PROTECTION OF PERSONAL INFORMATION

Source: web.vdw.co.za/Portals/12/Documents/events/2014/POPI - Grant...



The Facilitator: Grant Wilkinson – Executive

Grant matriculated at Muir College in Uitenhage and progressed to the University of Port Elizabeth, where he attained his LLB degree.

At University he was involved in numerous activities and received several awards and offices, including Public Relations Officer of the Law Committee (1999/2000), Vice-Chairman of the Law Committee (2000/2001), the AC Cilliers prize for best performance in Civil Procedure, and the Golden Key Academic Honours Society.

Grant completed his articles at Greyvensteins Nortier in Port Elizabeth, before staying on as a civil litigation attorney, appearing in both the Magistrates’ and High Courts by the age of 24.

Grant then went on to work for an employers’ organisation, SEESA, where he worked in the EL and PE branches, before settling with Global in Cape Town. He continues to study a variety of courses.


Grant is a versatile individual whose career has been moulded in the hotbed of the Eastern Cape. Grant is a hardworking, dedicated individual whose eye for detail has made him a contracts specialist. Grant belies the old saying of “Jack of all Trades and Master of None” and has utilised his commercial law and psychology backgrounds to good effect in his roles as executive, attorney, mediator and facilitator. Grant is a Chartered Professional of the SABPP and has been a contributory author in a multinational book on Drugs and Alcohol in the Workplace, and his articles have been published in numerous publications including HR Future and Business Day Tax & Law Review.

Grant designed and implemented the GBS Labour Audit process and is also the anchor facilitator and Institute Liaison for GBS’s Diploma in Labour Law, and has lectured for various institutes including inter alia the Da Vinci Institute of Technology, Rhodes Investec Business School and the University of Stellenbosch Business School (where he is a member of the Faculty for the African continent).

Grant has been the CAPES and a business representative at the Department of Labour’s consultation process as well as the Parliamentary sessions on the Labour Law Amendment process.


LINKED LEGISLATION

* Protection of personal information (sections 50 – 51 of the Electronic Communications and Transactions Act 25 of 2002)

* Consumer’s right to privacy (sections 11 – 12 of the Consumer Protection Act 68 of 2008)

* The right of access to any information that is held by another person and that is required for the exercise or protection of any right (section 9 of the Promotion of Access to Information Act 2 of 2000)

Dates shown on the slide: 27 APRIL 1995; 31 MARCH 2011; 30 AUGUST 2002; 9 MARCH 2001. PARTIAL PROMULGATION.


PURPOSE OF THE ACT

1. To safeguard personal information.

2. To regulate the manner in which personal information may be processed.

3. To provide persons with rights and remedies to protect their personal information.

4. To establish voluntary and compulsory measures to ensure respect for, and to promote, enforce and fulfil, the rights protected by this Act.


APPLICATION OF THE ACT

3 (1) This Act applies to the processing of personal information –

(a) entered in a record by or for a responsible party by making use of automated or non-automated means;

(b) where the responsible party is –

(i) domiciled in the Republic; or

(ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic…


EXCLUSIONS FROM THE ACT

6. (1) This Act does not apply to the processing of personal information –

(a) in the course of a purely personal or household activity;

(b) that has been de-identified to the extent that it cannot be re-identified again;

(c) by or on behalf of a public body and –

(i) which involves national security…

(ii) the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures…

(d) by the Cabinet and its committees or the Executive Council of a province; or

(e) relating to the judicial functions of a court…


IMPORTANT DEFINITIONS


“data subject” means the person to whom personal information relates;


“de-identify”, in relation to personal information of a data subject, means to delete any information that –

(a) identifies the data subject;

(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject;


“direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –

(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or

(b) requesting the data subject to make a donation of any kind for any reason.


JUNK MAIL


“electronic communication” means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal until it is collected by the recipient;


“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;


(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.



“processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:


12. Personal information must be collected directly from the data subject, unless –

(a) the information is contained in or derived from a public record or has deliberately been made public by the data subject;

(b) the data subject has consented to the collection of the information from another source;

(c) collection of the information from another source would not prejudice a legitimate interest of the data subject…



“record” means any recorded information –

(a) regardless of form or medium, including any of the following:

(i) writing on any material;

(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;

(iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;

(iv) book, map, plan, graph or drawing;

(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

(b) in the possession or under the control of a responsible party;

(c) whether or not it was created by a responsible party; and

(d) regardless of when it came into existence;


“responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;


CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION


THE LAWFUL PROCESSING OF PERSONAL INFORMATION

8 CONDITIONS

1. ACCOUNTABILITY (section 8)

2. PROCESSING LIMITATION (sections 9 – 12)

3. PURPOSE SPECIFICATION (sections 13 – 14)

4. FURTHER PROCESSING LIMITATION (section 15)

5. INFORMATION QUALITY

6. OPENNESS

7. SECURITY SAFEGUARDS

8. DATA PARTICIPATION


CONDITION 1 = ACCOUNTABILITY

Section 8 – The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.


Ask yourself this…

1. Is there currently an individual / a department responsible for overall information security compliance?

2. Is each department currently being monitored against information security standards?


Plan of Action

DUTIES AND RESPONSIBILITIES OF INFORMATION OFFICER

(1) An information officer’s responsibilities include –

(a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;

(b) dealing with requests made to the body pursuant to this Act;

(c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;

(d) otherwise ensuring compliance by the body with the provisions of this Act; and

(e) as may be prescribed.

(2) Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.

Section 56 provides for the designation and delegation of deputy information officers.


CONDITION 2 = PROCESSING LIMITATION

PERSONAL INFORMATION MAY ONLY BE PROCESSED IF –

(a) the data subject consents to the processing; or

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; or

(c) processing complies with an obligation imposed by law on the responsible party; or

(d) processing protects a legitimate interest of the data subject; or

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.


In Layman’s Terms…

* That personal information is processed in a lawful manner that does not unreasonably infringe upon the privacy of the individual to whom the personal information relates (clause 8).

* That only the minimum amount of personal information be processed as is relevant to achieve the purpose for which it is required. An organisation may not request more information than is necessary to achieve a particular purpose (clause 9).

* That the explicit consent of the individual is obtained prior to the processing of personal information. If the individual objects to such processing, the organisation may not continue with the processing of that information (clause 10).

* That the organisation must collect the personal information directly from the individual except in situations that are specifically excluded from the Act, for example if the information is contained in a public record or was deliberately made public for the purpose for which it is needed.


Ask yourself this…

1. Is there a formal policy for the processing of personal information?

2. Does your policy for processing of information identify the basis in terms of which the information may be processed (i.e. consent, legislation, contract)?

3. For which purposes does your business process the different categories of information?

4. How does your business assess whether the type of personal information is adequate for, and relevant to, the purpose for which it is collected?

5. How does your business ensure that the type of information requested and provided is not excessive for its purpose?

6. Does your business have procedures in place for de-identifying personal information?

7. Does your business obtain the consent of individuals before processing their personal information?


Ask yourself this…

8. When is consent obtained?

9. How is consent obtained?

10. Does your business record instances of non-consent?

11. Does your business supply personal information to third parties?

12. If yes, does your organisation obtain consent from the relevant individual to supply their personal information to third parties?

13. Does your business obtain personal information directly from the individual concerned?

14. Does your business use intermediaries or agents to collect personal information?


CONDITION 3 = PURPOSE SPECIFICATION

1. Steps must be taken to ensure that the data subject is aware of the purpose of the collection of the information.

2. Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed unless –

(a) retention is required or authorised by law;

(b) the responsible party requires the record for lawful purposes related to its functions or activities;

(c) retention is required by a contract between the parties thereto; or

(d) the data subject has consented to the retention of the record.

3. Records of personal information may be retained for longer periods for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.

4. A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practical after the responsible party is no longer authorised to retain the record.

5. The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction.


In Layman’s Terms…

1. Ensure that personal information is only processed for specific, explicitly defined and legitimate reasons relating to the functions or activities of the organisation;

2. Take steps to make the data subject (person whose personal information is being processed) aware of the purposes for which the personal information will be processed; and

3. Establish mechanisms to ensure that personal information is only kept for as long as it is required to fulfil the purpose for which it was collected.


Ask yourself this…

1. For which purposes does your business collect personal information?

2. Does your business classify personal information in terms of the purpose for which it is processed?

3. Does your business inform relevant persons about the specific purposes for which their personal information is required?

4. Does your business clearly identify the names and categories of all people and organizations to whom the information will be supplied?

5. When and how does your business inform relevant persons of the purposes for which their personal information is required?

6. Does your business offer relevant persons the opportunity to restrict the purposes for which their personal information will be processed?

7. Does your business offer relevant persons the opportunity to object to the recipients to whom the personal information will be supplied?


Ask yourself this…

8. Does your business’ document retention policy make provision for the retention of records containing personal information?

9. What is your business’ process for destroying and / or de-identifying records at the end of the retention period?

10. Does your business inform relevant persons about the duration for which the record will be retained and how these records will be destroyed at the end of the retention period?


Keeping the information for longer…

1. If the organisation is required to keep the information in terms of any other law;

2. If the organisation needs to keep the information for a lawful purpose related to its activities (as long as any further purpose is communicated to the data subject);

3. If the organisation is contractually bound to keep the information (as long as the data subject’s rights are not unreasonably intruded upon); or

4. If the data subject consents to the organisation keeping the information for an extended period.


CONDITION 4 = FURTHER PROCESSING LIMITATION

Further processing of personal information must be compatible with the purpose for which it was collected.

* Once an organisation has identified and obtained consent for specific, legitimate and explicitly defined purposes, the processing of such personal information may only occur insofar as it is necessary for the fulfilment of those purposes.

* Thus, the Further Processing Limitation requires that an organisation may only use personal information for those purposes that were specified at the time that the individual consented to the processing of the information.

* If personal information is to be used for any other purpose or disclosed to any other recipients, the further consent of the individual must be obtained.


To assess whether further processing is compatible with the purpose of collection, the responsible party must take into account:

* the relationship between the further processing and the original purpose for which the information was collected, i.e. how close is the link between the original purpose and the intended further processing;

* the nature of the information, e.g. is it sensitive personal information;

* the consequences of the further processing for the individual, i.e. is the individual likely to benefit from or be prejudiced as a result of the further processing;

* the manner in which the information was collected, e.g. was the information collected directly from the individual or obtained from an indirect source;

* any contractual rights and obligations between the organisation, the individual and any other party (the fulfilment of such rights may possibly depend on the occurrence of the further processing).


Information will also be deemed compatible if:

* the individual consents to the further processing;

* the personal information is publicly available;

* it is necessary in terms of any law, to further a legal or public interest or to prevent serious harm;

* the personal information is used for historical, statistical or research purposes but has been de-identified;

* such processing has been exempted in terms of the Act.


Ask yourself this…

1. Does your business process personal information for any other purpose except the identified purposes that are disclosed to the individual concerned?

2. What type of personal information does your business generally subject to further processing?

3. How does this further processing affect the individual to whom the information relates?

4. Does your business inform the individual concerned when personal information is used for a purpose other than originally disclosed?

5. When and how is this communicated to the individual?


CONDITION 5 = INFORMATION QUALITY

The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

Neither “reasonableness” nor “practicality” is defined in the Act. As a result, what is “reasonable” or “practicable” is going to depend largely on the circumstances of a particular organisation or industry.


Ask yourself this…

1. Does your business have a process for checking the accuracy and completeness of records containing personal information?

2. Does your business provide the opportunity to individuals to periodically verify and update their personal information?

3. How and when are individuals made aware of these processes?

4. Does your business have a process for monitoring and tracking updates to personal information?

5. Who is responsible in your organisation for ensuring that records containing personal information remain relevant, accurate and up-to-date?


CONDITION 6 = OPENNESS

Personal information may only be processed by a responsible party that has notified the Regulator.

If personal information is collected, the responsible party must take reasonably practical steps to ensure that the data subject is aware of –

* the information being collected;

* the name and address of the responsible party;

* the purpose for which the information is being collected;

* whether or not the supply of the information by that data subject is voluntary or mandatory;

* the consequences of failure to provide the information;

* any particular law authorising or requiring the collection of the information;

* any further information such as the recipient or category of recipients of the information, the nature or category of the information, and the existence of the right of access to and the right to rectify the information collected.


Exclusions…

The organisation will not have to comply with the data subject notification requirement in certain situations, including the following:

1. if the individual consents to the non-compliance or the non-compliance will not be prejudicial to the individual;

2. if the non-compliance is necessary for the maintenance of law and order or in the interests of national security;

3. to enforce legislation for SARS purposes;

4. if compliance is not reasonably practicable in the circumstances of the particular case (e.g. in the case of an emergency);

5. if the information will be used in such a way that the individual will not be identified, or for historical, statistical or research purposes.


Ask yourself this…

1. Has your organisation compiled a manual and made it available in terms of the Promotion of Access to Information Act?

2. Does your business regularly review and / or update the manual?

3. Who in your business is responsible for liaising with the Regulator in terms of the Promotion of Access to Information Act?

4. Does your business use personal information for historical, statistical and research purposes?

5. Has your business identified all the relevant legislation which requires the collection, storage or disclosure of personal information for various purposes?


CONDITION 7: SECURITY SAFEGUARDS

The underlying theme of Condition 7 is that all personal information should be kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure.

Clauses 18, 19, 20 and 21 of the Act set out the specific requirements of this principle in some detail. In terms of the Act the obligation to maintain the security of personal information is made up of the following elements:

* the organisation’s responsibility to implement security measures to safeguard personal information held by the organisation;

* the organisation’s responsibility in respect of personal information that is processed by third parties on behalf of the organisation;

* the organisation’s responsibility to notify stakeholders if personal information has been compromised in any way.


Ask yourself this…

1. Does your business’ risk management strategy include risks related to the processing of personal information?

2. Does your business have an information security policy? If so, does the policy make specific reference to personal information?

3. Does your business have strong identification and authentication controls to limit access to personal information?

4. Does your business back up personal information on a regular basis?

5. Does your business limit the number and categories of employees who have access to personal information? How?

6. Does your business enter into agreements with third parties who process personal information on behalf of the business? If yes, do these agreements address issues relating to information security safeguards, confidentiality, legal compliance and jurisdiction of laws?

7. How does your business ensure the reliability of third parties before allowing them to process personal information?

8. What is the manner of notification used by your organisation in the event of personal information breaches?


NOTIFICATION OF SECURITY COMPROMISES

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party, or any third party processing personal information under the authority of a responsible party, must notify-

(a) the Regulator; and

(b) the data subject (unless the identity of such data subject cannot be established).

The notification must be made as soon as reasonably possible after the discovery of the compromise. Notification of the data subject may only be delayed where a public body responsible for the prevention, detection or investigation of offences, or the Regulator, determines that notification will impede a criminal investigation.

The notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:-

(a) Mailed to the data subject’s last known physical or postal address;

(b) Sent by e-mail to the data subject’s last known e-mail address;

(c) Placed in a prominent position on the website of the responsible party;

(d) Published in the news media; or

(e) As may be directed by the Regulator.

The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including a description of the possible consequences of the compromise, a description of the measures the responsible party has taken or intends to take to address it, a recommendation on the measures the data subject should take to mitigate the possible adverse effects and, if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.


CONDITION 8: DATA SUBJECT PARTICIPATION

Condition 8 empowers individuals to access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated. This gives them a level of direct influence over the processing of their personal information.

Accessing personal information:

In terms of clause 22 (section 23 of the Act as promulgated), an individual may make two types of requests, namely:

* confirmation, free of charge, of whether an organisation holds any personal information about them; and

* a description of the personal information held about them, including details of any third parties, or categories of third parties, that have or have had access to that information.


CORRECTION OF PERSONAL INFORMATION

A data subject may request a responsible party to-

(a) correct or delete personal information about the data subject in its possession that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.


Ask yourself this…

1. Does your business have systems in place through which individuals can access and amend their personal information?

2. Does your business have an information officer to deal with requests relating to personal information?

3. Does your business notify individuals (employees and customers) about the manner in which they may access and/or update their personal information?

4. What is the form and manner in which individuals may request access to information?

5. Does your business charge any fees for accessing personal information?

6. If yes, are these fees in line with those set in terms of the Promotion of Access to Information Act?

7. How does your business verify the identity of individuals who request access to personal information?

8. Does your business have a system to track requests for access to personal information?

9. Does your business have a verification procedure to ensure the accuracy and completeness of personal information?

10. Does your business have a system to notify third parties of updates, corrections or deletion of personal information?


PROCESSING OF SPECIAL PERSONAL INFORMATION

Unless one of the exemptions below applies, a responsible party may NOT process personal information concerning-

(a) a child who is subject to parental control in terms of the law; or

(b) a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information or criminal behaviour.


EXEMPTIONS

(a) Data subject’s race – processing is allowed if it is necessary to comply with laws and other measures designed to protect or advance persons or categories of persons disadvantaged by unfair discrimination.

(b) Data subject’s trade union membership – the prohibition does not apply to processing by the trade union to which the data subject belongs. No personal information may be supplied to third parties without the consent of the data subject.

(c) Data subject’s health or sexual life – the prohibition does not apply to-

i. medical professionals, health care institutions or social services;

ii. insurance companies, medical aid administrators and managed healthcare organisations;

iii. schools when providing special support for pupils or making special arrangements in connection with their health or sexual life;

iv. institutions of probation, child protection or guardianship;

v. the Minister of Correctional Services when implementing prison sentences or detention measures;

vi. administrative bodies, pension funds, employers or institutions working for them when:-


a) implementing the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sexual life of the data subject; or

b) the reintegration of or support for workers and persons entitled to benefit in connection with sickness or work incapacity.

(d) In the cases under (c), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.

(e) Data subject’s criminal behaviour – the prohibition does not apply to responsible parties who process the information for their own lawful purpose to-

(i) assess an application by a data subject in order to take a decision about, or provide a service to, that data subject; or

(ii) protect their legitimate interests in relation to criminal offences which have been, or can be expected to be, committed against them or against persons in their service.


Note on employee health information: the processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation.


THANK YOU !


GRANT WILKINSON

Cell : 082 570 8595

E-mail : [email protected] : Wilkinson_SA

LinkedIn : za.linkedin.com/pub/grant-wilkinson/36/49a/795/
