Werksmans presentations on popi

Follow this event on Twitter: #WerksmansPOPI
Noticing Noticed Notices
Neil Kirby
16 May 2013

WHO?
Information Officer
2

WHY?
The purpose of the Act
(section 2)
3

WHAT?
Security compromises
Requests in respect of data-correction
Compliance: encourage and ensure
Regulator liaison
Chapter 6 investigations
Promotion of Access to Information Act No. 2 of 2000
4

CHAPTER 6
Prior authorisation processing
Notification required-once-off
Written and detailed
Await reply in respect of investigation
4 weeks : more detailed investigation
13 week limit
Results
5

IN ADDITION
Deputies
Regulations : responsibilities
Manner and forms
Complaints, investigations, search & seizure,
information notice, assessments, enforcement notice,
appeals and a section99(1) action
6

THANK YOU
Neil Kirby
16 May 2013
Nothing in this presentation should be construed as formal
legal advice from any lawyer or this firm. Readers are
advised to consult professional legal advisors for guidance
on legislation which may affect their businesses.
© 2013 Werksmans Incorporated trading as Werksmans
Attorneys. All rights reserved.

When you speak you begin
with “A, B, C”. When you
comply you begin with “Don’t
bother me”?
Ina Meiring
16 May 2013

Duties and responsibilities of the Information Officer
Section 55(1): “An information officer’s responsibilities
include—
(a) the encouragement of compliance, by the body, with
the conditions for the lawful processing of personal
information;
(b) dealing with requests made to the body pursuant to
this Act;
(c) working with the Regulator in relation to
investigations conducted pursuant to Chapter 6 in
relation to the body;
(d) otherwise ensuring compliance by the body with the
provisions of this Act; and
(e) as may be prescribed”
9

Conditions for lawful processing
Condition 1:
Accountability
The responsible party must ensure that the conditions
for lawful processing and all the measures that give
effect to such conditions, are complied with at the time
of the determination of the purpose and means of the
processing and during the processing itself.
10

Processing limitation (2)
Personal information must be processed lawfully and in a
reasonable manner that does not infringe the privacy of
the data subject.
Adequate, relevant and not excessive (purpose) (minimal)
Only if –
the data subject consents to the processing;
processing is necessary: contract to which the data subject is
party;
processing complies with an obligation imposed by law on
the responsible party;
processing protects a legitimate interest of the data
subject;
processing is necessary for the proper performance of a
public law duty by a public body; or
processing is necessary for pursuing the legitimate
interests of the responsible party or of a third party to
whom the information is supplied.
11

Processing limitation (2)
The data subject may withdraw consent and may object
to the processing of personal information (unless
legislation provides for such processing).
Personal information must be collected directly from the
data subject, unless –
the information is contained in or derived from a public
record or has deliberately been made public by the data
subject;
the data subject or a competent person where the data
subject is a child has consented to the collection of the
information from another source;
collection of the information from another source would
not prejudice a legitimate interest of the data subject;
12

Collection directly from the data subject
Personal information must be collected directly from the data subject, unless
collection of the information from another source is necessary—
to avoid prejudice to the maintenance of the law by any public body,
including the prevention, detection, investigation, prosecution and
punishment of offences;
to comply with an obligation imposed by law or to enforce legislation
concerning the collection of revenue as defined in section 1 of the
South African Revenue Service Act, 1997 (Act No. 34 of 1997);
for the conduct of proceedings in any court or tribunal that have
commenced or are reasonably contemplated;
in the interests of national security; or
to maintain the legitimate interests of the responsible party or of a
third party to whom the information is supplied;
compliance would prejudice a lawful purpose of the collection; or
compliance is not reasonably practicable in the circumstances of the
particular case.
13

Purpose specification (3)
Personal information must be collected for a specific,
explicitly defined and lawful purpose related to a
function or activity of the responsible party.
The data subject must be aware of the purpose of the
collection of the information.
No records must be retained any longer than is
necessary for achieving the purpose for which the
information was collected or subsequently processed,
unless—
required or authorised by law;
the responsible party requires the record for lawful
purposes;
required by a contract between the parties thereto;
or
the data subject has consented to the retention of
the record.
14

Further processing limitation (4)
Further processing of personal information must be in
accordance or compatible with the purpose for which it
was collected
The responsible party must take account of—
the relationship between the purpose of the intended
further processing and the purpose for which the
information has been collected;
the nature of the information concerned;
the consequences of the intended further processing for
the data subject;
the manner in which the information has been collected;
and
any contractual rights and obligations between the parties
15

Information quality (5)
The responsible party must take reasonably
practicable steps to ensure that the personal
information is complete, accurate, not
misleading and updated where necessary.
In taking the steps referred to the responsible
party must have regard to the purpose for
which personal information is collected or
further processed.
16

Openness (6)
A responsible party must –
maintain documentation of all processing operations;
ensure that the data subject is aware of –
the information being collected;
the name and address of the responsible party;
the purpose ;
whether or not the supply of the information by
that data subject is voluntary or mandatory;
the consequences of failure to provide the
information;
any particular law authorising requiring the
collection of the information;
17

Openness(6)
A responsible party must ensure that the data subject is
aware of-
further information such as the—
recipient or category of recipients of the information;
nature or category of the information; and
existence of the right of access to and the right to
rectify the information collected;
the right to object to the processing of personal
information;
the right to lodge a complaint to the Information
Regulator and the contact details of the Information
Regulator.
18

Security safeguards (7)
A responsible party must secure the integrity and
confidentiality of personal information in its
possession or under its control by taking appropriate,
reasonable technical and organisational measures to
prevent—
loss of, damage to or unauthorised destruction of
personal information; and
unlawful access to or processing of personal
information.
19

Operator
A person who processes personal information for a responsible
party in terms of a contract or mandate, without coming under
the direct authority of that party.
An operator or anyone processing personal information in behalf
of a responsible party or an operator must-
process such information only with the knowledge or
authorisation of the responsible party; and
treat personal information which comes to their knowledge
as confidential and not disclose it,
unless required by law or in the course of the proper
performance of their duties.
20

Security measures
A responsible party must, in terms of a
written contract between the responsible
party and the operator, ensure that the
operator which processes personal information
for the responsible party establishes and
maintains the security measures referred to in
section 19.
The operator must notify the responsible party
immediately where there are reasonable
grounds to believe that the personal
information of a data subject has been
accessed or acquired by any unauthorised
person.
21

Data subject participation(8)
A data subject has the right to—
request a responsible party to confirm, free of charge, whether
or not the responsible party holds personal information about
the data subject; and
request from a responsible party the record or a description of
the personal information about the data subject held by the
responsible party, including information about the identity of all
third parties, or categories of third parties, who have, or have
had, access to the information—
(i) within a reasonable time;
(ii) at a prescribed fee, if any;
(iii) in a reasonable manner and format; and
(iv) in a form that is generally understandable.
22

Checklist
The nature (and volume?) of personal information
processed within your organisation and whether it is
complete, accurate and up to date. You will have to
undertake an audit of human resources, IT (for security
and contingency measures), marketing, customer sales
and support.
Do you have a data privacy policy which also addresses
information security (security safeguards) ? Does this
policy describe sufficient physical, technological and
organizational data security measures? This policy
should also address the conditions for lawful processing
(and further processing) within your organisation and
within the Group.
Do you disclose personal information to third parties
(e.g. sub-contractors) and do you have contracts and
security measures in place to ensure data privacy?
23

Checklist
Do you have a process for notification of security
compromises (assuming you have addressed disaster
recovery, and risks of unauthorised access).
Have you established who will be appointed as
Information Officers and deputy information officers and
do they do know what their obligations under POPI will
be? Does your business understand when notifications
to the Regulator must be made?.
Have you reviewed your employment contracts to
address data privacy and information security?
24

Checklist
Have you reviewed the terms and conditions of products
and services sold to customers to deal with your
compliance obligations under POPI (e.g. consents
required)?
Do you have a process in your organisation to deal with
complaints about inaccuracies of personal information or
when a data subject wishes to exercise any of the
rights under clause 5 of POPI?
Do you or will you provide training to employees and
how will the policy be communicated within your
organisation and to external parties?
25

Checklist
Do you transfer data outside the borders of SA and does
your policy provide for this?
Have you reviewed your marketing procedures and
processes to determine compliance with POPI (and
other applicable law)?
Do you have a document retention policy which also
addresses destruction thereof within a certain period?
The document retention policy should take into account
any personal information retained.
26

Quick wins
27
Get there!
Empower your people
Designate role, prepare appointment
documentation for Information Officer
Review or prepare standard
templates for data sharing or
processing in agreements
Inventory of databases and
flows
Review or prepare template
data transfer contracts
Review or revise or prepare
privacy policies and notices
directed at customers and
business partners
Review or prepare notices
directed at employees with
respect to processing of
employee data
Assess where notifications are
required
Review or prepare data
processing contracts
Direct marketing: implement
protocols for opt-in/opt-out
processes...
Review/develop internal
protocols and processes

THANK YOU
Ina Meiring
16 May 2013

Houses of straw, houses of
sticks and houses of bricks
Ahmore Burger-Smidt

Obligations for the Protection of Personal Information
can have a significant impact on business...
The way that any organisation processes and handles the personal
information of its customers, employees, business partners and service
providers is crucial
Non compliance with the duties imposed by legislation may result in
regulatory action, civil liability, damage to reputation and, in extreme
cases, even criminal prosecution

Follow this event on Twitter: #WerksmansPOPI 31
National Comprehensive Data Protection/Privacy
Laws and Bills 2012

The big picture programme
32
Privacy
Programme
POLICY & PROCEDURES
• Employee, Customer and Partner
Policies and Procedures
• Enterprise-Wide Standard
Operation Procedures
PRIVACY ANALYSIS
• Life-cycle based Data Flow Analysis
(information acquisition, use,
storage, distribution and
destruction) with multiple options
(organizational, business unit,
geography, process, system or
employee or customer data)
• Risk-based Assessments and Gap
Analysis
• Risk Prioritisation
CULTURAL TRANSFORMATION
• Governance
• Enterprise Directives (Policies,
Processes, Guidelines, Scenarios,
Taxonomy)
• Value-Adoption Assessments
• Web-enabled tools (dynamic
content/role and activity based)
SOLUTION SET DESIGN
• Policy & Procedures
• Cultural Transformation
• System/Product Architecture
• Detailed Roadmaps (Prioritisation,
inter-dependencies and estimated
resources and time)
PRIVACY STRATEGY
• Brand Opportunities
• Regulatory Environment
• Governance
• Communications Plan
• Strategic Roadmaps
SYSTEM ARCHITECTURE
• Strategy (data location,
centralised vs decentralized)
• Functional requirements
• Technical Specifications
• Development
• Implementations
• Change Management
• Quality assurance
MONITORING & REPORTING
• Processes
• Regulatory safe Harbour
• Extended Enterprise
• Systems/Applications
• Internal Audit Programs
• Web-based monitoring tools
• Incident Response
PRIVACY FRAMEWORK
• Methodology
• Tool-based Framework
• Detailed Requirements Analysis
(brand, regulatory, policy)

The 5 Key principles
33
Know what you have- files and computors
Who, how, what, where
Who has access
Keep only what you need
Legitimate business need
What does the law require
Protect the information that you keep
Physical and electronic security
Network security, laptop, firewalls, remote access
Take stock
Scale down
Lock it
Pitch it
Plan ahead
A plan to respond to security incidents
Who in the team will lead
Step-by-step guideline
Properly dispose of what you don’t need
Disposal processes, effective disposal
Process and Policy

Implementing the 5 key principles:
Werksmans methodology
34
Applicable legislative landscape
ResponsibilitiesDuties
Types of records
Processes
Werksmans
insight
POPI
Compliance
Road-map
Close existing gaps
Compliance officerPolicies and procedures
Incident management process
Training
Alignment with legislation
Security / processes and procedures
Security
Ownership
Current state Desired state

What does this look like
35
3. Resource
planning
4. Empowerment:
Documentation
1. Situation
Assessment
2. Risk
Management
Understand current
practices, arrangements
and agreements
As-Is – To-Be Report
Identify philosophy and
overall strategy
Add to business process
map
Formulate change and
communication strategy
Risk Management Plan
Organisation specific
resource plan
Compliance cultureStrategic
Outcome
Operational
Analysis
Outcome
Understand way forward Enable staff and
empower organisation
Define “people” privacy
structure
Draft job descriptions as
identified
Draft and amend customer
facing documentation
Draft call centre scripts
Awareness
Ability to hold staff
accountable
Embed risk management
tool
Formulate overarching HR
Plan
Training- workshop and
online
Draft/Review operator
contracts
Information classification
Identification of types of
processes
Define implementation
dependencies
Design and implement risk
management tool
Draft security compromises
process
Draft step guide to
information requests
Draft special information
processing procedure
Draft Policies
Draft standard agreements
or templates for intra-group
data transfers
Draft documentation - trans
border information
transfers

Only once you understand …..
36
Storage
Use
Sharing
Archive
Acquisition
Destruction
Information
Management
Lifecycle

The way forward should suit your specific business
37
Text
Your POPI approach
POPI compliance should never be an
impediment to your business. POPI
compliance should have:
• a relevant approach
• practical approach
• innovative and creative outcome
• Allow your business to focus on strategy, risk
management, corporate governance and future growth!

THANK YOU
Ahmore Burger-Smidt
16 May 2013

BORDER CROSSINGS:
Cross Border Data Transfer
Section 72 of POPI
Tammy Bortz
16 May 2013

INTRODUCTION
Internet: massive movement of data between jurisdictions
Benefits:
ability to move data around depending on where there is
processing capacity/resources
transfer data to jurisdictions where data processing cheaper
Business enabler:
Service providers rely on the internet as their biggest business
tool. Over the years huge growth in revenue generated by online
service providers: e-commerce (able to reach many more
customers – no longer need a physical presence), cloud computing
(and in turn end users who use cloud services)
Consumers: communication tool, wider choice of goods/services
(which in turn creates competition)
Business: process data in different regions based on resources, no
longer need staff/operations in centralized location, scale down on
IT spend
40

INTRODUCTION
SMME’s: no longer require costly infrastructure and
resources: easy access to email, accounting packages,
and ERP all via the internet – turn on and off based on
need -
cloud services
cheap and easily accessible advertising platforms:
Facebook, linked in etc.
Africa: access to Internet growing (laying of fibre):
enables online access to educational resources/medical
resources
Increase international trade
41

LEGAL OBSTACLES
Data transfer impeded by global data privacy laws
No one global data protection law/data framework –
businesses that wish to transfer data between
jurisdictions have to familiarizes themselves and
navigate through a patchwork of laws and global rules
Certain jurisdictions – far more prescriptive than others
as to the basis on which personal information can enter
and leave its jurisdiction as well as how the data of its
citizens should be protected
“data protectionism”- governments have in place laws
that enable them to have control over data sitting in
their jurisdiction – favor local interests and competition
42

MAJOR PLAYERS: EUROPEAN UNION
Data Protection Directive: Directive 95/46/EC
Each EU member country must pass its own national law
which is in compliance with the directive
Many have such legislation – UK most well know
Others: Finland, Germany, Ireland, Isle of Mann
Cannot transfer personal data out of the EU unless target
jurisdiction has “adequate protection” ie laws in place that
offer same level of protection as that offered by the EU
Exceptions to this are (“adequate protection”):
White listed countries
US-EU Safe harbor
Use of EU approved data export agreements/model contract
clauses
Binding corporate rules
43

MAJOR PLAYERS: EUROPEAN UNION
Findings of adequacy: Canada, Guernsey, Jersey:
Participation in Safe Harbor scheme
Standard/Model Contractual Clauses: directive issued by
EU Commission 2001/2004/2010.
Transfers made in terms of an agreement which contains
these clauses - target company deemed to have adequate
controls in place
Binding Corporate Rules
44

BINDING CORPORATE RULES
Binding Corporate Rules or "BCRs"
allow multinational corporation, international organizations
and groups of companies to make intra-organizational
transfers of personal data across borders in compliance
with EU Data Protection laws.
BCR’s were developed as an alternative to the Safe Harbor
principles (which are for US organizations only) and the EU
Model Contract Clauses.
Must be approved by the data protection authority in
each EU Member State (such as the Information
Commissioners Office in the UK) in which the
organization will rely on the BCR’s.
Examples of organizations who have BCR’s: Citigroup,
Accenture, Novartis, Phillips
45

MAJOR PLAYERS: USA
USA: no overriding legislation that protects personal
information of US citizens
Legislation at industry level
Safe Harbor: US organizations that participate in the
safe harbor scheme are “white listed” – ie, EU will
allows transfer of personal data to the US
Obama Administration: 2012 issues framework for
national protection of personal data legislation – aligns
with EU data protection principles
Purpose: to enable seamless transfer of data
between the USA and EU member states
46

SOUTH AFRICA
Currently, no single overriding data protection law in place which regulates
cross border data transfer – this will change once POPI passed into law.
In particular, EU will regard RSA as a jurisdiction which has an adequate level of
protection
Current restrictions on outward transfer
Constitution and Common Law and which grants rights to privacy to South
African citizens and under what circumstances such rights can be
overridden –
Consent
Necessity
Contracts:
Contractual clauses which may prevent data transfer
Confidentiality undertakings
Legislation for regulated industries
Financial Advisory and Intermediary Services Act , as read with its
Codes of Conduct
National Health Act
47

SOUTH AFRICA
Financial Service Providers
o “The Codes of Conduct for Administrative and Discretionary
[FSP’s] (Government Gazette 25299, 8 August 2003]: FSP’s may
not without [investors] prior written approval, sell to or provide a
third party with an [investors] details unless obliged to by, or in
terms of any law
o “General Code of Conduct for Authorised [FSP’s] and
Representatives (Government Gazette 25299 8 August 2003) : an
FSP may not disclose any confidential information acquired or
obtained from an [investor] or in regard to such [investor] unless
the written consent of the [investor] has been obtained
beforehand or disclosure of the information is required in the
public interest or under any law.”
48

TRANSFER OUT: SECTION 72
A responsible party cannot transfer personal information to a third party who is in a foreign
country.
Exemptions:—
the third party who is the recipient of the information is subject to a law, binding corporate
rules, binding agreement or a memorandum of understanding entered into between two or
more public bodies, which provide an adequate level of protection that—
(i) effectively upholds principles for reasonable processing of the information that are
substantially similar to the conditions for the lawful processing of personal information
relating to a data subject who is a natural person and, where applicable, a juristic
person; and (ii) includes provisions, that are substantially similar to this section, relating
to the further transfer of personal information from the recipient to third parties who are
in a foreign country;
consent;
transfer necessary for the performance of a contract between the data subject and the
responsible party, or for the implementation of pre-contractual measures taken in response
to the data subject’s request;
transfer necessary for the conclusion /performance of a contract concluded in the interest of
the data subject between the responsible party and a third party; or
transfer is for the benefit of the data subject, and—
it is not reasonably practicable to obtain the consent of the data subject to that transfer;
and
if it were reasonably practicable to obtain such consent, the data subject would be likely
to give it.
49

BINDING CORPORATE RULES/MOU
Available to public bodies
Must be approved by data protection authorities
“Binding corporate rules’’: personal information processing
policies, within a group of undertakings (being a controlling
undertaking and its controlled undertakings) which are
adhered to by a responsible party or operator within that
group of undertakings when transferring personal information
to a responsible party or operator within that same group of
undertakings in a foreign country
Where the transfer is made in terms of a non-binding
memorandum of understanding [BCR’s?] the public body
remains accountable in terms of POPI for the protection of the
personal information.
50

CONSENT
Must be voluntary, specific and informed expression of will in
terms of which permission is given for the processing of personal
information
Guidance from the EU Commission as to what would be regarded
as consent for purposes of this exemption –
individual must know why data is being transferred and where
possible, to which jurisdictions
Not be given under duress
Specific for purpose for which given – cannot transfer for any other
purpose
How and at what point must this consent be obtained?
Physical forms
Website
Point of Sale
51

PERFORMANCE OF A CONTRACT/IMPLEMENTATION OF PRE-
CONTRACTUAL MEASURES
“Transfer necessary for the performance of a contract between the data subject and
the responsible party or for the implementation of pre-contractual measures taken
in response to the data subject’s request (transfer is a necessary step the individual
has asked the organisation to take for purposes of contract conclusion)”
Examples
individual books a hotel in the USA through a South African travel agent.
RSA travel agent will need to transfer the booking details to the USA to fulfil
its contract with the individual.
customer of a South African credit-card issuer uses their card in Japan. It
may be necessary for the card issuer to transfer some personal data to
Japan to validate the card and/or reimburse the seller
A South African based internet trader (retailer) sells goods online. Goods
are delivered direct to the customer from the manufacturer. If customer
orders goods that are manufactured in the Ukraine, the trader needs to
transfer a delivery name and address to the Ukraine to carry out the
contract.
Transfer will not be regarded as necessary where due to the structure of the
business ie: the company decides to locate a business operation off shore (here,
transfer not necessary but convenient)
52

NECESSARY FOR THE CONCLUSION/PERFORMANCE OF A
CONTRACT CONCLUDED IN THE INTEREST OF THE DATA
SUBJECT
53
“The transfer is necessary for the conclusion or performance of a
contract concluded in the interest of the data subject between the
responsible party and a third party””
“Interest” not defined
Will be in the interest of a data subject if some benefit to the data
subject ie -
Lower cost of processing passed on the customer
Better security
Improve service offering
Use of offshore redundancy: decrease risk of outages

BENEFIT AND NOT PRACTICABLE TO OBTAIN CONSENT
54
Transfer is for the benefit of the data subject, and—
(i) it is not reasonably practicable to obtain the consent of the data subject
to that transfer; and
(ii) were reasonably practicable to obtain such consent, the data subject
would be likely to give it
“Benefit”: lower cost of processing passed on the customer, better
security, improve service offering, use of offshore redundancy, decrease
risk of outages
“not practicable to obtain”
subjective enquiry
Example: where thousands of customers/impossible to track all
customers
Compare cost of seeking consent against benefit to disclose
If practicable: data subject would give consent
What data is being transferred?
Would need to look at the purpose for which data being transferred
What protection is afforded in the offshore jurisdiction?

TRANSFER IN
Transfer in
POPI: remove barriers for transfer from EU to RSA, USA
where organization has subscribed to Safe Harbor
Current Position
Where does the data sit?
Are there any laws in such jurisdiction which may inhibit
the inward transfer of such data to South Africa?
Assess this before transfer data to such jurisdiction
55

THANK YOU
Tammy Bortz
16 May 2013

Werksmans presentations on popi

More Related Content

What's hot

Viewers also liked

Similar to Werksmans presentations on popi

More from Werksmans Attorneys

Recently uploaded

Werksmans presentations on popi