Ulundi Behrtel
THE PROTECTION OF
PERSONAL INFORMATION ACT
(POPI)
www.ulundibehrtel.com
Protecting Personal Information
- data management
POPI Act:
lawful processing of
personal information
overriding principle of
authorisation before
processing
PRIVACY
“a state in which one is not observed
or disturbed by other people”
vs
CONFIDENTIALITY
“a set of rules or a promise
that limits access or places restrictions
on certain types of information”
Everyone has the right of access to
information (sect 32)
Promotion of Access to Information Act (PAIA)
Everyone has the right to privacy (sect 14)
Protection of Personal Information Act (POPI)
Constitutional roots of privacy and
confidentiality
Main objectives of POPI
lawful processing of
personal information
overriding principle of authorisation
before processing
“Personal information”
Personal Information includes, but is not limited to –
race, gender, sex, pregnancy, marital status, national, ethnic
or social origin, colour, sexual orientation, age, physical or
mental health, well-being, disability, religion, conscience,
belief, culture, language and birth of the person
education or the medical, financial, criminal or employment
history of the person
any identifying number, symbol, e-mail address, physical
address, telephone number or other particular assignment
to the person
“Personal information”
Personal Information includes, but is not limited to –
the blood type or any other biometric information of the
person
the personal opinions, views or preferences of the person
correspondence sent by the person that is implicitly or
explicitly of a private or confidential nature or further
correspondence that would reveal the contents of the
original correspondence
“Personal information”
Personal Information includes, but is not limited to –
the views or opinions of another individual about the person
the name of the person if it appears with other Personal
Information relating to the person or if the disclosure of
the name itself would reveal information about the person
“Special Personal Information”
“Special Personal Information”:
a child who is subject to parental control in terms of
the law; or
a person’s religious or philosophical beliefs, race
or ethnic origin, trade union membership, political
opinions, health, sexual life, or criminal behaviour
“Processing”
Any activity or operation involving Personal Information,
whether automated or not
It includes the
collection, recording, organisation
storage, updating or modification, retrieval
consultation, use
dissemination by means of transmission, distribution
or making available in any other form
merging, linking
blocking, erasure or destruction of information
“Processing”
i.e. Personal Information –
stored in
– databases, address books, manual filing systems
– payroll systems
– Information sent via email, found in word processing
programmes
– exchanged in contracts with the suppliers, and
– recorded on CCTV and in telephone records
Conditions for processing
“Accountability”:
responsibility to ensure compliance with the conditions
“Processing limitation”:
lawful and reasonable manner, must be consented to,
collected directly from the data subject, be “adequate,
relevant and not excessive”
“Purpose specification”:
purpose specific and explicitly defined (and consented to).
“Information quality”:
responsible party to take steps to ensure info is complete,
accurate, not misleading and updated
Conditions for processing
“Further processing limitation”:
only if it formed part of the original consent of processing;
“Openness”:
notifying persons (data subjects) of the data-collection
“Data subject participation”:
right to request confirmation of personal information being held
and to correct information
“Security safeguards”:
measures that should be taken to prevent loss, damage,
unauthorised and unlawful access
Processing of “special personal
information”
In general, prohibited, unless –
consent has been provided
the data is necessary to exercise a right or fulfill a legal
obligation
sufficient guarantees provided for protection of individual
privacy
Processing of “special personal
information”
Sect 32:
Medical practitioners, healthcare facilities, insurance
companies and medical schemes/administrators deal with
authorisations relating to health exempted, BUT
requires that information
– only be processed under a contractual duty of
confidentiality, unless
– there is a legal duty to process the information
Codes by Regulator*
Incorporate all the information protection
principles or set out obligations that provide a
functional equivalent of all the obligations set out
in those principles; and
Prescribe how the information protection principles
are to be applied, or are to be complied with, given
the particular features of the sector or sectors of
society in which the relevant responsible parties
are operating
* Information Protection Regulator
POPI Act:
APPLICATION IN PRACTICE
Know the rights of data subjects
in respect of their personal information
Be notified about collection of information
Establish whether personal information is held on him/her
Request the destruction, correction or deletion of
personal information
Object against processing
Not be subjected to automated processes that have
legal consequences, e.g. on credit-worthiness,
reliability, health, personal preferences or conduct
8 Data Principles: what it means
Know what record is kept, what is in it, and where it
will go – e.g. Practice Terms and Conditions
Info stored (e.g. patient records) or reworked must be:
Adequate
Relevant
Not excessive in view of purpose
Specific, lawful purpose related to a function or activity
e.g. rendering of health care, employment
When and for how long records may be retained e.g.
policy or SOP
8 Data Principles: what it means
Ensure that info in your possession is:
Complete
Accurate, not misleading
Updated
Rights of person (data subject) to request what info
is held, to correct and to delete e.g. training / SOP re
liaison with patients by admin support staff
Appropriate and reasonable security measures
Physical and electronic (regularly tested and
updated, data recovery plans)
www.ulundibehrtel.com
@Ethics_Behrtel
Cell: 084 999 2080