Protection of Personal Information
Seminar
presented by
Adv. Alan Lambert
Sunnyside Hotel
25 October 2012
Agenda
• Introduction.
• Purpose, definition and application.
• Conditions for lawful processing.
• Exemptions from the processing Conditions.
• Supervision.
• Prior authorisation, codes of conduct, direct
marketing, automated decision making and
transborder transfers.
• Enforcement, offences, penalties and
administrative fines
Introduction
• POPI is set to become law shortly and will bring
South Africa in line with other jurisdictions that
have similar legislation (such as the 1995 EU
Directive, currently under review).
• POPI will place a significant compliance burden
on companies and public bodies, as such bodies
are likely to possess substantial personal data
records (electronically and hard copy).
Introduction
• POPI will become South Africa’s primary
legislation dealing with the processing of
personal information.
• POPI will significantly affect the manner in
which companies collect, store, process and
disseminate personal information.
Privacy laws around the globe
Chapters 1 & 2 of the Bill
Purpose, definitions and application
Sections 1 - 7
TH!NK
PRIVACY
Purpose of POPI
• POPI:
– gives effect to the constitutional right to privacy;
– regulates the manner in which personal
information may be processed; and
– provides rights and remedies to protect personal
information.
• Promotes the protection of personal
information processed by the private and the
public sectors.
What is personal information?
(“PI”)
• PI relates to an identifiable, living, natural
person, and where applicable, an identifiable,
existing juristic person, including, but not
limited to:
– race, gender, sex, pregnancy, marital status, national
or ethnic origin, colour, sexual orientation, age,
physical or mental health, disability, religion,
conscience, belief, culture, language and birth of a
person;
What is PI?
– education, medical, financial, criminal or employment
history;
– the biometric information of the person;
– personal opinions, views or preferences;
– id number, symbol, e-mail address, physical address,
telephone number or other particular assignment to a
person;
– private or confidential correspondence;
– the personal views, opinions or preferences of the person;
– a name if it appears together with other PI or if disclosure
of the name itself would reveal PI about the person; and
– the views or opinions of another individual about the
person.
PI in the workplace
• POPI applies to PI that employers may collect and
keep on any person who might wish to work,
works, or has worked for the employer. Such
people include:
– applicants (successful or unsuccessful);
– former applicants (successful or unsuccessful);
– employees (current and former);
– agency staff (current and former);
– casual staff (current and former);
– temporary staff (current and former); and
– contract staff (current and former).
What is processing of PI?
• Is any operation or activity, whether or not by
automatic means, including:
– collection, receipt, recording, organisation, collation,
storage, updating or modification, retrieval, alteration,
consultation or use;
– dissemination by means of transmission, distribution or
making available in any form;
– merging, linking, as well as restriction, degradation, erasure
or destruction.
Processing lifecycle
What is a record and responsible
party?
• A record is any recorded information regardless of form
or medium, including:
– writing, electronic information, label, marking, image, film,
map, graph, drawing, tape; and is
• in the possession or under the control of a responsible
party;
• whether or not it has been created by the responsible
party; and regardless of when it came into existence.
• A responsible party is a public or private body which
determines the purpose and means of
processing PI.
Other key concepts
• ‘consent’ – any voluntary, specific and informed
expression agreeing to the processing of PI;
• ‘data subject’ – means the person to whom the PI
relates;
• ‘de-identify’ – means to delete any information
that:
– identifies the data subject;
– can be used or manipulated to identify the data subject;
– can be linked to other information to identify the
data subject;
Application provisions
• POPI applies to the processing of PI by a
responsible person domiciled in the Republic and
where processing happens in the Republic*;
• POPI will override other legislation that contains
inconsistent provisions relating to the processing of
PI.
• If other legislation provides for more extensive
conditions for the processing of PI the other
legislation will prevail.
*unless the processing is used solely to forward PI through the Republic.
Rights of a data subject
• A data subject has the right (amongst others):
– to object, on reasonable grounds, to the processing
of his, her or its PI;
– to be notified that PI has been accessed or acquired
by an unauthorised person;
– to establish whether a responsible party holds PI and
request access to it;
– to request the correction, destruction or deletion
of his, her or its PI.
Information excluded
• POPI excludes processing of PI:
– for purely personal or household activity;
– that has been de-identified to the extent that it cannot be re-identified again;
– by or on behalf of a public body and:
• which involves national security; or
• the purpose of which is the prevention, detection,
investigation or proof of offences;
– solely for the purpose of literary or artistic expression, to the
extent that the right to privacy is balanced with the right to
freedom of expression;
– by Cabinet, its committees and Executive Council of
provinces.
Chapter 3 of the Bill
Conditions for the lawful processing of personal
information
&
Processing of special personal information
Sections 8 to 35
Some things to keep in mind …
• Staff training
• Company policies & procedures
• Company documents
• IT systems
• Organisational structure
• Security
Condition 1. Accountability
• The responsible party must ensure that the
conditions set out in Chapter 3 are complied
with at the time of:
– determining the purpose;
– collecting the PI; and
– during the processing itself.
Condition 2. Processing limitations
• PI must be processed lawfully and in a
reasonable manner that does not infringe the
privacy of the data subject;
• PI may only be processed if, given the purpose
for which it is processed, it is adequate,
relevant and not excessive.
Condition 2. Processing limitations
• PI may only be processed if:
– the data subject consents to the processing;
– processing is necessary for the conclusion or
performance of a contract to which the data subject is
a party;
– there is a legal obligation to do the processing;
– processing protects the legitimate interests of the
data subject;
– processing is necessary for the proper performance of
a public law duty by a public body;
– processing is necessary for the pursuit of legitimate
interests of the responsible party.
Condition 2. Processing limitations
• A data subject may object, at any time, on
reasonable grounds, to the processing of their
PI. The responsible party may then no longer
process the PI.
• PI must be collected directly from the data
subject except if:
– the information is contained in a public record or has
deliberately been made public by the data subject;
– the data subject has consented to the collection from
another source;
Condition 2. Processing limitations
• collection from another source would not prejudice a
legitimate interest of the data subject;
• collection from another source is necessary:
– to maintain law and order;
– to enforce legislation concerning the collection of revenue;
– for the conduct of court or tribunal proceedings;
– in the interests of national security;
– to maintain the legitimate interests of the responsible party.
• compliance would prejudice a lawful purpose of the
collection; or
• compliance is not reasonably practicable in the
circumstances of the particular case.
Condition 3. Purpose specification
• PI must be collected for a specific, explicitly defined and
lawful purpose related to the function or activity of the
responsible party.
• The data subject must be made aware of the purpose of
the collection.
• Records must not be retained any longer than is necessary
for achieving the purpose for which it was collected
unless:
– further retention is required by law;
– the responsible party reasonably requires to keep it;
– retention is required by a contract between the parties;
– the data subject consents to the further retention.
Condition 3. Purpose specification
• Records may be retained for longer periods for
historical, statistical or research purposes if the
responsible party establishes appropriate safeguards
against the information being used for any other
purpose.
• PI must be destroyed, deleted or de-identified as
soon as is reasonably practical.
• Destruction or deletion must be done in a manner
that prevents its reconstruction in an intelligible
form.
Condition 3. Purpose specification
• A responsible party must restrict processing of PI if:
– its accuracy is contested by the data subject, until the
accuracy is verified;
– the responsible party no longer needs the PI for
achieving the purpose for which it was collected, but
it needs to be retained for purposes of proof;
– the processing is unlawful and the data subject
opposes its destruction or deletion.
• Where a restriction is lifted, the data subject must
be informed of the lifting.
Condition 4. Further processing
limitation
• Further processing must be compatible with the
purpose for which it was collected. Account must
be taken of:
– the relationship between the purpose of the further
processing and the purpose for which the PI was collected;
– the nature of the information;
– consequences of further processing for the data subject;
– any contractual rights and obligations; and
– the manner in which the information was collected.
Condition 4. Further processing
limitation
• The further processing is not incompatible if:
– the data subject gives consent to further processing;
– the information is available in a public record or has
been made public by the data subject;
– further processing is necessary:
• to avoid prejudice to the maintenance of law and order;
• to comply with an obligation imposed by law;
• for the conduct of proceedings in any court or tribunal; or
• in the interest of national security.
Condition 4. Further processing
limitation
– further processing is necessary to prevent or
mitigate a serious and imminent threat to:
• public health or safety; or
• the life or health of the data subject or another
individual.
– the information is used for historical, statistical or
research purposes and the responsible party
ensures that further processing is carried out
solely for such purposes; or
– the further processing is in accordance with an
exemption granted by the Regulator.
Condition 5. Information quality
• A responsible party must take reasonably
practical steps to ensure that PI is complete,
accurate, not misleading and updated where
necessary.
Condition 6. Openness
• When collecting PI the responsible party must take
reasonably practicable steps to ensure the data
subject is aware of:
– the information being collected;
– the name and address of the responsible party;
– the purpose for which the information is being collected;
– whether or not the supply of the information is voluntary
or mandatory;
– the consequences of failure to provide the information;
– any particular law authorising the requiring of the
collection;
Condition 6. Openness
– the right of access to and the right to rectify the
information collected;
– the fact that, where applicable, the responsible party
intends to transfer the information to a third
country/international organisation and the level of
protection afforded by that third country/organisation;
and
– the right to object to the processing of the information.
• This must be done prior to collecting PI if the PI is
collected directly from the data subject, or in any
other case as soon as is reasonably practical after
collection.
Condition 6. Openness
• It is not necessary to comply with the condition
of openness if:
– the data subject consents to the non-compliance;
– compliance will prejudice the legitimate interest of
the data subject;
– non-compliance is necessary:
• to maintain law and order;
• to comply with obligations imposed by law;
• for the conduct of proceedings in any court or tribunal; or
• in the interest of national security.
Condition 6. Openness
– compliance would prejudice a lawful purpose of
collection;
– compliance is not reasonably practicable or the
information will:
• not be used in a form in which the data subject may be
identified; or
• be used for historical, statistical or research purpose.
Condition 7. Security safeguards
• A responsible party must secure the integrity and
confidentiality of the PI in its possession or under
its control by taking appropriate, reasonable
technical and organisational measures to prevent:
– loss, damage or unauthorised destruction of the PI;
– unlawful access to, or processing of the PI.
• Due regard must be had to generally accepted
information security practices and procedures –
generally and industry specific.
Condition 7. Security safeguards
• A responsible party must take reasonable
measures to:
– identify foreseeable internal and external risks to
PI in its possession or under its control;
– establish and maintain appropriate safeguards
against risks identified;
– regularly verify that the safeguards are effectively
implemented; and
– ensure that safeguards are regularly updated in
response to new risks.
Condition 7. Security safeguards
• Anyone processing PI on behalf of a responsible
party must:
– treat the information as confidential and not disclose it
unless required by law;
– apply the same security measures as the responsible
party;
– the processing must be governed by a written contract
ensuring safeguards are in place; and
– if domiciled outside the Republic, comply with local
protection of personal information laws.
• It is the responsible party’s duty to ensure
compliance with the above.
Condition 7. Security safeguards
• Where there are reasonable grounds to
believe that PI has been accessed or acquired
by any unauthorised person the responsible
party must:
– notify the Regulator; and
– the data subject.
• Notification must be done as soon as possible
after the discovery of the compromise.
Condition 7. Security safeguards
• Notification to the data subject must be in
writing and communicated in at least one of
the following ways:
– mailed to last known physical or postal address;
– e-mailed to last known e-mail address;
– placed in a prominent position of the responsible party's
website;
– published in the news media; or
– as may be directed by the Regulator.
• The notification must contain enough data to
allow the data subject to take protective
measures.
Condition 8. Data subject participation
• Access to PI:
– request confirmation, free of charge, whether or
not the responsible party holds PI about the data
subject; and
– request the record or description of the PI,
including information about the identity of all
third parties who have had access to the
information – a non-excessive fee may be charged.
– a responsible party may or must refuse to disclose
information in terms of parts 2 and 3 of PAIA.
Condition 8. Data subject participation
• Correction of PI
– data subject may request responsible party to:
• correct or delete PI that is inaccurate, irrelevant,
excessive, out of date, incomplete, misleading or
obtained unlawfully;
• delete or destroy PI that the responsible party is no
longer authorised to retain.
Special personal information
• A responsible party may not process special PI
unless:
– processing is carried out with the consent of the data
subject;
– processing is necessary due to legal obligations;
– processing is for historical, statistical or research
purposes to the extent that:
• the purpose serves public interest; or
• it would be impossible or involve disproportionate effort to
ask for consent; and
• sufficient guarantees are provided to ensure that the
processing does not adversely affect the privacy of the data
subject to a disproportionate extent.
Special personal information
– the information has deliberately been made public
by the data subject; or
– provisions of sections 28 to 34 are complied with.
• The regulator may, upon application, and by
notice in the Gazette authorise a responsible
party to process special PI if such processing is
in the public interest and appropriate
safeguards have been put in place.
Section 28: Religious and philosophical
beliefs
• The prohibition does not apply if the
processing is carried out by:
– spiritual or religious organisations if the special
information concerns data subjects belonging to
those organisations; and
– the special information may not be supplied to
third parties without the consent of the data
subject.
Section 29: Race or ethnic origin
• The prohibition does not apply if the
processing is carried out to:
– identify data subjects and only when this is
essential for that purpose; and
– comply with laws and other measures designed to
protect or advance persons, or categories of
persons, disadvantaged by unfair discrimination.
Section 30: Trade union membership
• The prohibition does not apply to the
processing by the trade union to which the
data subject belongs if such processing is
necessary to achieve the aims of the trade
union.
• No PI held by a trade union may be supplied
to third parties without the consent of the
data subject.
Section 32: Health or sex life
• The prohibition does not apply to the
processing carried out by:
– medical professionals, healthcare
institutions/facilities or social services if such
processing is necessary for the proper treatment
and care of the data subject;
– insurance companies, medical aid schemes,
medical aid scheme administrators and managed
health care organisations if the processing is
necessary for:
Section 32: Health or sex life
• assessing the risk to be insured or covered and the data subject
has not objected to the processing;
• the enforcement of any contractual rights and obligations.
– schools, if such processing is necessary to provide
special support for learners;
– administrative bodies, pension funds and employers if
such processing is necessary for:
• the implementation of the provisions of laws, pension
regulations or collective agreements which create rights
dependent on the health or sex life data of the data subject; or
• the reintegration or support of workers entitled to
benefit in connection with any sickness or work incapacity.
Section 32: Health or sex life
• The information may only be processed subject
to an obligation of confidentiality by virtue of
office, employment, profession or legal provision,
or established by a written agreement between
the responsible party and the data subject.
• PI concerning inherited characteristics may not
be processed unless:
– a serious medical interest prevails; or
– the processing is necessary for historical, statistical
or research activity.
Section 33: Criminal behaviour
• The prohibition does not apply if the processing is
carried out by bodies charged by law with
applying criminal law.
• The prohibition does not apply to responsible
parties who process the information for their
own lawful purposes to:
– assess an application in order to take a decision about,
or provide a service to, that data subject; or
– protect their legitimate interests in relation to criminal
offences which have been, or can reasonably be
expected to be, committed against them or against
persons in their service.
Sections 34 & 35: Children
• A responsible party may not process the PI
concerning a child unless the processing:
– has the prior consent of a competent person;
– is necessary for the establishment, exercise or defence
of a right or obligation in law;
– is for historical, statistical or research purposes to the
extent that:
• the purpose serves public interest; or
• it appears impossible or would involve a
disproportionate effort to ask for consent.
Chapter 4 of the Bill
Exemption from conditions for
processing of personal information
Sections 36 to 38
Exemption
• Processing of PI is not in breach of a condition if
the Regulator grants an exemption by giving notice
in the Gazette if the Regulator is satisfied that:
• public interest outweighs, to a substantial degree, any
interference with the privacy of the data subject; or
• processing involves a clear benefit to the data subject or third
party that outweighs, to a substantial degree, any interference
with the privacy of the data subject.
Public interest includes interest of national security, prevention,
detection or prosecution of offences, important economic and
financial interests of a public body and historical, statistical
or research activity.
Chapter 5 of the Bill
Supervision
Information Regulator &
Information Officer
Sections 39 to 56
Information Regulator
• The Bill provides for the “Information
Regulator” that:
– has jurisdiction throughout the Republic;
– is independent, impartial and must exercise its
powers without fear, favour or prejudice;
– must exercise its powers and perform its functions
in accordance with POPI and PAIA; and
– is accountable to the National Assembly.
Information Regulator
• The powers, duties and functions of the
Regulator are:
– to provide education and give advice;
– to monitor and enforce compliance;
– to consult with interested parties;
– to handle complaints;
– to conduct research and report to Parliament;
– to issue, make guidelines and approve codes of
conduct;
– to facilitate cross-border cooperation; and
Information officer
• PAIA is applicable with the necessary changes
– the information officer of a private body is
the CEO, or equivalent officer.
• A private body must designate persons, if any,
as deputy information officers to perform the
duties required in terms of the Bill.
• Deputy information officers must be
registered with the Regulator.
Information officer
• An information officer’s responsibilities include:
– encouraging compliance for lawful processing of PI;
– dealing with requests made pursuant to the Bill;
– working with the Registrar in relation to
investigations;
– ensuring compliance with the Bill; and
– as may be prescribed by the Regulator.
Chapters 6 to 9 of the Bill
Codes of Conduct
Direct Marketing
Automated Decision Making
Transborder Information Flows
Sections 57 to 72
Prior Authorisation
• Prior authorisation is needed only once and
not each time that PI is received or processed,
except where the processing departs from
that which has previously been
authorised.
• Prior authorisation is not applicable if a code
of conduct for a specific sector has come into
force.
Codes of Conduct
• A code must:
– incorporate all 8 conditions for lawful processing;
– prescribe how the conditions are to be applied,
given the particular features of the sector or
sectors;
– specify appropriate measures for PI matching
programmes if applicable;
– provide for review of the code by the Regulator;
and
– provide for the expiry of the code.
Codes of Conduct
• A code may apply to any one or more of the
following:
– any specified information or class of information;
– any specified body or class of bodies;
– any specified activity or class of activity; or
– any specified industry, profession, or vocation or
classes thereof.
Direct marketing
• Direct marketing means unsolicited electronic
communication.
• The processing of PI for the purpose of direct
marketing by any form of electronic
communication* is prohibited unless the data
subject:
– has given consent; or
– is a customer of the responsible party and if:
• the responsible party has obtained the contact details of the
data subject in the context of the sale of a product or
service;
* Includes automatic calling machines, facsimile machines, SMSs or e-mail.
Direct marketing
• it is for marketing the responsible party's own similar
products or services; and
• if the data subject has been given reasonable
opportunity to object, free of charge, at the time the
information was collected or on the occasion of each
communication for the purpose of marketing.
• A responsible party may only approach a data
subject whose consent is required, and who has not
previously withheld such consent, once to gain
consent and such consent must be in the
prescribed manner and form.
Automated decision making
• A data subject may not be subject to a decision which
affects him, her or it to a substantial degree and which is based
solely on the automated processing of PI
intended to provide a profile of such person unless:
– the decision is taken in connection with the conclusion or
execution of a contract; and
– appropriate measures have been taken to protect the data
subject's interests.
– there must be an opportunity for the data subject to make
representations about a decision made; and
– the responsible party must provide sufficient
information to enable the data subject to
make such representation.
Transborder information flows
• PI may not be transferred to a third party in a
foreign country unless:
– the recipient is subject to a law or agreement
which provides an adequate level of protection
that:
• effectively upholds substantially similar conditions for
the lawful processing of PI; and
• includes substantially similar provisions relating to the
further transfer of PI to third parties in foreign
countries;
Transborder information flows
– the data subject consents to the transfer;
– the transfer is necessary for the performance or
conclusion of a contract between the data subject
and responsible party;
– the transfer is necessary for the performance or
conclusion of a contract concluded in the interests
of the data subject between the responsible party
and a third party; or
Transborder information flows
– the transfer is for the benefit of the data subject,
and:
• it is not reasonably practical to obtain consent; and
• if it were reasonably practical to obtain consent, the
data subject would be likely to give it.
Chapters 10 & 11 of the Bill
Complaints and enforcement
Offences, penalties and
administrative fines
Sections 73 to 109
Complaints
• Interference with the protection of PI of a data
subject consists of:
– any breach of the conditions for lawful processing;
– a breach of the provisions of a code of conduct;
– non-compliance regarding:
• notification of security compromises;
• direct marketing;
• automated decision making; or
• transborder information flows.
Complaints
• Complaints must be made to the Regulator in
writing.
• On receipt of a complaint the Regulator must
conduct a pre-investigation into the matter and
may:
– decide to take no action;
– decide to conduct a full investigation;
– refer the complaint to the Enforcement committee; or
– refer the complaint to another regulatory body if it
falls more properly within the jurisdiction of the
other regulatory body.
Complaints
• The Regulator may, on its own initiative,
commence an investigation.
• The Regulator has the power to summon the appearance of
persons, require information under oath, enter
and search premises and conduct private
interviews.
• If entrance is unreasonably refused, a warrant
may be issued but only after 7 days have lapsed
after a written request for entrance has been
given.
Enforcement
• After completing an investigation into a
complaint the Regulator may refer such matter
to the Enforcement Committee for
consideration, a finding and recommendations:
– must consider all such referrals and make a finding;
and
– may make recommendations to the Regulator for
any action that should be taken against:
• a responsible party; or
• an information officer or head of a private body.
Enforcement
• If the Regulator is satisfied that a responsible party has
interfered with the protection of PI of a data subject,
the Regulator may issue an enforcement notice
requiring the responsible party to either:
– take specified steps within a specific period; or
– stop processing PI specified in the notice within a
specific period.
• A responsible party may request amendments to, or
cancellation of, an enforcement notice due to changed
circumstances.
• A responsible party may appeal within 30 days of
receiving the enforcement notice to the High Court.
Offences, penalties and fines
• Any person who hinders, obstructs or
unlawfully influences the Regulator or any
person acting under the direction of the
Regulator is guilty of an offence.
• A responsible party which fails to comply with
an enforcement notice.
• For the above
– Imprisonment not exceeding 10 years and/or a
fine.
Offences, penalties and fines
• A responsible party which in purported
compliance with an enforcement notice makes a
statement knowing it to be false is guilty of an
offence.
• Any person who intentionally obstructs a person
in the execution of a warrant is guilty of an
offence.
• For the above
– Imprisonment not exceeding 12 months and/or
a fine.
Administrative fines
• The Regulator may issue, by way of hand delivery, a
responsible party (“infringer”) with an infringement
notice.
• Such notice must specify the amount of an administrative
fine payable up to a maximum of R 10 million.
• Within 30 days of receipt of such notice the infringer may:
– pay the administrative fine;
– make instalment arrangements to pay the fine; or
– elect to be tried in court on a charge of having committed an
offence in terms of the Bill.
Administrative fines
• Failure to comply with an infringement notice
may result in the Regulator filing a statement
with any competent court that the amount of
the fine is correct, and such statement thereupon
has all the effects of a civil judgement.
• Administrative fines and prosecution are
mutually exclusive.
• Fines payable must be paid into the National
Revenue Fund.
Chapter 12 of the Bill
Transitional arrangements
Section 114
Transitional arrangements
• Expected timeframe for implementation:
• the National Assembly approved the Bill on 11
September;
• Bill was sent to the NCoP on 20 September; and
• If the NCoP has no issues with the Bill it will
probably be enacted within 2 months.
• All processing of PI must within one year after
the commencement of the Act be done in
conformance with the Act.
Any questions?