SlideShare a Scribd company logo

Clyrofor popia readiness webinar

Download as PPTX, PDF
L
Lesedi Mnisi

Clyrofor webinar series consists of several webinar sessions, brought together by highlighting various Cyber Security topics and hosting sessions through out the year on a quarterly basis. the POPIA Readiness Webinar session was our very first kick off session, where we had our guest Speaker Mr Nemasisi (Executive: PAIA) give us a brief break down of the POPI act and it's requirements. This slide gives clear details on what was discussed during our webinar session.

Technology
1 of 38
CLYROFOR POPIA Readiness Webinar Presented by: Mr. N Nemasisi- Executive: PAIA Mr. ML Makhubela- Senior Manager- POPIA Date: 23 April 2021 1 1
ROLES AND RESPONSIBILITIES OF THE INFORMATION REGULATOR The Regulator is established in terms of Section 39 of the Protection of Personal Information Act No.4 of 2013 (POPIA), which enjoins the Regulator to be independent and impartial, and to perform its functions and exercise its powers without fear, favour or prejudice. As an independent institution that is accountable to the National Assembly, subject only to the Constitution and the law, the decisions of the Regulator can only be reviewed by a Court of law. 2 2
CONT. • The Regulator consists of five (5) members, namely the Chairperson and four ordinary members (Members) who are appointed by the President on the recommendation of the National Assembly for a period of five years, which is renewable. • The Chairperson and two (2) ordinary members are full time and the other two (2) ordinary members are part-time. • One (1) full time ordinary member is designated for POPIA and the other for PAIA. 3 3
CONT. • The current Members took office on 1 December 2016 and their five (5) year term ends in November 2021 with the exception of one (1) Member who joined the Regulator on 01 December 2020 after the resignation of one part time member. 4 4
MANDATE OF THE REGULATOR The Regulator has a wide mandate which is provided for in section 40 of POPIA. Its mandate includes the following: - to provide education; - to monitor and enforce compliance; - to consult with interested parties; - to handle complaints; - to conduct research and to report to Parliament; 5 5
CONT. - to issue, amend or revoke codes of conduct; - to make guidelines to assist bodies to develop or apply for codes of conduct; and - to facilitate cross- border cooperation in the enforcement of privacy laws. 6 6
PURPOSE OF POPIA (section 2) • Give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at: “balancing the right to privacy against other rights, particularly the right of access to information; and protecting important interests, including the free flow of information within the Republic and across international borders”. 7 7
CONT. • Regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information; • Provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and • Establish voluntary and compulsory measures, including the establishment of a Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act... 8 8
APPLICATION OF POPIA ( section 3) • POPIA applies to the processing of personal information entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when recorded personal information is processed by non- automated means, it forms part of a filing system or is intended to form part thereof. • POPIA takes precedence over other laws that regulates processing of personal information – materially inconsistent with POPIA. 9 9
CONT. • POPIA does not prevent a public or private body from exercising its powers. •10 10
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION 29 11
CONT. 12 11
Eight Conditions of Lawful Processing • Responsible party must ensure compliance with the conditions for lawful processing. Accountability • PI must be processed lawfully, in a reasonable manner that does not infringe the privacy of the data subject. • Minimality- adequate, relevant and not excessive. Consent, justification and objection;Collection directly from data subject Processing Limitation • Collection for a specific purpose; retention and restriction of records; records must not be retained for a period longer than for the initial purpose. • Exemptions: record required by law, historical, statistical , research. Destroy /De-Identify a record once purpose is attained. Purpose Specification 13
CONT. 14 12 • Further processing must be compatible with the purpose of collection failing which consent must be obtained, further processing is necessary for the maintenance of the law, comply with an obligation imposed by law, conduct of court proceedings, in the interests of national security, prevent or mitigate a serious and imminent threat historical, research, statistical purposes Further Processing Limitation • Personal information must be complete, accurate, not misleading and updated. Information Quality • Responsible party must maintain records, Notification to data subject when collecting personal information Openness
CONT. 15 13
REGULATOR’S STATE OF READINESS • On 1 July 2021 all responsible parties must ensure that all processing of personal information complies with POPIA. The enforcement powers of the Regulator will come into effect on this date. • On 30 June 2021, the Regulator will be responsible for the promotion and enforcement of the rights protected by PAIA. This function is currently performed by the South African Human Rights Commission ( SAHRC). 16 16
CONT. • On 1 July 2021 section 58(2) of POPIA shall become applicable to the processing of personal information referred to in section 57 of POPIA (processing subject to prior authorisation). • Guidance Note on Information Officers and Deputy Information Officers, 01 Apr 2021 • Guidance Note on applications for Prior Authorisation, 11 Mar 2021; • Guidelines to develop Code of Conduct, 15 Feb 2021. 17 17
CONT. • Regulations made by the Regulator in terms of section 112(2) of POPIA has or will come into operation as follows: - Regulation 5 (application for issuing a code of conduct) came into effect on 1 March 2021; - Regulation 4 (responsibilities of Information Officers) will come into effect on 1 May 2021; and - Residual regulations will come into effect on 1 July 2021. 18 18
INFORMATION OFFICERS AND DEPUTY INFORMATION OFFICERS (SECTIONS 55 AND 56) • In terms of both PAIA and POPIA, the CEO or head of the each public and private body is by default an information officer and he or she may designate or delegate a deputy information officer. This is an appointment by operation of law, in terms of which the CEO, DG, HOD of equivalent officers are automatically information officers. • An Information Officer must be registered by the Responsible party with the Regulator. 19 19
DUTIES AND RESPONSIBILITIES OF INFORMATION OFFICERS • Encouragement of compliance with the conditions for the lawful processing of personal information; • Dealing with requests made to the body pursuant to POPIA; • Working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body; 20 20
CONT • Otherwise ensuring compliance by the body with the provisions of POPIA; • Ensure that a compliance framework is developed, implemented, monitored and maintained; • Ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information; 21 21
CONT • Ensure that a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the PAIA; • Ensure that internal measures are developed together with adequate systems to process requests for information or access thereto; • Ensure that internal awareness sessions are conducted regarding POPIA, its regulations, codes of conduct; and • Information Officers must take up their duties only after the responsible party has registered them with the Regulator. 22 22
DESIGNATION AND DELEGATION OF DEPUTY INFORMATION OFFICERS • Each public and private body must make provision, in the manner prescribed in section 17 of PAIA, for the designation of such number of persons, if any, as deputy information officers to perform the duties stipulated in section 55(1) of POPIA, POPIA Regulations or any power or duty conferred or imposed on an Information Officer by POPIA to an information officer of that public or private body. • The Regulator had published a Guidance Note on Information Officers and Deputy Information Officers. 23 23
GUIDELINES ON DEVELOPING CODES OF CONDUCT ( Section 60-68) • POPIA empowers the Regulator from time to time to issue, amend and revoke codes; to prepare written guidelines that would assist bodies to develop or to apply codes; to approve codes; and to consider afresh, upon application the determinations by adjudicators under approved codes; • The purpose of a code is to establish a voluntarily accountability tool and to promote transparency for relevant bodies on how personal information should be processed. Codes do not replace the relevant provisions in POPIA, but operate in support of the requirements in POPIA; 24 24
CONT. A code of conduct cannot limit a data subjects right to privacy, as provided for in POPIA; • The relevant bodies bound by an issued or approved code of conduct must not perform an act or engage in a practice that breaches the approved code; • A breach of an approved code is deemed to be a breach of the conditions for the lawful processing of personal information referred to in Chapter 3 and shall be dealt with in terms of Chapter 10 of POPIA; and 25 25
CONT. • The reason for developing a code may include: - providing clarity on how the conditions for lawful processing of personal information are to be applied and complied with given the particular features of a relevant body; - providing a functional equivalent means of fulfilling the obligations related to the conditions for the lawful processing of personal information; - promoting an organisational paradigm shift change in a relevant body relating to the lawful processing of personal information; 26 26
CONT. - stipulating conditions for the lawful processing of personal information for specified information or classes of information; - stipulating conditions for the lawful processing of personal information for any specified activity or class of activity; - outlining rules and procedures for information matching programmes if such programmes are used within a specific sector; 27 27
CONT. - outlining how the legitimate interests of data subjects are to be protected insofar as automated decision making affect them; - enabling the review of a code by the Regulator; - providing details regarding the expiry of a code; and - providing a procedure of dealing with complaints. 28 28
Enforcement Section 57 (1) of POPIA provides that a responsible party must obtain prior authorisation from the Regulator, (only once, except where the processing departs from that which has been authorised) prior to any processing if that responsible party plans to- • process any unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection; and with the aim of linking the information together with information processed by other responsible parties; PRIOR AUTHORISATION 30 29
Enforcement • process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties; • process information for the purposes of credit reporting; or • transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information. CONT. 31 30
Enforcement • Please also note that, in accordance with section 57(2) of POPIA, the Regulator may, from time to time and if necessary, prescribe categories or types of information processing that is subject to prior authorization, if it considers that such processing carries a particular risk for the legitimate interests of the data subject. The requirement of prior authorisation is not applicable if a code of conduct has been issued and is in operation. CONT. 32 31
Enforcement • Unless a Code of Conduct has been issued by the Regulator and has come into force in a specific sector/ industry in which the responsible party operates, the responsible party who is currently processing or intends to process the personal information of data subjects which is subject to prior authorisation must submit their applications prior to processing or any further processing. • Application form for Prior Authorisation and Guidance Note on Prior Authorisation may be downloaded from the Regulator’s website. CONT. 33 32
Enforcement What are the prescribed timeframes for finalising the application for prior authorisation? • The Regulator may approve or reject an application for prior authorisation within four (4) weeks of receipt of prior authorisation application, unless the Regulator decides to conduct a detailed investigation. • In the event that the Regulator decides to conduct a more detailed investigation, the Regulator will inform the responsible party in writing of the reasonable period within which it plans to finalise a detailed investigation, which period will not exceed thirteen (13) weeks. CONT. 34 33
Enforcement • On conclusion of the more detailed investigation, the Regulator will issue a statement or report about the lawfulness of the information processing. If a statement or report conclude that the information processing is not lawful, such report or statement shall be deemed to be an enforcement notice served in terms of section 95 of POPIA. CONT. 35 34
CONT. • However, if the Regulator fails to finalise the application within the prescribed period of 13 weeks, the responsible party may presume a decision in its favour and continue with its processing. This presumption is rebuttable, meaning that should the Regulator finds that information processing is unlawful, the responsible party will have to comply with its directive as contained in the statement or report. 36 35
CHALLENGES • Functionally, the Regulator operates independently but administratively it still uses the policies and systems of the Department of Justice and Constitutional Development. • Lack adequate resources to establish the administrative capacity of the Regulator. • Lack of adequate resources for the effective execution of the broad mandate of the Regulator. • Lack of critical mass of experts in POPIA in the country. 37 36
CONCLUSION List of Guidance Notes the Regulator will be issuing before 30 June 2021- • Guidance Note on Exclusions from POPIA • Guidance Note on Exemption from the conditions for lawful processing of personal information; • Guidance Note on notification of security compromises or breaches; • Guidance Note on processing of personal information across- borders; • Guidance Note on direct marketing; and • Guidance Note on application to process special personal information and personal information of children. 38 37
TAKE CONTROL OF YOUR PRIVACY INFORMATION REGULATOR 39 38

Recommended

Protection of Personal Information
Protection of Personal InformationProtection of Personal Information
Protection of Personal InformationFrancois Naude Jr.
 
Werksmans presentations on popi
Werksmans presentations on popiWerksmans presentations on popi
Werksmans presentations on popiWerksmans Attorneys
 
The Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCMThe Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCMMyron Duncan Burton Betshanger
 
The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013Myron Duncan Burton Betshanger
 
Popi act presentation
Popi act presentationPopi act presentation
Popi act presentationKholisile Mazaza
 
Privacy and Data Protection in South Africa
Privacy and Data Protection in South AfricaPrivacy and Data Protection in South Africa
Privacy and Data Protection in South Africablogzilla
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Werksmans Attorneys
 
Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Werksmans Attorneys
 

Recommended

Protection of Personal Information
Protection of Personal InformationProtection of Personal Information
Protection of Personal InformationFrancois Naude Jr.
 
Werksmans presentations on popi
Werksmans presentations on popiWerksmans presentations on popi
Werksmans presentations on popiWerksmans Attorneys
 
The Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCMThe Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCMMyron Duncan Burton Betshanger
 
The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013Myron Duncan Burton Betshanger
 
Popi act presentation
Popi act presentationPopi act presentation
Popi act presentationKholisile Mazaza
 
Privacy and Data Protection in South Africa
Privacy and Data Protection in South AfricaPrivacy and Data Protection in South Africa
Privacy and Data Protection in South Africablogzilla
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Werksmans Attorneys
 
Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Werksmans Attorneys
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
CEU DPA
CEU DPACEU DPA
CEU DPABERBERGRACEMARJORIE
 
Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Werksmans Attorneys
 
Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentationKittelson & Carpo Consulting
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Robert MacLean
 
Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)Jason Haislmaier
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Jay Castillo
 
POPI
POPI POPI
POPI POPI ACT Protection of Personal Info
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Kirk Go
 
FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information) FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information) Philippine Press Institute
 
Data privacy act
Data privacy actData privacy act
Data privacy actansherina erika dejan
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Safety And Security Of Data 4
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4Wynthorpe
 
POPI Seminar FINAL
POPI Seminar FINALPOPI Seminar FINAL
POPI Seminar FINALImraan Kharwa
 
The Protection of Personal Information Act: A Presentation
The Protection of Personal Information Act: A PresentationThe Protection of Personal Information Act: A Presentation
The Protection of Personal Information Act: A PresentationEndcode_org
 
POPI Act compliance presentation
POPI Act compliance presentationPOPI Act compliance presentation
POPI Act compliance presentationOvationsGroup
 
POPI Update 2013
POPI Update 2013POPI Update 2013
POPI Update 2013Contact Centre Management Group
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesjo bitonio
 
Privacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarPrivacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarLance Michalson
 
Overview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawOverview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawFatmaAkram2
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017CloudWATCH Consortium
 
Ppt
PptPpt
PptGareth Badrian
 

More Related Content

What's hot

Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Werksmans Attorneys
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Robert MacLean
 
Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)Jason Haislmaier
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Jay Castillo
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Kirk Go
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Safety And Security Of Data 4
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4Wynthorpe
 
The Protection of Personal Information Act: A Presentation
The Protection of Personal Information Act: A PresentationThe Protection of Personal Information Act: A Presentation
The Protection of Personal Information Act: A PresentationEndcode_org
 
POPI Act compliance presentation
POPI Act compliance presentationPOPI Act compliance presentation
POPI Act compliance presentationOvationsGroup
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesjo bitonio
 
Privacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarPrivacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarLance Michalson
 

What's hot (19)

Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the Philippines
 
CEU DPA
CEU DPACEU DPA
CEU DPA
 
Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...
 
Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentation
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)
 
Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
 
POPI
POPI POPI
POPI
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)
 
FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information) FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information)
 
Data privacy act
Data privacy actData privacy act
Data privacy act
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Act
 
Safety And Security Of Data 4
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4
 
POPI Seminar FINAL
POPI Seminar FINALPOPI Seminar FINAL
POPI Seminar FINAL
 
The Protection of Personal Information Act: A Presentation
The Protection of Personal Information Act: A PresentationThe Protection of Personal Information Act: A Presentation
The Protection of Personal Information Act: A Presentation
 
POPI Act compliance presentation
POPI Act compliance presentationPOPI Act compliance presentation
POPI Act compliance presentation
 
POPI Update 2013
POPI Update 2013POPI Update 2013
POPI Update 2013
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperatives
 
Privacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarPrivacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminar
 

Similar to Clyrofor popia readiness webinar

Overview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawOverview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawFatmaAkram2
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017CloudWATCH Consortium
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")Parsons Behle & Latimer
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018ProColombia
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataRenato Monteiro
 
PDPA Compliance Preparation
PDPA Compliance PreparationPDPA Compliance Preparation
PDPA Compliance PreparationLawPlus Ltd.
 
Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson - Administrative and public law - October 2017Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson - Administrative and public law - October 2017Browne Jacobson LLP
 
Lorson Resources Limited - Records & Information Presentation: Data Protectio...
Lorson Resources Limited - Records & Information Presentation: Data Protectio...Lorson Resources Limited - Records & Information Presentation: Data Protectio...
Lorson Resources Limited - Records & Information Presentation: Data Protectio...Lorson Resources Limited
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityEmerson Bryan
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020Christo W. Meyer
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management Endcode_org
 
Duites and Responsibilities of Public Information Officer under the Right To ...
Duites and Responsibilities of Public Information Officer under the Right To ...Duites and Responsibilities of Public Information Officer under the Right To ...
Duites and Responsibilities of Public Information Officer under the Right To ...ParthSagdeo2
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
Freedom of Information and Data Protection
Freedom of Information and Data ProtectionFreedom of Information and Data Protection
Freedom of Information and Data ProtectionEquiGov Institute
 

Similar to Clyrofor popia readiness webinar (20)

Overview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawOverview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection Law
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
 
Ppt
PptPpt
Ppt
 
China-PIPL.pdf
China-PIPL.pdfChina-PIPL.pdf
China-PIPL.pdf
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
 
PDPA Compliance Preparation
PDPA Compliance PreparationPDPA Compliance Preparation
PDPA Compliance Preparation
 
Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson - Administrative and public law - October 2017Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson - Administrative and public law - October 2017
 
Lorson Resources Limited - Records & Information Presentation: Data Protectio...
Lorson Resources Limited - Records & Information Presentation: Data Protectio...Lorson Resources Limited - Records & Information Presentation: Data Protectio...
Lorson Resources Limited - Records & Information Presentation: Data Protectio...
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislation
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdf
 
2
22
2
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020
 
RTI-20210906114526.ppt
RTI-20210906114526.pptRTI-20210906114526.ppt
RTI-20210906114526.ppt
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management
 
Duites and Responsibilities of Public Information Officer under the Right To ...
Duites and Responsibilities of Public Information Officer under the Right To ...Duites and Responsibilities of Public Information Officer under the Right To ...
Duites and Responsibilities of Public Information Officer under the Right To ...
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdf
 
Freedom of Information and Data Protection
Freedom of Information and Data ProtectionFreedom of Information and Data Protection
Freedom of Information and Data Protection
 

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Clyrofor popia readiness webinar

  • 1. CLYROFOR POPIA Readiness Webinar Presented by: Mr. N Nemasisi- Executive: PAIA Mr. ML Makhubela- Senior Manager- POPIA Date: 23 April 2021 1 1
  • 2. ROLES AND RESPONSIBILITIES OF THE INFORMATION REGULATOR The Regulator is established in terms of Section 39 of the Protection of Personal Information Act No.4 of 2013 (POPIA), which enjoins the Regulator to be independent and impartial, and to perform its functions and exercise its powers without fear, favour or prejudice. As an independent institution that is accountable to the National Assembly, subject only to the Constitution and the law, the decisions of the Regulator can only be reviewed by a Court of law. 2 2
  • 3. CONT. • The Regulator consists of five (5) members, namely the Chairperson and four ordinary members (Members) who are appointed by the President on the recommendation of the National Assembly for a period of five years, which is renewable. • The Chairperson and two (2) ordinary members are full time and the other two (2) ordinary members are part-time. • One (1) full time ordinary member is designated for POPIA and the other for PAIA. 3 3
  • 4. CONT. • The current Members took office on 1 December 2016 and their five (5) year term ends in November 2021 with the exception of one (1) Member who joined the Regulator on 01 December 2020 after the resignation of one part time member. 4 4
  • 5. MANDATE OF THE REGULATOR The Regulator has a wide mandate which is provided for in section 40 of POPIA. Its mandate includes the following: - to provide education; - to monitor and enforce compliance; - to consult with interested parties; - to handle complaints; - to conduct research and to report to Parliament; 5 5
  • 6. CONT. - to issue, amend or revoke codes of conduct; - to make guidelines to assist bodies to develop or apply for codes of conduct; and - to facilitate cross- border cooperation in the enforcement of privacy laws. 6 6
  • 7. PURPOSE OF POPIA (section 2) • Give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at: “balancing the right to privacy against other rights, particularly the right of access to information; and protecting important interests, including the free flow of information within the Republic and across international borders”. 7 7
  • 8. CONT. • Regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information; • Provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and • Establish voluntary and compulsory measures, including the establishment of a Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act... 8 8
  • 9. APPLICATION OF POPIA ( section 3) • POPIA applies to the processing of personal information entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when recorded personal information is processed by non- automated means, it forms part of a filing system or is intended to form part thereof. • POPIA takes precedence over other laws that regulates processing of personal information – materially inconsistent with POPIA. 9 9
  • 10. CONT. • POPIA does not prevent a public or private body from exercising its powers. •10 10
  • 11. CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION 29 11
  • 13. Eight Conditions of Lawful Processing • Responsible party must ensure compliance with the conditions for lawful processing. Accountability • PI must be processed lawfully, in a reasonable manner that does not infringe the privacy of the data subject. • Minimality- adequate, relevant and not excessive. Consent, justification and objection;Collection directly from data subject Processing Limitation • Collection for a specific purpose; retention and restriction of records; records must not be retained for a period longer than for the initial purpose. • Exemptions: record required by law, historical, statistical , research. Destroy /De-Identify a record once purpose is attained. Purpose Specification 13
  • 14. CONT. 14 12 • Further processing must be compatible with the purpose of collection failing which consent must be obtained, further processing is necessary for the maintenance of the law, comply with an obligation imposed by law, conduct of court proceedings, in the interests of national security, prevent or mitigate a serious and imminent threat historical, research, statistical purposes Further Processing Limitation • Personal information must be complete, accurate, not misleading and updated. Information Quality • Responsible party must maintain records, Notification to data subject when collecting personal information Openness
  • 16. REGULATOR’S STATE OF READINESS • On 1 July 2021 all responsible parties must ensure that all processing of personal information complies with POPIA. The enforcement powers of the Regulator will come into effect on this date. • On 30 June 2021, the Regulator will be responsible for the promotion and enforcement of the rights protected by PAIA. This function is currently performed by the South African Human Rights Commission ( SAHRC). 16 16
  • 17. CONT. • On 1 July 2021 section 58(2) of POPIA shall become applicable to the processing of personal information referred to in section 57 of POPIA (processing subject to prior authorisation). • Guidance Note on Information Officers and Deputy Information Officers, 01 Apr 2021 • Guidance Note on applications for Prior Authorisation, 11 Mar 2021; • Guidelines to develop Code of Conduct, 15 Feb 2021. 17 17
  • 18. CONT. • Regulations made by the Regulator in terms of section 112(2) of POPIA has or will come into operation as follows: - Regulation 5 (application for issuing a code of conduct) came into effect on 1 March 2021; - Regulation 4 (responsibilities of Information Officers) will come into effect on 1 May 2021; and - Residual regulations will come into effect on 1 July 2021. 18 18
  • 19. INFORMATION OFFICERS AND DEPUTY INFORMATION OFFICERS (SECTIONS 55 AND 56) • In terms of both PAIA and POPIA, the CEO or head of the each public and private body is by default an information officer and he or she may designate or delegate a deputy information officer. This is an appointment by operation of law, in terms of which the CEO, DG, HOD of equivalent officers are automatically information officers. • An Information Officer must be registered by the Responsible party with the Regulator. 19 19
  • 20. DUTIES AND RESPONSIBILITIES OF INFORMATION OFFICERS • Encouragement of compliance with the conditions for the lawful processing of personal information; • Dealing with requests made to the body pursuant to POPIA; • Working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body; 20 20
  • 21. CONT • Otherwise ensuring compliance by the body with the provisions of POPIA; • Ensure that a compliance framework is developed, implemented, monitored and maintained; • Ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information; 21 21
  • 22. CONT • Ensure that a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the PAIA; • Ensure that internal measures are developed together with adequate systems to process requests for information or access thereto; • Ensure that internal awareness sessions are conducted regarding POPIA, its regulations, codes of conduct; and • Information Officers must take up their duties only after the responsible party has registered them with the Regulator. 22 22
  • 23. DESIGNATION AND DELEGATION OF DEPUTY INFORMATION OFFICERS • Each public and private body must make provision, in the manner prescribed in section 17 of PAIA, for the designation of such number of persons, if any, as deputy information officers to perform the duties stipulated in section 55(1) of POPIA, POPIA Regulations or any power or duty conferred or imposed on an Information Officer by POPIA to an information officer of that public or private body. • The Regulator had published a Guidance Note on Information Officers and Deputy Information Officers. 23 23
  • 24. GUIDELINES ON DEVELOPING CODES OF CONDUCT ( Section 60-68) • POPIA empowers the Regulator from time to time to issue, amend and revoke codes; to prepare written guidelines that would assist bodies to develop or to apply codes; to approve codes; and to consider afresh, upon application the determinations by adjudicators under approved codes; • The purpose of a code is to establish a voluntarily accountability tool and to promote transparency for relevant bodies on how personal information should be processed. Codes do not replace the relevant provisions in POPIA, but operate in support of the requirements in POPIA; 24 24
  • 25. CONT. A code of conduct cannot limit a data subjects right to privacy, as provided for in POPIA; • The relevant bodies bound by an issued or approved code of conduct must not perform an act or engage in a practice that breaches the approved code; • A breach of an approved code is deemed to be a breach of the conditions for the lawful processing of personal information referred to in Chapter 3 and shall be dealt with in terms of Chapter 10 of POPIA; and 25 25
  • 26. CONT. • The reason for developing a code may include: - providing clarity on how the conditions for lawful processing of personal information are to be applied and complied with given the particular features of a relevant body; - providing a functional equivalent means of fulfilling the obligations related to the conditions for the lawful processing of personal information; - promoting an organisational paradigm shift change in a relevant body relating to the lawful processing of personal information; 26 26
  • 27. CONT. - stipulating conditions for the lawful processing of personal information for specified information or classes of information; - stipulating conditions for the lawful processing of personal information for any specified activity or class of activity; - outlining rules and procedures for information matching programmes if such programmes are used within a specific sector; 27 27
  • 28. CONT. - outlining how the legitimate interests of data subjects are to be protected insofar as automated decision making affect them; - enabling the review of a code by the Regulator; - providing details regarding the expiry of a code; and - providing a procedure of dealing with complaints. 28 28
  • 29. Enforcement Section 57 (1) of POPIA provides that a responsible party must obtain prior authorisation from the Regulator, (only once, except where the processing departs from that which has been authorised) prior to any processing if that responsible party plans to- • process any unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection; and with the aim of linking the information together with information processed by other responsible parties; PRIOR AUTHORISATION 30 29
  • 30. Enforcement • process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties; • process information for the purposes of credit reporting; or • transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information. CONT. 31 30
  • 31. Enforcement • Please also note that, in accordance with section 57(2) of POPIA, the Regulator may, from time to time and if necessary, prescribe categories or types of information processing that is subject to prior authorization, if it considers that such processing carries a particular risk for the legitimate interests of the data subject. The requirement of prior authorisation is not applicable if a code of conduct has been issued and is in operation. CONT. 32 31
  • 32. Enforcement • Unless a Code of Conduct has been issued by the Regulator and has come into force in a specific sector/ industry in which the responsible party operates, the responsible party who is currently processing or intends to process the personal information of data subjects which is subject to prior authorisation must submit their applications prior to processing or any further processing. • Application form for Prior Authorisation and Guidance Note on Prior Authorisation may be downloaded from the Regulator’s website. CONT. 33 32
  • 33. Enforcement What are the prescribed timeframes for finalising the application for prior authorisation? • The Regulator may approve or reject an application for prior authorisation within four (4) weeks of receipt of prior authorisation application, unless the Regulator decides to conduct a detailed investigation. • In the event that the Regulator decides to conduct a more detailed investigation, the Regulator will inform the responsible party in writing of the reasonable period within which it plans to finalise a detailed investigation, which period will not exceed thirteen (13) weeks. CONT. 34 33
  • 34. Enforcement • On conclusion of the more detailed investigation, the Regulator will issue a statement or report about the lawfulness of the information processing. If a statement or report conclude that the information processing is not lawful, such report or statement shall be deemed to be an enforcement notice served in terms of section 95 of POPIA. CONT. 35 34
  • 35. CONT. • However, if the Regulator fails to finalise the application within the prescribed period of 13 weeks, the responsible party may presume a decision in its favour and continue with its processing. This presumption is rebuttable, meaning that should the Regulator finds that information processing is unlawful, the responsible party will have to comply with its directive as contained in the statement or report. 36 35
  • 36. CHALLENGES • Functionally, the Regulator operates independently but administratively it still uses the policies and systems of the Department of Justice and Constitutional Development. • Lack adequate resources to establish the administrative capacity of the Regulator. • Lack of adequate resources for the effective execution of the broad mandate of the Regulator. • Lack of critical mass of experts in POPIA in the country. 37 36
  • 37. CONCLUSION List of Guidance Notes the Regulator will be issuing before 30 June 2021- • Guidance Note on Exclusions from POPIA • Guidance Note on Exemption from the conditions for lawful processing of personal information; • Guidance Note on notification of security compromises or breaches; • Guidance Note on processing of personal information across- borders; • Guidance Note on direct marketing; and • Guidance Note on application to process special personal information and personal information of children. 38 37
  • 38. TAKE CONTROL OF YOUR PRIVACY INFORMATION REGULATOR 39 38