Protection of Personal Information (“POPI”)

Era Gunning

director | Banking and Finance

Protection of Personal Information Bill

20 August 2013 - National Assembly passed the Protection of Personal Information Bill [B9D of 2009]

19 November 2013 - signed into law by the President

Section 115 - Act will come into force on a date to be determined by the President by proclamation in the Gazette

11 April 2014 - Regulations, Regulator and definitions


Protection of Personal Information Bill cont…

24 July 2015: Parliament calls for nominations for candidates for five positions within the Regulator

13 April 2016: the Portfolio Committee on Justice and Correctional Services (“the Committee”) shortlists 10 candidates for positions within the Regulator

17 May 2016: the Committee recommends that Adv. Pansy Tlakula be appointed as chairperson and four other candidates as members of the Regulator

1 December 2016: Regulator appointed

transitional period of 1 year

8 September 2017: Draft Regulations

what is “personal information”?

information relating to an identifiable:

living natural person

existing juristic person as far as applicable

personal information

race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture and birth

education or medical, financial, criminal or employment history

any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assigned to the person

biometric information

personal information

personal opinions, views or preferences

the views or opinions of another individual about the person

correspondence sent by the person that is implicitly or explicitly of a private/confidential nature

the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person


what is “processing”?

any activity concerning personal information, e.g.

the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use

dissemination by means of transmission, distribution or making available in any other form

merging, linking, restriction, degradation, erasure or destruction of information


what processing activities are covered?

processing of personal information by public and private bodies:

• entered into a “record” – if recorded by non-automated means, it must form part of a filing system ; AND

• by or on behalf of a responsible party that is:

domiciled in South Africa

not domiciled in South Africa, using automated or non-automated means situated in South Africa, unless only used to forward personal information through the Republic


who are the roleplayers?

Data Subject: the person to whom the information relates

Responsible Party: a private or public body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information

Operator: a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party

Regulator: the Regulator established by POPI


further restrictions on application (exemptions)

POPI does not regulate:

pure household or personal activities

information that has been de-identified

information processed by or on behalf of a public body for national security, defence or public safety, or for the prevention, investigation or proof of offences, the prosecution of offenders or the execution of sentences

processing for purely journalistic purposes if subject to a code of ethics that provides adequate safeguards for protection

the 8 processing conditions

accountability: data controllers and responsible parties must comply with these eight principles

processing limitation: data should only be obtained by limited and lawful processing that does not unnecessarily infringe privacy

purpose specification: the purpose for which personal data is collected must be specific, explicitly defined and lawful

further processing limitation: further processing must be compatible with the purpose for which the data was collected

the 8 processing conditions cont.

information quality: reasonably practicable steps to ensure personal information is complete, accurate, not misleading and updated

openness: notify the Regulator that it processes personal information where pre-approval is required, and advise the data subject of certain mandatory information in regard to the collection

security safeguards: the integrity and confidentiality of the personal information must be secured

data subject participation: the data subject has certain access rights, including a right to request its deletion

impact of key pieces of legislation on direct marketing

Electronic Communications and Transactions Act

Consumer Protection Act

Protection of Personal Information Act

Protection of Personal Information Act

the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject

• has given his, her or its consent to the processing; or

• is a customer of the responsible party

consent to direct marketing

a responsible party may only request consent once if (i) consent is required and (ii) consent was not previously withheld

direct marketing communications must contain —

• details of the identity of the sender or the person on whose behalf the communication has been sent

• an address or other contact details to which the recipient may send a request that such communications cease

existing customers

a responsible party may only process the personal information of a customer:

• if contact details were obtained in the context of the sale of a product or service

• for the purpose of direct marketing of the responsible party's own similar products or services

• if the data subject has been given a reasonable opportunity to object, for free and without unnecessary formality:

at the time when the information was collected; and

on the occasion of each marketing communication if the data subject had not previously refused use
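The direct-marketing rules above (consent route, existing-customer route, single consent request and mandatory message content) can be enforced as a send-time gate. The following is an added example written for this page, not code from the presenter or from ENSafrica; the record fields, the use of a purchased product category as the proxy for "own similar products", and the campaign object are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DataSubject:
    """Hypothetical record of what the responsible party knows about one person."""
    subject_id: str
    consent_given: bool = False              # consented to electronic direct marketing
    consent_withheld_before: bool = False    # consent was requested once and refused
    is_customer: bool = False
    details_obtained_in_sale: bool = False   # contact details collected in the context of a sale
    objection_offered_at_collection: bool = False
    objected: bool = False                   # has refused / opted out at any point
    products_purchased: frozenset = field(default_factory=frozenset)


@dataclass
class Campaign:
    """Hypothetical description of one marketing message."""
    product_category: str   # proxy for "own similar products or services" (assumption)
    sender_identity: str    # identity of the sender or of the party on whose behalf it is sent
    opt_out_contact: str    # address to which a 'cease communications' request may be sent


def may_request_consent(s: DataSubject) -> bool:
    """Consent may be requested only once, and only when it is actually required."""
    if s.consent_given:
        return False                 # already held: asking again is not required
    return not s.consent_withheld_before


def may_send_direct_marketing(s: DataSubject, c: Campaign) -> tuple[bool, str]:
    """Return (allowed, reason) for sending campaign c to data subject s."""
    if s.objected:
        return False, "data subject has refused direct marketing"
    if s.consent_given:
        return True, "consent held"
    # no consent: only the existing-customer route remains, and every limb must hold
    if not s.is_customer:
        return False, "no consent and not a customer"
    if not s.details_obtained_in_sale:
        return False, "contact details not obtained in the context of a sale"
    if c.product_category not in s.products_purchased:
        return False, "not the responsible party's own similar products or services"
    if not s.objection_offered_at_collection:
        return False, "no opportunity to object was given at collection"
    return True, "existing customer, own similar products, objection offered"


def message_defects(c: Campaign) -> list[str]:
    """Mandatory content of every direct-marketing communication."""
    defects = []
    if not c.sender_identity.strip():
        defects.append("missing sender identity")
    if not c.opt_out_contact.strip():
        defects.append("missing contact details for opt-out requests")
    return defects


def plan_campaign(subjects, c: Campaign) -> list[str]:
    """Ids of subjects the campaign may go to; empty if the message itself is defective."""
    if message_defects(c):
        return []
    return [s.subject_id for s in subjects if may_send_direct_marketing(s, c)[0]]


if __name__ == "__main__":
    # constructed sample records
    customer = DataSubject("c1", is_customer=True, details_obtained_in_sale=True,
                           objection_offered_at_collection=True,
                           products_purchased=frozenset({"insurance"}))
    stranger = DataSubject("c3")
    campaign = Campaign("insurance", "Example Bank", "stop@example.com")
    for s in (customer, stranger):
        print(s.subject_id, may_send_direct_marketing(s, campaign))
```

The reason string is returned alongside the decision so that a refused send can be logged and explained to the marketing team; the gate deliberately fails closed whenever any limb of the existing-customer route is unknown.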


impact of draft regulations – Form 4

transborder information flows

a responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless certain requirements are met

this has far-reaching implications for parties who transact in foreign jurisdictions, multinationals, companies engaged in cloud-computing transactions, outsourcing transactions etc.

however, it will also apply to anybody sending an email or other communication containing personal information to a foreign country

transborder information flows cont.

third party must be subject to

• a law; or

• binding corporate rules; or

• binding agreement

which provides an adequate level of protection (i) substantially similar to the principles and (ii) includes provisions substantially similar to Chapter 9 to restrict further transfer

• the data subject consents to the transfer

• transfer is necessary for the performance of a contract between the data subject and the responsible party, or the implementation of pre-contractual measures taken in response to a data subject’s request

• transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject

• the transfer is for the benefit of the data subject and (i) not reasonably practicable to obtain consent and (ii) if it were reasonably practicable, the data subject would be likely to give consent

non-compliance

any person may lodge a complaint with the Regulator

the Regulator may try to secure a settlement

if no settlement is possible, the Regulator may initiate an investigation

if there is a breach, the Regulator may issue an enforcement notice

the data subject / Regulator may sue the responsible party for damages

non-compliance cont…

uncertain what amounts would be awarded, but court would be entitled to award:

• damages for patrimonial and non-patrimonial loss

• aggravated damages

• interest

• legal fees

12 months to 10 years' imprisonment, a fine (R10 million!) or both

general rule – beautiful consent clause

personal information may only be processed if consent is obtained

consent must be “voluntary, specific and informed”

“ingredients” of a beautiful consent clause:

• notification requirements

• transborder transfers

• record retention

• further use

• direct marketing


ensure now that your data house is ok

step 1: preliminary meeting / conference call with stakeholders

obtain information and understand the business areas in terms of the application of POPI

engage with stakeholders and identify key personal information processing areas, such as:

• client data;

• human resources, and corporate communication; and

• record management

get ‘high-level buy in’ to POPI compliance

ensure now that your data house is ok cont.

step 2: POPI audit

stakeholders to complete POPI Audit Questionnaires

prepare POPI Audit Spreadsheet (i.e. list items to be audited, including job application forms, terms and conditions, service-level agreements, PAIA Manual and existing policies and procedures)

ensure now that your data house is ok cont.

step 3: amendment of existing documentation

action POPI Audit Findings Report (i.e. amend existing documents identified as non-compliant in step 2 for POPI compliance)


ensure now that your data house is ok cont.

step 4: risk identification and POPI toolkit

assess the need to develop and implement or amend further policies, procedures and terms and conditions (“POPI Toolkit”) including -

• data protection policy;

• consent policies and forms;

• data access policy;

• security breaches policy; and

• employee privacy requirements

ensure now that your data house is ok cont.

step 5: preparation for POPI implementation

prepare a tailor-made POPI Toolkit

draft a customised POPI manual/guide in plain language

draft a model consent clause template

ensure now that your data house is ok cont.

step 6: information officer preparation

set up the Information Officer function and a suggested framework for managing internal POPI compliance procedures, escalation channels and working committees post-POPI implementation

training of Information Officer, including POPI Toolkit training

data protection breaches

a London HIV clinic that leaked data on 781 of its patients has been fined £180,000

56 Dean Street, based in London's Soho, sent an email newsletter with all patient email addresses in the 'To' field, rather than the 'Bcc' field

the email addresses allowed for the identification of the patients – 730 of the 781 contained people's full names – and constituted a "serious breach" of data protection rules, the Information Commissioner's Office (ICO) said

http://www.wired.co.uk/article/56-dean-street-fine-data-protection-hiv
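The 56 Dean Street incident is a failure mode an outbound mail gate can catch mechanically: a newsletter whose To or Cc header carries the whole recipient list. The following is an added example written for this page, not code from the presenter, the clinic or the ICO; the threshold of one visible address, the sample addresses and the message shapes are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy: a message that exposes more than this many distinct addresses
# in To/Cc is treated as a bulk mailing that leaks its recipient list.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: To and Cc. Bcc is stripped by the MTA, so it is not counted."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def check_outbound(msg: EmailMessage) -> tuple[bool, str]:
    """Outbound gate: refuse a message that discloses a recipient list."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        return False, f"{len(seen)} addresses visible in To/Cc; use Bcc or one message per recipient"
    return True, "ok"


def unsafe_newsletter(sender, subject, body, recipients) -> EmailMessage:
    """The shape of the message in the incident: every recipient placed in To (constructed)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = ", ".join(recipients)
    m["Subject"] = subject
    m.set_content(body)
    return m


def safe_newsletter(sender, subject, body, recipients) -> list[EmailMessage]:
    """One message per recipient, so no To header ever carries another person's address."""
    out = []
    for r in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = r
        m["Subject"] = subject
        m.set_content(body)
        out.append(m)
    return out


if __name__ == "__main__":
    patients = ["p1@example.org", "p2@example.org", "p3@example.org"]  # constructed sample
    print(check_outbound(unsafe_newsletter("clinic@example.org", "News", "Hello", patients)))
    for m in safe_newsletter("clinic@example.org", "News", "Hello", patients):
        print(m["To"], check_outbound(m))
```

Sending one message per recipient removes the Bcc step that a person can forget; the gate is the second line of defence for mail that bypasses the safe builder.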

data protection breaches cont.

in 2010, the Commissioner imposed a fine of £60,000 on A4e Ltd when a laptop containing unencrypted PI relating to 24,000 individuals who had used community legal advice centers was stolen from the house of an employee

he also fined Hertfordshire County Council £100,000 for twice sending child abuse documents intended for counsel to the wrong fax number

data protection breaches cont.

in 2007, the Spanish data protection authority imposed a fine of EUR1,081,822 on Zeppelin Television SA, which produces the Spanish version of the Big Brother television reality show, for failure to protect the PI of applicants and contestants and failure to obtain their express consent to the processing of sensitive PI and to the transfer of their PI to third parties

this fine was confirmed by Spain’s Supreme Court

thank you | questions

Era Gunning, director | ENSafrica

[email protected]

+27 (0)11 302 3157

+27 (0)82 788 0827

Privacy and Cybersecurity

- Practical Steps

- Cybersecurity Bill

Ridwaan Boda

• head of Technology, Media and Telecommunications Law

• member of the United Nations Global Pulse Privacy Advisory Group

overview

• elements of Proactive Compliance

• relationship between Privacy and Cyber Security

• specific interventions

• data opportunities

• General Data Protection Regulation (GDPR) – more of a concern than POPI?

• Cybersecurity Bill

• cyber insurance


elements of proactive compliance

understand the law - training

appoint / reconsider / outsource the role of information officer

implement a Risk Management Framework (e.g. POPI Toolkit)

in addition, specific interventions required including:

Privacy By Design / Privacy Engineering

Privacy Impact Assessments and Data Flow Diagrams

Data Ethics Councils

relationship between privacy and cybersecurity

recognition of the boundaries and overlap between privacy and security

security models may be applied to identify gaps and to address privacy concerns

this is called privacy by design or privacy engineering


Privacy by Design

what is Privacy by Design?

principles of Privacy by Design / Privacy Engineering

• proactive and preventative – not reactive nor remedial

• lead with privacy as the default setting

• embed privacy into design

• privacy and security important – no trade-offs

• ensure end-to-end security

• maintain visibility and transparency

• respect user privacy


Privacy by Design objectives

the three primary components of the Privacy by Design objectives

• predictability

• manageability

• disassociability

Image: nist.gov


Privacy by Design strategies


Privacy Impact Assessments and DFD

what are privacy impact assessments?

included in the GDPR as a requirement

examples of when this should be done:

• new product / marketing initiatives launches

• cloud computing transactions

• M&A activities

• expansion into foreign territories

• cross border projects

• new projects

data flow diagrams / data mapping

Data Ethics Councils

why a data ethics council?

is an information officer enough?

role of council

relationship with board of directors

relationship with information officer


data opportunities

data – “the new oil” – Mark Zuckerberg

(big) data – “the world's most valuable resource” – The Economist

commercial exploitation of big data

privacy issues

commercial model

contracts

internal safeguards

data philanthropy


GDPR

POPI not the only concern

on May 25, 2018, the new set of privacy rules formed by the GDPR takes effect

every organization, regardless of its location, doing business with the EU market will need to make changes to its oversight, technology, processes and people to comply with the new GDPR rules

time is running out!

Cybercrimes and Cybersecurity Bill

Bill in its second draft

submitted to the National Assembly on 21 February 2017

public hearings held earlier this year; further hearings scheduled for later this year

no timeline at this stage for finalisation of the Bill


chapters in the Bill

chapter 1 - definitions

chapter 2 - cybercrimes

chapter 3 - malicious communication

chapter 4 - jurisdiction

chapter 5 - powers to investigate, search and access or seize

chapter 6 - mutual assistance

chapter 7 - 24/7 point of contact

chapter 8 - evidence

chapter 9 - obligations of electronic communications service providers and financial institutions

chapter 10 - structures to deal with cyber security

chapter 11 - critical information infrastructure protection

chapter 12 - agreements with foreign states

chapter 13 – general provisions

aims of the Bill

create cybercrime offences

prescribe penalties for cybercrimes

criminalise distribution of harmful data messages

provide interim protection orders

regulate jurisdiction for cybercrimes

regulate power to investigate

regulate aspects of mutual legal assistance

establish 24/7 point of contact

provide for proof of certain facts by affidavit

impose obligations on electronic communications service providers and financial institutions to assist in investigating and reporting cybercrimes

aims continued

provide for the establishment of structures to promote cybersecurity and build capacity

regulate the identification and declaration of critical information infrastructures

create measures to protect critical information infrastructures

provide that the Executive may enter into agreements with foreign States to promote cybersecurity


cybercrimes

cybercrimes detailed

• s 2 - unlawful securing of access

• s 3 - unlawful acquiring of data

• s 4 - unlawful acts in respect of software and hardware tools

• s 5 - unlawful interference with data or computer program

• s 6 - unlawful interference - computer data storage medium or computer system

• s 7 - unlawful acquisition, possession, provision, receipt or use of passwords, access codes or similar data or devices

• s 8 - cyber fraud

• s 9 - cyber forgery and uttering

• s 10 - cyber extortion

• s 11 - aggravated offences

• s 12 – attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding or procuring to commit an offence

• s 13 - theft of incorporeal

• s 14 - penalties

• s 15 - competent verdicts


malicious communication

s 16 – a data message broadcast or distributed by means of a computer system that incites damage to property or violence against people is an offence

s 17 – a data message broadcast or distributed by means of a computer system that is harmful is an offence. Harmful:

• damage to property, violence

• intimidates, encourages or harasses a person to harm themselves or another

• is inherently false information aimed at causing mental, psychological, physical or economic harm

s 18 – a data message broadcast or distributed by means of a computer system that is of an intimate image of an identifiable person without that person's consent is an offence

s 19 – a complainant may apply for an interdict


cyber insurance

multimedia liability

security and privacy liability

privacy regulatory defence and penalties

privacy breach response costs, customer notification expenses and customer support and credit monitoring expenses

network asset protection

cyber extortion

cyber terrorism coverage

thank you | questions

Ridwaan Boda, director | ENSafrica

[email protected]

+27 (0)83 345 1119