Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Protection of Personal Information Bill (POPI)


Published on

A short presentation that focuses on the proposed POPI law, how it impacts businesses, technology, IT depts & the cloud. It was based on a draft so some aspects may have changed.

Published in: Business, Technology
  • Be the first to comment

Protection of Personal Information Bill (POPI)

  1. 1. Protection of Personal Information Bill
  2. 2. Agenda  Going to cover most of the law  Purpose to give an overview and provide a starting point for further discussion and action  This is not about the Protection of State Information Bill aka “Secrecy Bill”
  3. 3. Disclaimer  I am not a lawyer (duh) – this is about a law – thus you should have a lawyer check and work with you on this.  We are talking about a bill, not an act.  Not covered:  The legal aspects about the regulator and information protection officers.  Code of conduct aspects.  Unsolicited Electronic Communications aspects.
  4. 4. Goal of the bill To promote the protection of personal information processed by public and private bodies; to introduce information protection principles so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
  5. 5. One Page View CollectInformation Must collect direct from person Some exclusion apply ProcessInformation Process means anything Some limits on what you can process Retention Keep for as short a time as possible Deletion Delete so it is not recoverable Security Reasonable security steps must be taken DataSubjectParticipation You can find out who has your data You can change your data Notification Notification must be given if there is loss or damage to data Enforcement Punishments
  6. 6. Timelines  Section 14 of the Constitution: Every has a right to privacy  Bill created in 2009  Seven drafts to date  Expected to be enacted in three to six months1  Companies will have between six and twelve months to put the law into place. 1. Webber Wentzel Attorneys:;
  7. 7. Who this applies to  This is aimed at protecting the information of all citizens of the country – so you!  Any company that processes or outsources data to third parties needs to comply with it.  As all organisations have information on staff, share holders etc… this means all businesses are affected.
  8. 8. Who it doesn’t apply to  is non-commercial, and non-governmental or related to household activities;  has been de-identified to the extent that it cannot be re-identified again;  is held by or on behalf of a public body, which involves national security or deals with the identification of the proceeds of unlawful activities and the combating of money laundering activities;  is created exclusively for journalistic purposes.
  9. 9. What does it apply to? ‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as blocking, degradation, erasure or destruction of information;
  10. 10. Processing Limitations  Must process lawfully  Minimal set of data  Relevant data only  Give the purpose  Consent must be given  Required for the conclusion or performance of the contract  You may opt out, at any time, and the processing must stop
  11. 11. Impact on the cloud?  Applies to all people & companies that are within South Africa and  Applies to all people & companies that have systems that do processing in South Africa  There is additional consent need to store & process data outside of the borders of the country
  12. 12. Collecting Information has implications to further processing  Must be collected directly from the data subject  Except  It is in a public record already  The data subject has consented to collection from a third party  Collection from a third party without consent, where it would not prejudice the data subject  Collection from a third party without consent where it is required  For example getting a criminal record from the police
  13. 13. Retention  Kept only for the processing  Can be kept for longer if  Required by law  Required for functions/activities  Agreed to in contract  Historical, statistical or research provided appropriate safe guards
  14. 14. Retention for Decision Making  Data must be retained for as long as the law says  If there is not law, for a reasonable period  This is so that access requests can be fulfilled
  15. 15. Destruction of Data  Data must be destroyed ASAP  Data must be destroyed in such a way it cannot be reconstructed
  16. 16. Security Measures  Reasonable technical & organisational measures to prevent  Loss of & damage to data  Unlawful access  What do you need to do  Identify all risks (internal & external)  Maintain & regularly validate safe guards  Follow generally accepted information security practices
  17. 17. Notification of security compromises  Must notify the regulator  Must notify the data subject  Must be done ASAP, except if instructured by SAPS, NIA or regulator to delay  Notification must be done in one of the following ways  Mailed to physical or postal address  Emailed  Placed on the web site  Published in the news media  As directed by the regulator  Notification must contain enough information for the data subject to take protective measures  Must, if known, contain the identity of the unauthorised person
  18. 18. Data Subject Participation  A data subject, having provided adequate proof of identify, can request, free of charge, if a company has information on them.  A data subject, having provided adequate proof of identify, can request what the information is & who it has been provided to.  Reasonable cost can be applied but an estimate must be given first.  Parts can be denied – requires compliance with grounds set out in PIPA
  19. 19. Data Modification  A data subject can request the data to be changed or deleted  The reasonable party must comply with it, and provide evidence of it.
  20. 20. You may not process parts of information if they relate to  Children  data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.  There are reasonable exceptions for example  Religion: If the information is being processed by an organisation and the data relates to belonging to that organisation. For example religious information & churches  Health: if the organisation is an insurance or medical organisation
  21. 21. Notification  The regulator must be notified prior to initial processing, must include  Name & address of who is using the data  Purpose  Description of data collected  Who the data will be supplied to  If it will leave South Africa  Description of security measure
  22. 22. Enforcement  Process: Complaint  Decision of Action  Investigation  Assessment  Enforcement Notice  Appeal  Can issue warrants and do search & seizure  Offences: Obstruction, breach of confidentiality, failure to comply  Penal sanctions: Imprisonment (up to 10 years) and/or fine  Fine: R 10 million1  Civil action can also be taken 1. Webber Wentzel Attorneys:
  23. 23. Impact on other laws Amendments & Repeals to  Promotion of Access to Information Act, 2000  ECT Act, 2002  National Credit Act, 2005
  24. 24. Examples  Blackberry with company information left on train & does not have a pin. The company is at fault. 1  Outsourced company doing storage of backups and loses the backup medium. The backups contain customer information. The backup is not encrypted. The company is at fault. 2 1. Webber Wentzel Attorneys:; 2. Webber Wentzel Attorneys:
  25. 25. KPMG Cheat Sheet  From: of-Personal-Information-Bill/Pages/default.aspx  Broken down into the eight principals and has a number of easy to answer questions about an organisation that can help comply.
  26. 26. Shorten List  Have someone accountable in the organisation for the management of data, data information policies & managing communication in this regard  Have a document of data we collect  Detail how & why it was collected, if further processing is needed and when it will be destroyed  Include the why on the documents we use  Educate staff on this  Ensure we have security risk assessments for the data and that reasonable security is in place in all areas  Ensure people have a way to access & update their information