the data subject
It is in a public record already
The data subject has consented to collection from a third party
Collection from a third party without consent, where it would not prejudice the data
Collection from a third party without consent where it is required
For example getting a criminal record from the police
Kept only for the processing
Can be kept for longer if
Required by law
Required for functions/activities
Agreed to in contract
Historical, statistical or research provided appropriate safe guards
Retention for Decision Making
Data must be retained for as long as the law says
If there is not law, for a reasonable period
This is so that access requests can be fulfilled
Destruction of Data
Data must be destroyed ASAP
Data must be destroyed in such a way it cannot be reconstructed
Reasonable technical & organisational measures to prevent
Loss of & damage to data
What do you need to do
Identify all risks (internal & external)
Maintain & regularly validate safe guards
Follow generally accepted information security practices
Notification of security compromises
Must notify the regulator
Must notify the data subject
Must be done ASAP, except if instructured by SAPS, NIA or regulator to delay
Notification must be done in one of the following ways
Mailed to physical or postal address
Placed on the web site
Published in the news media
As directed by the regulator
Notification must contain enough information for the data subject to take protective measures
Must, if known, contain the identity of the unauthorised person
Data Subject Participation
A data subject, having provided adequate proof of identify, can request, free of
charge, if a company has information on them.
A data subject, having provided adequate proof of identify, can request what the
information is & who it has been provided to.
Reasonable cost can be applied but an estimate must be given first.
Parts can be denied – requires compliance with grounds set out in PIPA
A data subject can request the data to be changed or deleted
The reasonable party must comply with it, and provide evidence of it.
You may not process parts of information
if they relate to
data subject’s religious or philosophical beliefs, race or ethnic origin, trade
union membership, political opinions, health, sexual life or criminal behaviour.
There are reasonable exceptions for example
Religion: If the information is being processed by an organisation and the data
relates to belonging to that organisation. For example religious information &
Health: if the organisation is an insurance or medical organisation
The regulator must be notified prior to initial processing, must include
Name & address of who is using the data
Description of data collected
Who the data will be supplied to
If it will leave South Africa
Description of security measure
Process: Complaint Decision of Action Investigation Assessment
Enforcement Notice Appeal
Can issue warrants and do search & seizure
Offences: Obstruction, breach of confidentiality, failure to comply
Penal sanctions: Imprisonment (up to 10 years) and/or fine
Fine: R 10 million1
Civil action can also be taken
1. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+B
Impact on other laws
Amendments & Repeals to
Promotion of Access to Information Act, 2000
ECT Act, 2002
National Credit Act, 2005
Blackberry with company information left on train & does not have a pin. The
company is at fault. 1
Outsourced company doing storage of backups and loses the backup medium.
The backups contain customer information. The backup is not encrypted. The
company is at fault. 2
1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login
2. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+Bill
KPMG Cheat Sheet
Broken down into the eight principals and has a number of easy to answer
questions about an organisation that can help comply.
Have someone accountable in the organisation for the management of data, data information
policies & managing communication in this regard
Have a document of data we collect
Detail how & why it was collected, if further processing is needed and when it will be destroyed
Include the why on the documents we use
Educate staff on this
Ensure we have security risk assessments for the data and that reasonable security is in place
in all areas
Ensure people have a way to access & update their information