This document discusses key principles of data protection from South Africa's Protection of Personal Information Act (POPI), including lawful processing of personal information, consent requirements, and security safeguards. It emphasizes the responsibilities of data controllers and operators to protect personal data through transparency, proper purpose and retention of data, compliance with privacy policies, and implementing security measures. The document provides examples and guidance on how organizations can achieve POPI compliance.

1. A practical approach to data
protection
Protection of Personal Information Act Workshop
2014-09-18

2. Share your thoughts
You can find me on Twitter as @pauljacobson
2014-07-24
#POPIready

3. Useful links at http://j.mp/popiready

4. Key principles and themes

5. Lawful processing conditions
✤ Accountability!
✤ Purpose limitation!
✤ Purpose specification!
✤ Further processing limitation!
✤ Information quality!
✤ Openness!
✤ Security safeguards!
✤ Data subject participation

6. Conditions for lawful processing of
personal information *
* Subject to exceptions

7. Consent and data collection

8. Privacy in a digital world is complicated

9. “The very practice of privacy is all about control in a world in which we
fully know that we never have control. Our friends might betray us, our
spaces might be surveilled, our expectations might be shattered. But this
is why achieving privacy is desirable. People want to be *in* public, but
that doesn’t necessarily mean that they want to *be* public. There’s a
huge difference between the two. As a result of the destabilization of
social spaces, what’s shocking is how frequently teens have shifted from
trying to restrict access to content to trying to restrict access to meaning.
They get, at a gut level, that they can’t have control over who sees
what’s said, but they hope to instead have control over how that
information is interpreted. And thus, we see our collective imagination
of what’s private colliding smack into the notion of public. They are less
of a continuum and more of an entwined hairball, reshaping and
influencing each other in significant ways.”
– danah boyd writing in her article “What is Privacy?”

10. Consent, justification and objection
01

11. “… it seems to be a sensible approach to say that the scope of
a person’s privacy extends a fortiori only to those aspects in
regard to which a legitimate expectation of privacy can be
harboured.”
– Bernstein and Others v Bester NO and Others

12. Options
Consent
Legitimate interests
Contractual conclusion or performance

13. ‘‘consent’’ means any voluntary, specific and informed
expression of will in terms of which permission is given for
the processing of personal information

14. Example

16. Only where consent is required may a data
subject withdraw permission

17. “Legitimate interests” is vague, undefined
and, yet, a very interesting justification

18. “The processing is necessary for the purposes of legitimate
interests pursued by the data controller or by the third party
or parties to whom the data are disclosed, except where the
processing is unwarranted in any particular case by reason of
prejudice to the rights and freedoms or legitimate interests of
the data subject.”
– Section 6, Schedule 2, UK Data Protection Act

19. Still, the “Lawful processing of personal information
conditions” provide broad parameters and context for
“legitimate interests” arguments …

20. 01
Special personal information

21. ✤ Children’s personal information!
✤ Religious or philosophical beliefs*!
✤ Race or ethnic origin!
✤ Trade union membership*!
✤ Political persuasion!
✤ Health or sex life!
✤ Criminal behaviour or biometric information

22. Example

23. ‘‘child’’ means a natural person under the age of 18 years who is not
legally competent, without the assistance of a competent person, to
take any action or decision in respect of any matter concerning him-or
herself;

24. How transparent are you?

25. Write clear privacy statements

26. Examples

30. Privacy statement essentials
✤ What personal information do you collect?!
✤ What do you do with that personal information?!
✤ When may the personal information be disclosed and to
whom?!
✤ How long do you retain personal information, where do you
retain it and what are your safeguards?!
✤ How may a data subject interrogate your databases?

31. Example

33. “A responsible party must take reasonably practicable steps
to ensure that the personal information is complete, accurate,
not misleading and updated where necessary.”
– Section 16, the Protection of Personal Information Act

34. Do you facilitate meaningful access to
personal information you hold?

35. Example

37. Data processing

38. “Personal information may only be processed if, given the
purpose for which it is processed, it is adequate, relevant
and not excessive.”
– Section 10, the Protection of Personal Information Act

39. Purpose specification
“Personal information must be collected for a specific, explicitly
defined and lawful purpose related to a function or activity of
the responsible party”
Be transparent about the purpose

40. Examples

44. Further processing must align with the original purpose*
* There are exceptions too

45. Data integrity and retention

46. “… records of personal information must not be retained any
longer than is necessary for achieving the purpose for which
the information was collected or subsequently processed …”
– Section 13, Protection of Personal Information Act

47. Don’t lose sight of the bigger data
retention compliance picture
Electronic Communications
and Transactions Act
Protection of Personal
Information Act
Everything else

48. POPI places special emphasis on
security safeguards

49. “A responsible party must secure the integrity and
confidentiality of personal information in its possession or
under its control by taking appropriate, reasonable
technical and organisational measures …”
– Section 19, Protection of Personal Information Act

50. Examples

52. “A responsible party must, in terms of a written contract
between the responsible party and the operator, ensure that
the operator which processes personal information for the
responsible party establishes and maintains the security
measures referred to in section 19 …”
– Section 21, Protection of Personal Information Act

53. Identifying key risk areas

54. Helpful questions
How do you process personal information?
Are you the responsible party or the operator?
Is your reputation at risk and what could go wrong?

55. Do you engage in direct marketing?

56. Do you process personal information on your responsible
party customers’ behalf?

57. Be responsible, reduce reputational harm risk in the process

58. Transparent dealings with
stakeholders
2014 Heartbleed Bug
OpenSSL exploit came to light
Providers proactively contacted users
and recommended password changes

59. “The way to gain good reputation is to endeavor to be what
you desire to appear”
– Socrates

60. Implementation

61. What does your policy framework say you do?
What should your people be doing?
What are your people actually doing?

62. Communicate effectively
01
with your teams

63. 01
Document your processes and monitor compliance

64. Paul Jacobson 083 444 8260
webtechlaw.com/contact
Thank you for your time.
Please feel free to contact me if we can assist you or answer questions.