2014-09-18 protection of personal information act readiness workshop
DESCRIPTION
I presented at the 3rd Protection of Personal Information Act readiness workshop of 2014 on the topic of practical data protection practices. I focused on high-level constraints and useful approaches to policy development and data processing strategies.

TRANSCRIPT
Slide 1
2014-09-18
A practical approach to data protection
Protection of Personal Information Act Workshop

Slide 2
2014-07-24
Share your thoughts
You can find me on Twitter as @pauljacobson
#POPIready
Slide 4
Key principles and themes

Slide 5
Lawful processing conditions
✤ Accountability
✤ Purpose limitation
✤ Purpose specification
✤ Further processing limitation
✤ Information quality
✤ Openness
✤ Security safeguards
✤ Data subject participation

Slide 6
Conditions for lawful processing of personal information *
* Subject to exceptions
Slide 7
Consent and data collection

Slide 8
Privacy in a digital world is complicated

Slide 9
“The very practice of privacy is all about control in a world in which we fully know that we never have control. Our friends might betray us, our spaces might be surveilled, our expectations might be shattered. But this is why achieving privacy is desirable. People want to be *in* public, but that doesn’t necessarily mean that they want to *be* public. There’s a huge difference between the two. As a result of the destabilization of social spaces, what’s shocking is how frequently teens have shifted from trying to restrict access to content to trying to restrict access to meaning. They get, at a gut level, that they can’t have control over who sees what’s said, but they hope to instead have control over how that information is interpreted. And thus, we see our collective imagination of what’s private colliding smack into the notion of public. They are less of a continuum and more of an entwined hairball, reshaping and influencing each other in significant ways.”
– danah boyd writing in her article “What is Privacy?”
Slide 10
Consent, justification and objection

Slide 11
“… it seems to be a sensible approach to say that the scope of a person’s privacy extends a fortiori only to those aspects in regard to which a legitimate expectation of privacy can be harboured.”
– Bernstein and Others v Bester NO and Others

Slide 12
Options
Consent
Legitimate interests
Contractual conclusion or performance
Slide 13
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

Slide 14
Example

Slide 16
Only where consent is required may a data subject withdraw permission

Slide 17
“Legitimate interests” is vague and undefined, yet a very interesting justification
Slide 18
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
– Section 6, Schedule 2, UK Data Protection Act

Slide 19
Still, the “Lawful processing of personal information conditions” provide broad parameters and context for “legitimate interests” arguments …
Slide 20
Special personal information

Slide 21
✤ Children’s personal information
✤ Religious or philosophical beliefs*
✤ Race or ethnic origin
✤ Trade union membership*
✤ Political persuasion
✤ Health or sex life
✤ Criminal behaviour or biometric information

Slide 22
Example

Slide 23
‘‘child’’ means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;
Slide 24
How transparent are you?

Slide 25
Write clear privacy statements

Slide 26
Examples

Slide 29

Slide 30
Privacy statement essentials
✤ What personal information do you collect?
✤ What do you do with that personal information?
✤ When may the personal information be disclosed and to whom?
✤ How long do you retain personal information, where do you retain it and what are your safeguards?
✤ How may a data subject interrogate your databases?

Slide 31
Example
Slide 33
“A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.”
– Section 16, the Protection of Personal Information Act

Slide 34
Do you facilitate meaningful access to personal information you hold?

Slide 35
Example

Slide 37
Data processing

Slide 38
“Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”
– Section 10, the Protection of Personal Information Act

Slide 39
Purpose specification
“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”
Be transparent about the purpose

Slide 40
Examples

Slide 44
Further processing must align with the original purpose*
* There are exceptions too

Slide 45
Data integrity and retention

Slide 46
“… records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed …”
– Section 13, Protection of Personal Information Act

Slide 47
Don’t lose sight of the bigger data retention compliance picture
Electronic Communications and Transactions Act
Protection of Personal Information Act
Everything else

Slide 48
POPI places special emphasis on security safeguards

Slide 49
“A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures …”
– Section 19, Protection of Personal Information Act

Slide 50
Examples

Slide 52
“A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19 …”
– Section 21, Protection of Personal Information Act

Slide 53
Identifying key risk areas

Slide 54
How do you process personal information?
Helpful questions
Are you the responsible party or the operator?
Is your reputation at risk and what could go wrong?

Slide 55
Do you engage in direct marketing?

Slide 56
Do you process personal information on your responsible party customers’ behalf?

Slide 57
Be responsible, reduce reputational harm risk in the process

Slide 58
Transparent dealings with stakeholders
2014 Heartbleed Bug
The OpenSSL Heartbleed vulnerability came to light
Providers proactively contacted users and recommended password changes

Slide 59
“The way to gain good reputation is to endeavor to be what you desire to appear”
– Socrates

Slide 60
Implementation

Slide 61
What are your people actually doing?
What should your people be doing?
What does your policy framework say you do?

Slide 62
Communicate effectively with your teams

Slide 63
Document your processes and monitor compliance

Slide 64
Thank you for your time. Please feel free to contact me if we can assist you or answer questions.
webtechlaw.com/contact
Paul Jacobson 083 444 8260