PROTECTION OF PERSONAL INFORMATION
ACT NO. 4 OF 2013 (“POPI”)
OCTOBER 2016
INTRODUCTION
• POPI was signed into law on 19 November 2013
• Commencement date of the following provisions was 11 April 2014:
• section 1; Part A of Chapter 5; and
• section 112; and
• section 113
INTRODUCTION
• Rationale behind POPI:
• Section 14 of the Constitution – right to privacy
• to protect against the misuse and abuse of personal information in RSA and the
cross-border flow of information
• introducing a minimum set of requirements for the processing of personal
information
• establishing an Information Regulator to perform duties in terms of POPI and
PAIA
• to align legislation with modern society
IMPORTANT DEFINITIONS
• “consent” – is any voluntary, specific and informed expression of will in terms of
which permission is given for the processing of personal information
• “data subject” – is a person to whom personal information relates
• “filing system” – is a structured set of personal information, whether centralised,
decentralised or dispersed geographically
• “operator” – is a person who processes personal information in terms of a
contract or mandate
IMPORTANT DEFINITIONS
• “personal information” – is information relating to an identifiable, living, natural
person or juristic person, including, but not limited to:
• Race, gender, pregnancy, marital status, national, ethnic or social origin
• Education, medical, financial, criminal or employment history
• ID, symbol, e-mail address, physical address, telephone number, location,
online identifier or particular assignment to the person
• Correspondence sent by the person that is explicitly or implicitly confidential or
private in nature, or any further correspondence that would reveal the contents of
the original correspondence
IMPORTANT DEFINITIONS
• Views or opinions of another individual about the person
• Name of a person if it appears with other personal information relating to
the person or if the disclosure itself would reveal the information
IMPORTANT DEFINITIONS
• “processing” – means any operation or activity or set of operations, whether or
not by automatic means, concerning personal information:
• the collection, receipt, recording, organisation, collation, storage, updating or
modification, retrieval, alteration, consultation or use
• dissemination by means of transmission, distribution or making available in any
other form
• merging, linking, as well as restriction, degradation, erasure or destruction of
information
• “responsible party” – is a public or private body or any person which, alone
or in conjunction with others, determines the purpose of and means for
processing personal information
APPLICATION OF THE ACT
• Applies to the processing of personal information where the information is entered
in a record by a responsible party AND
• when it is recorded by non-automated means, it forms part of a filing system or is
intended to form part thereof AND
• where the responsible party is domiciled in RSA
• If the responsible party is not domiciled in RSA, but makes use of automated or
non-automated means in the Republic – unless those means are used only to forward
personal information through the Republic
CAVEATS
• If any other legislation provides for conditions for the lawful processing of personal
information that are more extensive, then the more extensive conditions will prevail –
section 3
• POPI will apply in any other case irrespective of whether other legislation provides
for the lawful processing of information
EXCLUSIONS
• Section 6 determines that POPI does not apply:
• when data is processed for personal or household activities
• when personal information has been de-identified
• if a public body processes personal information for national security, criminal
matters or judicial functions
• when personal information is processed for journalistic, artistic or literary
expression
• Caveat in section 3 – more extensive protection in other legislation
LAWFUL PROCESSING
• There are 8 principles that have to be followed:
• Accountability
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Openness
• Security safeguards
• Data subject participation
LAWFUL PROCESSING
• Accountability
• The responsible party must ensure that he/she/it complies with the provisions of
POPI at the time of determining the purpose and means of the processing
• Processing limitation
• Lawfulness (should not infringe privacy)
• Consent, justification and objection
• Processing is justified if there is an obligation, if it protects a legitimate interest of
the data subject, or if it pursues the legitimate interests of the responsible party
• Consent may be withdrawn at any time
LAWFUL PROCESSING
• Minimalism – given the purpose for which information is processed, it has to be:
• Relevant
• Not excessive
• Adequate
• Collection – directly from the data subject
LAWFUL PROCESSING
• Purpose specification
• Collection
• Must be for a specific purpose relating to the function of the responsible party
• The data subject must be informed of the purpose of collection
• Retention and restriction
• Not longer than is necessary, unless required by law or for the function of the
responsible party
• Personal information must be destroyed, deleted or de-identified as soon as
practicable after it is no longer required to be retained
LAWFUL PROCESSING
• Further processing limitation
• Must be for the purpose for which the information was collected
• Further processing is not incompatible with the purpose if further processing is
necessary for compliance with section 1 of the SARS Act, No.34 of 1997
• Information quality
• Openness
• Documentation
• Must maintain documentation of processing operations – section 14 or 51 of
PAIA
• Notification when collecting data
LAWFUL PROCESSING
• Notify of the purpose of collecting the information
• Whether supply is mandatory or voluntary
• Whether the flow of information is cross-border, in which case the data subject needs
to be advised of the other countries’ privacy laws
LAWFUL PROCESSING
• Security Safeguards
• Security measures on data integrity and confidentiality
• appropriate and reasonable
• Identify internal and external risks
• Regularly verify, review and update safeguards
• Information processed by operator
• Only with authorisation of the responsible party
• Confidentiality
• Security Compromises
• Need to notify the regulator and the data subject
• Notify as soon as becoming aware of breach
LAWFUL PROCESSING
• Data subject participation
• Access to personal information
• Correction of personal information
• Manner of access – in accordance with PAIA
• Prohibition on processing special personal information
• Beliefs, race, sex, trade union membership and health (the Act contains more)
• Criminal behaviour – including what is merely alleged
• Sections 27 to 33 list exclusions to the prohibition on special personal information
CROSS BORDER INFORMATION FLOW
• Responsible party may not transfer personal information to a 3rd party in a foreign
country unless:
• The 3rd party has similar privacy laws, corporate rules or a binding agreement to
that effect
• The data subject consents to the transfer
• The transfer is necessary for contractual performance
• Transfer is necessary for the conclusion of agreements in the interest of the
data subject
• Transfer is for the benefit of the data subject
COMPLAINTS
• Any person may submit a complaint to the Regulator
• It must be in writing
• The Regulator may then conduct a pre-investigation
• Act as a conciliator at any time during the investigation
• May decide not to take any action on a complaint
• Conduct a full investigation
• Refer the complaint to the Enforcement Committee
• Take any other action referred to in terms of the Act
OFFENCES AND PENALTIES
• 2 categories
• Serious offences – fine or imprisonment of not more than 10 years
• Less serious offences – fine or imprisonment of not more than 12 months
• Administrative fines – not exceeding R10 million
TRANSITIONAL ARRANGEMENTS
• All processing of personal information must conform to the Act within 1 year
• The 1 year period may be extended by the Minister