What does the Protection of Personal Information Act mean for business and for cybersecurity? Find out the implications of South Africa's new technology law.
The Protection of Personal Information Act: A Presentation
1. The Protection of Personal Information Act 2013
Personal Information is your business
25.09.14
KOMESHNI PATRICK
TECHNOLOGY LAWYER/DIRECTOR/ENDCODE.ORG
2. Contents
Definitions
Aims
Exemptions
Key Role Players for POPI
8 Conditions of POPI
POPI and Consent
POPI and Notification
Giving PI Away
POPI for Business
PI & Cybercrime
3. What is Personal Information (PI)?
Section 1
Identifiable, living, natural person or identifiable, existing juristic person
Race, sex, gender, name, sexual orientation, age, mental health
Medical, financial, criminal or employment history
E-mail address, physical address, telephone number, location information, online identifier
Biometric information
Personal opinions, views or preferences
Private correspondence
Opinions of another individual about the person
Name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
4. What is Special Personal Information?
Section 1
The religious or philosophical beliefs
race or ethnic origin
trade union membership
political persuasion
health or sex life or biometric information of the person
The criminal behaviour of the person to the extent that such information relates to:
The alleged commission by the person of any offence
Any proceedings in respect of any offence allegedly committed by the person or the disposal of such proceedings
5. What is Processing?
Sections 1 and 4 of POPI
Processing means any activity, whether by automatic means or not, concerning personal information, including:
The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
Dissemination by means of transmission, distribution or making available in any other form; or
Merging, linking, as well as restriction, degradation, erasure or destruction of information;
Processing must be for a defined and legitimate purpose that is clear to the DS from whom you are collecting the PI
6. The Protection of Personal Information Act 4 of 2013 (POPI)
Aims:
Protection of PI processed by private and public bodies
Minimum requirements for processing of PI
Establishment of Information Regulator
Codes of Conduct
Rights protection against SPAM and automated decision-making
Regulate cross-border flow
7. Exemptions from POPI
Personal & Household
• Personal address book
• Personal Computer
De-identified & cannot be re-identified
• Anonymous Surveys
• Course Evaluation
Public Bodies involved in national security
• Prevention and detection of unlawful activities
• Terrorism, money laundering, offenses
Judicial Function of a Court
• Section 166 of the Constitution
Terrorism
• Terrorist & Related Activities Act 33 of 2004
Journalistic, literary, artistic
• Freedom of Expression (S16 Constitution)
• Codes of Ethics govern PI infringements
8. Key Role Players for POPI
Data Subject
•The person to whom PI relates
Responsible Party
•Public or private body or any other person which determines the purpose of and means for processing PI
Operator
•Person who processes PI for a RP in terms of a contract or mandate, without coming under the direct authority of that party
Competent Person
•Any person legally competent to consent to any action or decision being taken in respect of any matter concerning a child
Information Regulator
•A juristic person established in terms of the Act, accountable to the National Assembly and appointed by the Minister of Justice
9. 8 Conditions of POPI
Accountability
•RP to ensure conditions for lawful processing
Processing Limitation
•Minimality – adequate, relevant and not excessive
•Consent, Justification, Objection
•Collection directly from Data Subject
Purpose Specification
•Specific, explicitly defined and lawful purpose
•Records of PI must not be retained longer than is necessary for achieving the purpose
•Exemption: record required by law, historical, statistical or for research
•Destroy/delete/de-identify a record of PI once purpose achieved
Further Processing Limitation
•To be compatible with original purpose of collection; if not, consent for further processing is required
10. 8 Conditions of POPI
Information Quality
•RP must take steps to ensure PI is complete, accurate and not misleading
Openness
•Records of the processing cycle for operations must be maintained and made available to the DS
•Obligation on RP to notify the DS upon collection of PI
Security Safeguards
•Integrity and confidentiality of PI must be maintained to prevent loss, damage, unauthorised destruction, unlawful access or processing
•Operator must notify RP if there are reasonable grounds to believe that the PI was accessed by an unauthorised person, and the RP has to notify the Regulator and the DS
Data Subject Participation
•Right to be informed - DS can request free of charge whether PI is held
•Where DS requests copy of the record, the RP can charge a fee
•DS can request correction or deletion of PI that is inaccurate, irrelevant, out of date, excessive, incomplete, misleading or unlawfully obtained
11. POPI and Consent
General Consent (Section 11)
•Consent from DS for processing PI
•Consent can be withdrawn at any time.
•Where the DS is a child, consent is needed from Competent Person
Retention of Records (Section 14(1)(d))
•For records to be retained longer than is needed for achieving the purpose of the data processing, the DS must consent.
12. POPI and Consent
Restriction on processing (Section 14(7))
•The RP must restrict processing of information if:
•The accuracy is contested by DS and RP has to verify the PI
•Purpose is achieved but retain PI for proof
•The processing is unlawful and the DS requests restriction rather than destruction
•The DS requests PI be transmitted to another automated system
•May only be processed:
• With DS consent or Competent Person’s consent
• For purposes of proof
• To protect a right of another natural or legal person
• For public interest
13. POPI and Consent
Further Processing (Section 15(3)(a))
• Further processing of information that is not compatible with the original purpose of collection can only take place if the DS consents.
Notification of Collection (Section 18(4)(a))
•The DS can consent to not being notified when information is collected.
14. POPI and Consent
Special Personal Information (Section 27)
•The DS must consent to the processing of special personal information.
Religious Beliefs (Section 28(3))
• Information regarding religious or philosophical beliefs can be processed only by religious or spiritual institutions to which the DS belongs without consent
• Consent from the DS is needed when this data is supplied to third parties.
15. POPI and Consent
Trade Union Membership (Section 30(2))
• Information regarding trade union membership can be processed only by the trade union or its federation body to which the DS belongs.
• Consent from the DS is needed when this data is supplied to third parties.
Political Persuasion (Section 31(2))
• Information regarding political persuasion can be processed only by institutions founded on political principles to which the DS belongs without consent
• Consent from the DS is needed when this data is supplied to third parties.
16. POPI and Consent
Children’s Information (Section 34)
• Processing PI regarding children can only occur with the consent from a person who has legal competence to make decisions regarding that child.
Direct Marketing (Section 69)
• Processing for direct marketing is prohibited unless the DS gives consent.
• To request consent, the RP may approach the DS for consent only once and only if the DS has not previously withheld consent.
17. POPI and Consent
Foreign Country Transfer (Section 72(1))
• RP may not transfer PI to a third party in a foreign country unless the DS has consented, or the transfer benefits the DS and it is impractical to obtain consent and the DS would likely give consent. Foreign country should have similar processing protection as POPI.
Minister’s Powers (Section 112(2)(f))
• The Minister has the power to create regulations regarding the manner and form within which the consent must be obtained or requested for direct marketing.
18. POPI and Notification
Notification to DS when collecting PI (Section 18)
•Notification to DS when collecting personal information
Security measures regarding information processed by operator (Section 21)
•The Operator must notify the RP immediately where there are reasonable grounds to believe that the personal information of a DS has been accessed or acquired by any unauthorised person
19. POPI and Notification
Notification of Compromises (Section 22)
•Where there are reasonable grounds to believe the personal information of a DS has been accessed or acquired by any unauthorised person, the RP must notify the Regulator and the DS
Correction of personal information (Section 24)
•The RP must notify a DS, who has made a request for correction or deletion of a record, of the action taken as a result of such request
20. POPI and Notification
Responsible party to notify Regulator if processing is subject to authorisation (Section 58)
• RP must notify and obtain prior authorisation from the Regulator for processing for the following:
• for a purpose other than the original purpose intended at collection
• with the aim of linking the information with information processed by other responsible parties
• process information on criminal behaviour
• process information for the purposes of credit reporting or
• transfer special PI or the PI of children to a third party in a foreign country that does not provide an adequate level of protection.
21. Giving Your PI Away
Shopping online
Subscribing or registering
Competitions, prizes, rewards
Online games and virtual worlds
Social Media
Online Browsing
Employment
Name, Surname
email address
telephone number
postal address
city
Education
credit card number
ID number
physical address
22. POPI for Business
Personal Information is your Business
Financial, Education, Transport, Gaming, Social Media, Advertising, Music, Telecoms, Credit, Sports, Mapping, Insurance, IT, Banking, Medical
23. POPI for Business
1 •POPI Strategy
2 •Appoint an Information Officer
3 •Privacy Policy
4 •Consider who the Data Subjects are
  •Limit the collection type and amount to the purpose
3 •Third party Transfer
4 •Cross-border transfer
5 •Direct Marketing Practices
6 •Special Personal Information
7 •Children’s Personal Information
8 •Directories
24. POPI for Business
Creating Business Process
•Obtain consent from DS to use PI for the specified purpose
•Network Security – integrity and safekeeping
•Limit access per business role
•Ensure that there are back-up and business continuity plans
•Access Security at all points
•Access to Information Procedure (correction, objections to processing, copy of records, third parties who access their PI)
•Procedures for updating details to ensure accuracy and completeness
•Ensure Records retention management (deletion or de-identification)
•Incident Management Process
25. POPI for Business
Well managed brand
Strengthens the brand
Conveys that the business understands its legal obligations to the client
Builds trust in the brand
26. POPI for Business
Privacy infringement
Loss of Intellectual Property
Defamation
Loss of sensitive information
Security compromise - issues of national security
Financial loss
POTENTIAL FOR LITIGATION
Brand Damage
28. PI & Cybercrime
Lloyd’s 2013 Risk Index Report
Cyber security has moved from 12th position to 3rd position as a global concern to business.
The 2013 Norton Report
South Africa has the third highest number of cybercrime victims, following Russia and China.
PwC’s Global State of Information Security Survey 2014
Reported a rise of 25% in security incidents with a 51% rise in spend on security. Overall, this makes up only 4% of the IT spend.
29. PI & Cybercrime
South Africa’s National Cyber Security Policy Framework was passed in March 2012
18 months later
Department of Communications appointed the National Cyber Security Advisor in October 2013
Goal
Co-ordinate government actions on cyber security and ensure co-operation between government, the private sector and civil society on addressing cyber threats
30. PI & Cybercrime
The Electronic Communications and Transactions Act 2002
9 years later
No cyber inspectors to enforce cyber security
Wolfpack Information Risk’s report – The South African Cyber Threat Barometer 2012/13
no national computer security incident response team
no national response team to co-ordinate a cyber defence strategy
Annual losses in 3 sectors = R2.65 billion
31. PI & Cybercrime
India
Sponsored training for 500 000 “cyber warriors”
South Korea
5000 cyber specialists are developed annually
United Kingdom
11 centres established for cyber skills development allied to the universities
South Africa
?