2014-04-16 protection of personal information act readiness workshop

2014-04-16

Responsible Data ProcessingProtection of Personal Information Act Workshop

2014-04-16

Share your thoughtsYou can find me on Twitter as @pauljacobson

#POPIready

Understanding your data processing constraints

Lawful processing conditions

✤ Accountability!

✤ Purpose limitation!

✤ Purpose specification!

✤ Further processing limitation!

✤ Information quality!

✤ Openness!

✤ Security safeguards!

✤ Data subject participation

There are exceptions

Personal or household activity

Anonymised and can’t be associated !with a data subject again

By or on behalf of a!public body

National security Public defence Crime and money laundering

Cabinet or!Executive Councils Judicial proceedings

01

Journalistic, literary or artistic purposes

“solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to

reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.”

– Section 7(1), Protection of Personal Information Act

Regulatory function delegated to a code of ethics that will apply to the exclusion of the Act*

* This is provided for elsewhere and forms part of a distributed enforcement mechanism

Conditions for lawful processing of personal information

Consent and data collection

01Consent, justification and objection

“… it seems to be a sensible approach to say that the scope of a person’s privacy extends a fortiori only to those aspects in regard to which a legitimate expectation of privacy can be

harboured.”

– Bernstein and Others v Bester NO and Others

Options

Consent

Legitimate interests

Contractual conclusion or performance

Only in the case of consent may a data subject withdraw permission

“Legitimate interests” is vague, undefined and, yet, a very interesting justification

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the

processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of

the data subject.”

– Section 6, Schedule 2, UK Data Protection Act

Still, the “Lawful processing of personal information conditions” provide broad parameters and context for

“legitimate interests” arguments …

01

Special personal information

✤ Children’s personal information!

✤ Religious or philosophical beliefs*!

✤ Race or ethnic origin!

✤ Trade union membership*!

✤ Political persuasion!

✤ Health or sex life!

✤ Criminal behaviour or biometric information

How transparent are you?

‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for

the processing of personal information

“A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate,

not misleading and updated where necessary.”

– Section 16, the Protection of Personal Information Act

Do you facilitate meaningful access to personal information you hold?

Data processing

“Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant

and not excessive.”

– Section 10, the Protection of Personal Information Act

Purpose specification

“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of

the responsible party”

Be transparent about the purpose

Further processing must align with the original purpose*

* There are exceptions too

Data integrity and retention

“… records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed …”

– Section 13, Protection of Personal Information Act

Don’t lose sight of the bigger data retention compliance picture

Electronic Communications and Transactions Act

Protection of Personal Information Act

Everything else

POPI places special emphasis on security safeguards

“A responsible party must secure the integrity and confidentiality of personal information in its possession or

under its control by taking appropriate, reasonable technical and organisational measures …”

– Section 19, Protection of Personal Information Act

“A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that

the operator which processes personal information for the responsible party establishes and maintains the security

measures referred to in section 19 …”

– Section 21, Protection of Personal Information Act

Identifying key risk areas

How do you process personal information?

Helpful questions

Are you the responsible party or the operator?

Is your reputation at risk and what could go wrong?

Do you engage in direct marketing?

Do you process personal information on your responsible party customers’ behalf?

Benefits of better protection frameworks

Clear privacy statements

Transparent dealings with stakeholders

2014 Heartbleed Bug

OpenSSL exploit came to light

Providers proactively contacted users and recommended password changes

Be responsible, reduce reputational harm risk in the process

“The way to gain good reputation is to endeavor to be what you desire to appear”

– Socrates

Thank you for your time.Please feel free to contact me if we can assist you or answer questions.

webtechlaw.com/contact

Paul Jacobson 083 444 8260