The Protection of Personal Information Act 2013
Personal Information is your business
25.09.14
KOMESHNI PATRICK
TECHNOLOGY LAWYER/DIRECTOR/ENDCODE.ORG
Contents










Definitions
Aims
Exemptions
Key Role Players for POPI
8 Conditions of POPI
POPI and Consent
POPI and Notification
Giving PI Away
POPI for Business
PI & Cybercrime
What is Personal Information (PI)?

Section 1

Identifiable, living, natural person or identifiable, existing juristic person

Race, sex, gender, name, sexual orientation, age, mental health

Medical, financial, criminal or employment history

E-mail address, physical address, telephone number, location information, online identifier

Biometric information

Personal opinions, views or preferences

Private correspondence

Opinions of another individual about the person

name of the person if it appears with other personal information relating to the person or if the
disclosure of the name itself would reveal information about the person
What is Special Personal Information?

Section 1

The religious or philosophical beliefs

race or ethnic origin

trade union membership

political persuasion

health or sex life or biometric information of the person

The criminal behaviour of the person to the extent that such information relates to—

The alleged commission by the person of any offence

Any proceedings in respect of any offence allegedly committed by the person or the disposal of such
proceedings
What is Processing?

Sections 1 and 4 of POPI


Processing means any activity whether by automatic means or not, concerning personal
information, including

The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval,
alteration, consultation or use;

Dissemination by means of transmission, distribution or making available in any other form; or

Merging, linking, as well as restriction, degradation, erasure or destruction of information;
Processing must be for a defined and legitimate purpose that is clear to the DS from whom
you are collecting the PI
The Protection of Personal Information 4 of 2013 (POPI)
Aims:

Protection of PI processed by private and public bodies

Minimum requirements for processing of PI

Establishment of Information Regulator

Codes of Conduct

Rights protection against SPAM and automated decision-making

Regulate cross-border flow
Exemptions from POPI
Personal &
Household
• Personal address
book
• Personal Computer
De-identified
& cannot be
re-identified
Public
Bodies
involved in
national
security
• Prevention and
detection of unlawful
activities
• Terrorism, money
laundering, offenses
Judicial
Function of
a Court
• Section 166 of the
Constitution
Terrorism
Journalistic,
literary,
artistic
• Anonymous Surveys
• Course Evaluation
• Terrorist & Related
Activities Act 33 of
2004
• Freedom of
Expression (S16
Constitution)
• Codes of Ethics
govern PI
infringements
Key Role Players for POPI
Data Subject
Responsible Party
Operator
Competent Person
Information Regulator
• The person to whom PI relates
• Public or private body or any other person which determines the purpose of and means
for processing PI
• Person who processes PI for a RP in terms of a contract or mandate, without coming
under the direct authority of that party
• Any person legally competent to consent to any action or decision being taken in respect
of any matter concerning a child
• A juristic person established in terms of the Act accountable to the National Assembly
and appointed by the Minister of Justice
8 Conditions of POPI
Accountability
Processing
Limitation
•RP to ensure conditions for lawful processing
•Minimality – adequate, relevant and not excessive
•Consent, Justification, Objection
•Collection directly from Data Subject
Purpose
Specification
• specific, explicitly defined and lawful purpose
• Records of PI must not be retained longer than is necessary for achieving
the purpose
• Exemption: record required by law, historical, statistical or for research
• destroy/delete/de-identify a record of PI once purpose achieved
Further
Processing
Limitation
•To be compatible with original purpose of collection if not, consent
for further processing is required
8 Conditions of POPI
Information
Quality
•RP must take steps to ensure PI is complete, accurate and not
misleading
Openness
•Records of the processing cycle for operations must be maintained
and made available to the DS
•Obligation on RP to notify the DS upon collection of PI
Security
Safeguards
•Integrity and confidentiality of PI must be maintained to prevent loss,
damage, unauthorised destruction, unlawful access or processing
•Operator must notify RP if there are reasonable grounds to believe that
the PI was accessed by an unauthorised person and the RP has to
notify the Regulator and the DS
Data Subject
Participation
• Right to be informed - DS can be requested free of charge if PI held
• Where DS requests copy of the record, the RP can charge a fee
• DS can request correction or deletion of PI that is inaccurate, irrelevant, out
of date, excessive, incomplete, misleading or unlawfully obtained
POPI and Consent
General Consent Section
Section 11
Retention of Records
Section 14(1)(d)
• Consent from DS for processing PI
• Consent can be withdrawn at any time.
• Where the DS is a child, consent is needed from a Competent
Competent Person
• For records to be retained longer than is needed for achieving the
achieving the purpose of the data processing, the DS must consent.
POPI and Consent
Restriction on processing
processing
Section 14(7)
• The RP must restrict processing of information if:
• The accuracy is contested by DS and RP has to verify the PI
• May only be processed:
• With DC consent or Competent Person’s consent
• For purposes of proof
• To protect a right of another natural or legal person
• For public interest
POPI and Consent
Further Processing Section
Notification of Collection
Collection
Section18(4)(a)
• Further processing of information that is inconsistent with the
with the original purpose of collection can only occur if the DS
the DS consents.
• The DS can consent to not being notified when their information is
information is collected.
POPI and Consent
Special Personal
Information
Section 27
Religious Beliefs Section
Section 28(3)
• The DS must consent to the processing of special personal
personal information.
• Information regarding religious or philosophical beliefs can be
can be processed only by religious or spiritual institutions to which
institutions to which the DS belongs without consent.
• Consent from the DS is needed when this data is supplied to third
supplied to third parties.
POPI and Consent
Trade Union Membership
Membership
Section 30(2)
Political Persuasion
Section 31(2)
• Information regarding trade union membership can be processed
processed only by the trade union or its controlling body to which
body to which the DS belongs.
• Consent from the DS is needed when this data is supplied to third
supplied to third parties.
• Information regarding political persuasion can be processed only by
processed only by institutions founded on political principles to
principles to which the DS belongs without consent.
• Consent from the DS is needed when this data is supplied to third
supplied to third parties.
POPI and Consent
Information regarding
Children Section 34
• Processing PI regarding children can only occur with the consent
the consent from a person who has legal competency to make
to make decisions regarding that child.
• Processing for direct marketing is prohibited unless the DS gives
DS gives consent.
Direct Marketing Section
Section 69
• To request consent, the RP may approach the DS for consent
consent only once and only if the DS has not previously withheld
previously withheld consent.
POPI and Consent
Foreign Country Transfer
Transfer
Section 72(1)
Minister’s Powers Section
Section 112(2)(f)
• RP may not transfer PI to a third party in a foreign country unless
country unless the DS has consented or the transfer benefits the
benefits the DS and it is impractical to obtain consent and the DS
and the DS would likely give consent. Foreign country should have
should have similar processing protection as POPI.
• The Minister has the power to create regulations regarding the
regarding the manner and form within which the DS’s consent must
consent must be obtained or requested for direct marketing.
POPI and Notification
Notification to DS when
when collecting PI Section
Section 18
Security measures regarding
regarding information
processed by operator
Section 21
• Notification to DS when collecting personal information
• The Operator must notify the RP immediately where there are
there are reasonable grounds to believe that the personal
personal information of a DS has been accessed or acquired by any
acquired by any unauthorised person
POPI and Notification
Notification of Security
Compromises
Section 22
• Where there are reasonable grounds to believe that the personal
personal information of a DS has been accessed or acquired by any
acquired by any unauthorised person, the RP must notify the
notify the Regulator and the DS
Correction of personal
personal information
Section 24
• The RP must notify a DS, who has made a request for correction or
correction or deletion of record of the action taken as a result of
result of such request
POPI and Notification
Responsible party
party to notify
Regulator if
processing is
subject to prior
authorisation
Section 58
• RP must notify and obtain prior authorization from the Regulator
Regulator for processing for the following:
• for a purpose other than the original purpose as intended at
intended at collection
• with the aim of linking the information together with information
information processed by other responsible parties
• process information on criminal behaviour
• process information for the purposes of credit reporting or
Giving Your PI Away
Shopping online
Subscribing or
registering
Competitions,
prizes, rewards
Online games and
virtual worlds
Social Media
Online Browsing
Employment
Name
Surname
email address
telephone number
postal address
city
Education
credit card
number
ID number
physical address
POPI for Business
Financial
Education
Gaming
Transport
Social Media
Advertising
Music
Telecoms
Personal Information is
your Business
Credit
Sports
Insurance
Mapping
IT
Banking
Medical
POPI for Business
1
2
3
4
3
4
5
6
7
8
• POPI Strategy
• Appoint an Information Officer
•Privacy Policy
• Consider who the Data Subjects are
• Limit the collection type and amount to the purpose
• Third party Transfer
• Cross-border transfer
• Direct Marketing Practices
• Special Personal Information
• Children’s Personal Information
• Directories
POPI for Business
• -Obtain consent DS to use PI for the specified purpose
Creating
Business
Process
POPI for Business
Well managed brand
Strengthens the brand
Conveys that the business understands its legal obligations to the client
Builds
trust in the brand
POPI for Business
Privacy infringement
Loss of Intellectual Property
Defamation
Loss of sensitive information
Security compromise - issues of national security
Financial loss
POTENTIAL FOR LITIGATION
Brand Damage
PI and Cyber Crime
Cybercrime
PI
PI & Cybercrime
Lloyd’s 2013 Risk Index Report
Cyber security has moved from 12th position to 3rd position as a global concern to business.
The 2013 Norton Report
South Africa has the third highest number of cybercrime victims following Russia and China.
PwC’s Global State of Information Security Survey 2014
reported a rise of 25% in security incidents with a 51% rise in spend on security. Overall, this
makes up only 4% of the IT spend.
PI & Cybercrime
South Africa’s National Cyber Security Policy Framework was passed in March 2012
18 months later
Department of Communications appointed the National Cyber Security Advisor in October
2013
Goal
co-ordinate government actions on cyber security and ensure co-operation between
government, the private sector and civil society on addressing cyber threats
PI & Cybercrime
The Electronic Communications and Transactions Act 2002
9 years later
No cyber inspectors to enforce cyber security
Wolfpack Information Risk’s report – The South African Cyber Threat Barometer
2012/13
no national computer security incident response team
no national response team to co-ordinate a cyber defence strategy
Annual losses in 3 sectors = R2.65 billion
PI & Cybercrime
India
Sponsored training for 500 000 “cyber warriors”
South Korea
5000 cyber specialists are developed annually
United Kingdom
11 centres established for cyber skills development allied to the universities
South Africa
?
Thanks, Questions?
Komeshni Patrick
Komeshni.patrick@endcode.org
www.endcode.org