This document provides an overview of privacy and data protection laws that organizations must comply with. It notes that boards have a duty under King III to ensure compliance with relevant IT laws. All organizations should be aware of applicable privacy laws and ensure training programs cover these laws. Key roles like the CIO, CRO, and legal teams need awareness of privacy obligations. The document lists some relevant South African laws and provides contact information for an ICT lawyer who can help organizations understand how to apply these laws.

1. Be aware of the Privacy and Protection of Personal Information (PPI) laws that apply to your organisation John Giles ICT lawyer john@michalsons.com 083 322 2445 t. 086 011 1245 skype. johngiles www.OnlineLegal.co.za www.MichalsonsAttorneys.com

2. Thank you

3. The goal today

4. King III

5. What must your organisation comply with? “the board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.“

6. Ignorance of the law is no excuse You should have a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business. The induction and ongoing training programmes should incorporate an overview of and any changes to applicable laws, rules, codes and standards. You should sufficiently familiariseyourself with the general content of applicable laws, rules, codes and standards to discharge your legal duties. You should understand the context of the law, and how other applicable laws interact with it.

7. Who needs to be aware? CAE CRO Legal CO CIO

8. Impossible Task?

9. Overwhelmed?

10. The benefits of being aware?

11. FinlandPersonal DP Act In force 1 June 1999 NorwayPersonal D Reg Act In force 14 April 2000 DenmarkAct on Processing f PD In force 1 July 2000 SwedenPersonal Data Act In force 24 October 1998 Ireland*- Bill to be approved BelgiumData Protection Act In force 1 Sep 2001 United KingdomData ProtectionAct In force 1 March 2000 Germany*- Bill to be approved Luxembourg* - Bill to be approved AustriaData Protection Act In force 1 January 2000 NetherlandsPersonal DP Act In force June 2001 CanadaPIP&ED Act Commenced 1 Jan 2001 ItalyData Protection Act In force 8 May 2000 MexicoeCommerce Act In force 7 June 2000 France*- Bill to be approved United States (Federal)CPP Act 1984 VPP Act 1988 COPP Act 1998 In force 21 April 2000 HIPA Act In force 14 April 2001 GLB Act In force 1 July 2001 ‘General’ Act In consideration SpainData Protection Act In force 14 January 2000 AustraliaPrivacy Act In force 21 Dec 2001 Hong KongPersonal Data (Privacy) In force 20 Dec 1996 GreeceProtection Processing PD In force 10 April 1997 New ZealandPrivacy Act In force 1 July 1993 PortugalPersonal DP Act In force 27 October 1998 TaiwanComputer Processed DP In force 11 August 1995 South KoreaeCommerce Act In force January 1999 Eastern EuropeEstonia(96) Poland (98)Solovak (98) Slovenia(99) Hungary (99)Czech(00) Latvia(00) Lithuania (00) SwitzerlandData Protection Act In force 1 June 1999 Global PerspectiveNational Private Sector Privacy Protection SOUTH AFRICA?

13. An Information System

14. Section 14(d) of the Constitution “14. Everyone has the right to privacy, which includes the right not to have- (d) the privacy of their communications infringed.”… Limitations

15. Common lawChildren’s ActCustoms and Excise Act

16. National Credit Act Confidential Information section 1 ‘personal information that belongs to a person and is not generally available to or known by others’ Section 68 Still stands – not repealed by PPI Bill

17. ECT Act

18. PAI Act

19. RICA

20. PPI Bill

21. To ask questions and find the detail

22. Thank you John Giles john@michalsons.com Michalsons Attorneys can help apply ICT laws to your specific circumstances www.MichalsonsAttorneys.com “ICT Law with Insight” Copyright © Michalsons 2002-2009 The information contained in this presentation is subject to change without notice. Michalsons makes no warranty with regard to the material, including the implied warranties of fitness for a particular purpose. Michalsons will not be liable for errors or for incidental or consequential damages in connection with this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons is prohibited. Contact John Giles at john@Michalsons.com for permission to copy.