The Protection of Personal Information Act 2013 
Personal Information is your business 
25.09.14 
KOMESHNI PATRICK 
TECHNOLOGY LAWYER/DIRECTOR/ENDCODE.ORG
Contents
• Definitions
• Aims
• Exemptions
• Key Role Players for POPI
• 8 Conditions of POPI
• POPI and Consent
• POPI and Notification
• Giving PI Away
• POPI for Business
• PI & Cybercrime
What is Personal Information (PI)?
• Section 1
• Identifiable, living, natural person or identifiable, existing juristic person
• Race, sex, gender, name, sexual orientation, age, mental health
• Medical, financial, criminal or employment history
• E-mail address, physical address, telephone number, location information, online identifier
• Biometric information
• Personal opinions, views or preferences
• Private correspondence
• Opinions of another individual about the person
• Name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
What is Special Personal Information?
• Section 1
• The religious or philosophical beliefs
• Race or ethnic origin
• Trade union membership
• Political persuasion
• Health or sex life or biometric information of the person
• The criminal behaviour of the person to the extent that such information relates to—
  • The alleged commission by the person of any offence
  • Any proceedings in respect of any offence allegedly committed by the person or the disposal of such proceedings
What is Processing?
• Sections 1 and 4 of POPI
• Processing means any activity, whether by automatic means or not, concerning personal information, including
  • The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • Dissemination by means of transmission, distribution or making available in any other form; or
  • Merging, linking, as well as restriction, degradation, erasure or destruction of information;
• Processing must be for a defined and legitimate purpose that is clear to the DS from whom you are collecting the PI
The Protection of Personal Information Act 4 of 2013 (POPI)
Aims:
• Protection of PI processed by private and public bodies
• Minimum requirements for processing of PI
• Establishment of Information Regulator
• Codes of Conduct
• Rights protection against SPAM and automated decision-making
• Regulate cross-border flow
Exemptions from POPI
Personal & Household
• Personal address book
• Personal Computer
De-identified & cannot be re-identified
• Anonymous Surveys
• Course Evaluation
Public Bodies involved in national security
• Prevention and detection of unlawful activities
• Terrorism, money laundering, offenses
Judicial Function of a Court
• Section 166 of the Constitution
Terrorism
• Terrorist & Related Activities Act 33 of 2004
Journalistic, literary, artistic
• Freedom of Expression (S16 Constitution)
• Codes of Ethics govern PI infringements
Key Role Players for POPI
Data Subject
• The person to whom PI relates
Responsible Party
• Public or private body or any other person which determines the purpose of and means for processing PI
Operator
• Person who processes PI for a RP in terms of a contract or mandate, without coming under the direct authority of that party
Competent Person
• Any person legally competent to consent to any action or decision being taken in respect of any matter concerning a child
Information Regulator
• A juristic person established in terms of the Act accountable to the National Assembly and appointed by the Minister of Justice
8 Conditions of POPI
Accountability
• RP to ensure conditions for lawful processing
Processing Limitation
• Minimality – adequate, relevant and not excessive
• Consent, Justification, Objection
• Collection directly from Data Subject
Purpose Specification
• Specific, explicitly defined and lawful purpose
• Records of PI must not be retained longer than is necessary for achieving the purpose
• Exemption: record required by law, historical, statistical or for research
• Destroy/delete/de-identify a record of PI once purpose achieved
Further Processing Limitation
• To be compatible with original purpose of collection; if not, consent for further processing is required
8 Conditions of POPI
Information Quality
• RP must take steps to ensure PI is complete, accurate and not misleading
Openness
• Records of the processing cycle for operations must be maintained and made available to the DS
• Obligation on RP to notify the DS upon collection of PI
Security Safeguards
• Integrity and confidentiality of PI must be maintained to prevent loss, damage, unauthorised destruction, unlawful access or processing
• Operator must notify RP if there are reasonable grounds to believe that the PI was accessed by an unauthorised person and the RP has to notify the Regulator and the DS
Data Subject Participation
• Right to be informed - DS can request, free of charge, whether PI is held
• Where DS requests copy of the record, the RP can charge a fee
• DS can request correction or deletion of PI that is inaccurate, irrelevant, out of date, excessive, incomplete, misleading or unlawfully obtained
POPI and Consent
General Consent - Section 11
• Consent from DS for processing PI
• Consent can be withdrawn at any time.
• Where the DS is a child, consent is needed from
Competent Person
Retention of - Section 14(1)(d)
• For records to be retained longer than is needed
achieving the purpose of the data processing,
must consent.
POPI and Consent
Restriction on processing - Section 14(7)
• The RP must restrict processing of information if:
• The accuracy is contested by DS and RP has to
the PI
• Purpose is achieved but retain PI for proof
• The processing is unlawful and the DS requests
restriction rather than destruction
• The DS requests PI be transmitted to another
automated system
• May only be processed:
• With DS consent or Competent Person’s consent
• For purposes of proof
• To protect a right of another natural or legal
• For public interest
POPI and Consent
Further Processing - Section 15(3)(a)
• Further processing of information that is
with the original purpose of collection can only
the DS consents.
Notification of Collection - Section 18(4)(a)
• The DS can consent to not being notified when
information is collected.
POPI and Consent
Special Personal Information - Section 27
• The DS must consent to the processing of
personal information.
Religious Beliefs - Section 28(3)
• Information regarding religious or philosophical
can be processed only by religious or spiritual
institutions to which the DS belongs without
• Consent from the DS is needed when this data
supplied to third parties.
POPI and Consent
Trade Union Membership - Section 30(2)
• Information regarding trade union membership
processed only by the trade union or its
body to which the DS belongs.
• Consent from the DS is needed when this data
supplied to third parties.
Political Persuasion - Section 31(2)
• Information regarding political persuasion can
processed only by institutions founded on
principles to which the DS belongs without
• Consent from the DS is needed when this data is
supplied to third parties.
POPI and Consent
Information Children - Section 34
• Processing PI regarding children can only occur
the consent from a person who has legal
to make decisions regarding that child.
Direct Marketing - Section 69
• Processing for direct marketing is prohibited
DS gives consent.
• To request consent, the RP may approach the
consent only once and only if the DS has not
previously withheld consent.
POPI and Consent
Foreign Country Transfer - Section 72(1)
• RP may not transfer PI to a third party in a
country unless the DS has consented or the
benefits the DS and it is impractical to obtain
and the DS would likely give consent. Foreign
should have similar processing protection as
Minister’s Powers - Section 112(2)(f)
• The Minister has the power to create regulations
regarding the manner and form within which the
consent must be obtained or requested for direct
marketing.
POPI and Notification
Notification to DS when collecting PI - Section 18
• Notification to DS when collecting personal
Security measures regarding processed by - Section 21
• The Operator must notify the RP immediately
there are reasonable grounds to believe that the
personal information of a DS has been accessed
acquired by any unauthorised person
POPI and Notification
Notification of Compromises - Section 22
• Where there are reasonable grounds to believe
personal information of a DS has been accessed
acquired by any unauthorised person, the RP
notify the Regulator and the DS
Correction of personal - Section 24
• The RP must notify a DS, who has made a
correction or deletion of record of the action
result of such request
POPI and Notification
Responsible party to notify Regulator if processing is subject to authorisation - Section 58
• RP must notify and obtain prior authorization
Regulator for processing for the following:
• for a purpose other than the original purpose
intended at collection
• with the aim of linking the information
information processed by other responsible
• process information on criminal behaviour
• process information for the purposes of credit
reporting or
• transfer special PI or the PI of children to a
party in a foreign country that does not
adequate level of protection.
Giving Your PI Away
Shopping online
Subscribing or registering
Competitions, prizes, rewards
Online games and virtual worlds
Social Media
Online Browsing
Employment
Name Surname
email address
telephone number
postal address
city
Education
credit card number
ID number
physical address
POPI for Business
Personal Information is your Business
• Financial
• Education
• Transport
• Gaming
• Social Media
• Advertising
• Music
• Telecoms
• Credit
• Sports
• Mapping
• Insurance
• IT
• Banking
• Medical
POPI for Business
1. POPI Strategy
2. Appoint an Information Officer
3. Privacy Policy
4. Consider who the Data Subjects are
   • Limit the collection type and amount to the purpose
3. Third party Transfer
4. Cross-border transfer
5. Direct Marketing Practices
6. Special Personal Information
7. Children’s Personal Information
8. Directories
POPI for Business
Creating Business Process
• Obtain consent DS to use PI for the specified
purpose
• Network Security – integrity and safekeeping
• Limit access per business role
• Ensure that there are back-up and business
continuity plans
• Access Security at all points
• Access to Information Procedure (correction,
objections to processing, copy of records,
third parties who access their PI)
• Procedures for updating details to ensure
and completeness
• Ensure Records retention management
(deletion or de-identification)
• Incident Management Process
POPI for Business 
Well managed brand 
Strengthens the brand 
Conveys that the business understands its legal obligations to the client 
Builds trust in the brand
POPI for Business 
Privacy infringement 
Loss of Intellectual Property 
Defamation 
Loss of sensitive information 
Security compromise - issues of national security 
Financial loss 
POTENTIAL FOR LITIGATION 
Brand Damage
PI and Cyber Crime 
Cybercrime 
PI
PI & Cybercrime 
Lloyd’s 2013 Risk Index Report 
Cyber security has moved from 12th position to 3rd position as a 
global concern to business. 
The 2013 Norton Report 
South Africa has the third highest number of cybercrime victims 
following Russia and China. 
PwC’s Global State of Information Security Survey 2014 
reported a rise of 25% in security incidents with a 51% rise in 
spend on security. Overall, this makes up only 4% of the IT spend.
PI & Cybercrime 
South Africa’s National Cyber Security Policy Framework was 
passed in March 2012 
18 months later 
Department of Communications appointed the National Cyber 
Security Advisor in October 2013 
Goal 
co-ordinate government actions on cyber security and ensure co-operation 
between government, the private sector and civil society 
on addressing cyber threats
PI & Cybercrime 
The Electronic Communications and Transactions Act 2002 
9 years later 
No cyber inspectors to enforce cyber security 
Wolfpack Information Risk’s report – The South African Cyber 
Threat Barometer 2012/13 
no national computer security incident response team 
no national response team to co-ordinate a cyber defence strategy 
Annual losses in 3 sectors = R2.65 billion
PI & Cybercrime 
India 
Sponsored training for 500 000 “cyber warriors” 
South Korea 
5000 cyber specialists are developed annually 
United Kingdom 
11 centres established for cyber skills development allied to the 
universities 
South Africa 
?
Thanks, Questions? 
Komeshni Patrick 
Komeshni.patrick@endcode.org 
www.endcode.org

Weitere ähnliche Inhalte

Was ist angesagt?

Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
Altacit Global
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection Act
SaimaRafiq
 

Was ist angesagt? (20)

General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
Personal Data Protection Act - Employee Data Privacy
Personal Data Protection Act - Employee Data PrivacyPersonal Data Protection Act - Employee Data Privacy
Personal Data Protection Act - Employee Data Privacy
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
 
Privacy by Design: legal perspective
Privacy by Design: legal perspectivePrivacy by Design: legal perspective
Privacy by Design: legal perspective
 
5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-Ready5 Ways to Make Your Postgres GDPR-Ready
5 Ways to Make Your Postgres GDPR-Ready
 
PDPA 2010 at office (HairulHafiz)
PDPA 2010 at office (HairulHafiz)PDPA 2010 at office (HairulHafiz)
PDPA 2010 at office (HairulHafiz)
 
Popi act presentation
Popi act presentationPopi act presentation
Popi act presentation
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in India
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
 
Applying the Personal Data Protection Act (Singapore)
Applying the Personal Data Protection Act (Singapore)Applying the Personal Data Protection Act (Singapore)
Applying the Personal Data Protection Act (Singapore)
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Practical steps to GDPR compliance
Practical steps to GDPR compliance Practical steps to GDPR compliance
Practical steps to GDPR compliance
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection Act
 
Privacy and Data Protection
Privacy and Data ProtectionPrivacy and Data Protection
Privacy and Data Protection
 
Introduction to data protection
Introduction to data protectionIntroduction to data protection
Introduction to data protection
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
GDPR infographic
GDPR infographicGDPR infographic
GDPR infographic
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data Subject
 
Data Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethicsData Privacy: What you need to know about privacy, from compliance to ethics
Data Privacy: What you need to know about privacy, from compliance to ethics
 

Andere mochten auch

Human rights in Bangladesh
Human rights in BangladeshHuman rights in Bangladesh
Human rights in Bangladesh
Syed Shihab
 
Software project management interview questions and answers
Software project management interview questions and answersSoftware project management interview questions and answers
Software project management interview questions and answers
simonthomas990
 
Presentation of scenes of The Descent
Presentation of scenes of The DescentPresentation of scenes of The Descent
Presentation of scenes of The Descent
alexjr1996
 
Edited pictures presentation
Edited pictures presentationEdited pictures presentation
Edited pictures presentation
alexjr1996
 
Bijlage 2-shell-ffs-reactor
Bijlage 2-shell-ffs-reactorBijlage 2-shell-ffs-reactor
Bijlage 2-shell-ffs-reactor
pouya_ms
 

Andere mochten auch (20)

The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act 4 of 2013
 
POPI
POPI POPI
POPI
 
POPI and Email Marketing
POPI and Email Marketing POPI and Email Marketing
POPI and Email Marketing
 
Ovations Group - Introducing the Protection of Personal Information (PoPI) ac...
Ovations Group - Introducing the Protection of Personal Information (PoPI) ac...Ovations Group - Introducing the Protection of Personal Information (PoPI) ac...
Ovations Group - Introducing the Protection of Personal Information (PoPI) ac...
 
Opportunities and benefits of POPI
Opportunities and benefits of POPIOpportunities and benefits of POPI
Opportunities and benefits of POPI
 
Human rights in Bangladesh
Human rights in BangladeshHuman rights in Bangladesh
Human rights in Bangladesh
 
Introduction to Data Protection and Information Security
Introduction to Data Protection and Information SecurityIntroduction to Data Protection and Information Security
Introduction to Data Protection and Information Security
 
Premier Health Brochure
Premier Health BrochurePremier Health Brochure
Premier Health Brochure
 
October fair trade month
October fair trade monthOctober fair trade month
October fair trade month
 
Sviesuva bredikis
Sviesuva bredikisSviesuva bredikis
Sviesuva bredikis
 
Narracion
NarracionNarracion
Narracion
 
The magic to think big
The magic to think bigThe magic to think big
The magic to think big
 
2015 09-10 Health Valley meets Topsector LSH Alain van Gool
2015 09-10 Health Valley meets Topsector LSH Alain van Gool2015 09-10 Health Valley meets Topsector LSH Alain van Gool
2015 09-10 Health Valley meets Topsector LSH Alain van Gool
 
Software project management interview questions and answers
Software project management interview questions and answersSoftware project management interview questions and answers
Software project management interview questions and answers
 
Presentation of scenes of The Descent
Presentation of scenes of The DescentPresentation of scenes of The Descent
Presentation of scenes of The Descent
 
Edited pictures presentation
Edited pictures presentationEdited pictures presentation
Edited pictures presentation
 
Patient confidentiality training
Patient confidentiality trainingPatient confidentiality training
Patient confidentiality training
 
Los nombres de villayon
Los nombres de villayonLos nombres de villayon
Los nombres de villayon
 
Kaunas bm šviesuva 2014 11 03
Kaunas   bm šviesuva 2014 11 03Kaunas   bm šviesuva 2014 11 03
Kaunas bm šviesuva 2014 11 03
 
Bijlage 2-shell-ffs-reactor
Bijlage 2-shell-ffs-reactorBijlage 2-shell-ffs-reactor
Bijlage 2-shell-ffs-reactor
 

Ähnlich wie The Protection of Personal Information Act: A Presentation

Freedom of Information and Data Protection
Freedom of Information and Data ProtectionFreedom of Information and Data Protection
Freedom of Information and Data Protection
EquiGov Institute
 

Ähnlich wie The Protection of Personal Information Act: A Presentation (20)

GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
Freedom of Information and Data Protection
Freedom of Information and Data ProtectionFreedom of Information and Data Protection
Freedom of Information and Data Protection
 
Introduction to the Freedom of Information and Data Protection Act Trinidad a...
Introduction to the Freedom of Information and Data Protection Act Trinidad a...Introduction to the Freedom of Information and Data Protection Act Trinidad a...
Introduction to the Freedom of Information and Data Protection Act Trinidad a...
 
Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentation
 
Public sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterPublic sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, Exeter
 
GDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To PrepareGDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To Prepare
 
Protection of Personal Information
Protection of Personal InformationProtection of Personal Information
Protection of Personal Information
 
Protection of Personal Information
Protection of Personal InformationProtection of Personal Information
Protection of Personal Information
 
Education law conference, March 2017 - Nottingham - Understanding & dischargi...
Education law conference, March 2017 - Nottingham - Understanding & dischargi...Education law conference, March 2017 - Nottingham - Understanding & dischargi...
Education law conference, March 2017 - Nottingham - Understanding & dischargi...
 
POPI_Overview_E
POPI_Overview_EPOPI_Overview_E
POPI_Overview_E
 
POPI_Overview_E
POPI_Overview_EPOPI_Overview_E
POPI_Overview_E
 
What does the GDPR mean for charity communicators? | Scotland Networking Grou...
What does the GDPR mean for charity communicators? | Scotland Networking Grou...What does the GDPR mean for charity communicators? | Scotland Networking Grou...
What does the GDPR mean for charity communicators? | Scotland Networking Grou...
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 
China-PIPL.pdf
China-PIPL.pdfChina-PIPL.pdf
China-PIPL.pdf
 
Education law conference, March 2017 - Manchester - Understanding and dischar...
Education law conference, March 2017 - Manchester - Understanding and dischar...Education law conference, March 2017 - Manchester - Understanding and dischar...
Education law conference, March 2017 - Manchester - Understanding and dischar...
 
Education law conference, March 2017 - London - Understanding and discharging...
Education law conference, March 2017 - London - Understanding and discharging...Education law conference, March 2017 - London - Understanding and discharging...
Education law conference, March 2017 - London - Understanding and discharging...
 
Lorson Resources Limited - Records & Information Presentation: Data Protectio...
Lorson Resources Limited - Records & Information Presentation: Data Protectio...Lorson Resources Limited - Records & Information Presentation: Data Protectio...
Lorson Resources Limited - Records & Information Presentation: Data Protectio...
 

Mehr von Endcode_org

E-commerce regulation pria chetty
E-commerce regulation pria chettyE-commerce regulation pria chetty
E-commerce regulation pria chetty
Endcode_org
 

Mehr von Endcode_org (11)

IAB Online Content Regulation: Trends
IAB Online Content Regulation: Trends IAB Online Content Regulation: Trends
IAB Online Content Regulation: Trends
 
IAB Online Content Regulation
IAB Online Content RegulationIAB Online Content Regulation
IAB Online Content Regulation
 
Electronic Contracting Presentation
Electronic Contracting PresentationElectronic Contracting Presentation
Electronic Contracting Presentation
 
E-contracting and Commerce
E-contracting and CommerceE-contracting and Commerce
E-contracting and Commerce
 
Cyber Banking Conference
Cyber Banking Conference Cyber Banking Conference
Cyber Banking Conference
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management
 
Consumer Protection
Consumer ProtectionConsumer Protection
Consumer Protection
 
Social Media & Legal Risk
Social Media & Legal Risk Social Media & Legal Risk
Social Media & Legal Risk
 
Innovator's Guide to the IP Galaxy
Innovator's Guide to the IP GalaxyInnovator's Guide to the IP Galaxy
Innovator's Guide to the IP Galaxy
 
Mutual Non Disclosure Agreement (South Africa)
Mutual Non Disclosure Agreement (South Africa)Mutual Non Disclosure Agreement (South Africa)
Mutual Non Disclosure Agreement (South Africa)
 
E-commerce regulation pria chetty
E-commerce regulation pria chettyE-commerce regulation pria chetty
E-commerce regulation pria chetty
 

Kürzlich hochgeladen

一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
e9733fc35af6
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
JosephCanama
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
Airst S
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
Airst S
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
Airst S
 
Interpretation of statute topics for project
Interpretation of statute topics for projectInterpretation of statute topics for project
Interpretation of statute topics for project
VarshRR
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
e9733fc35af6
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
CssSpamx
 

Kürzlich hochgeladen (20)

A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
 
Hely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd         .pdfHely-Hutchinson v. Brayhead Ltd         .pdf
Hely-Hutchinson v. Brayhead Ltd .pdf
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.
 
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
 
The Main Steps on Starting a Business in Spain
The Main Steps on Starting a Business in SpainThe Main Steps on Starting a Business in Spain
The Main Steps on Starting a Business in Spain
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
Elective Course on Forensic Science in Law
Elective Course on Forensic Science  in LawElective Course on Forensic Science  in Law
Elective Course on Forensic Science in Law
 
Interpretation of statute topics for project
Interpretation of statute topics for projectInterpretation of statute topics for project
Interpretation of statute topics for project
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
 

The Protection of Personal Information Act: A Presentation

  • 1. The Protection of Personal Information Act 2013 Personal Information is your business 25.09.14 KOMESHNI PATRICK TECHNOLOGY LAWYER/DIRECTOR/ENDCODE.ORG
  • 2. Contents • Definitions • Aims • Exemptions • Key Role Players for POPI • 8 Conditions of POPI • POPI and Consent • POPI and Notification • Giving PI Away • POPI for Business • PI & Cybercrime
  • 3. What is Personal Information (PI)? • Section 1 • Identifiable, living, natural person or identifiable, existing juristic person • Race, sex, gender, name, sexual orientation, age, mental health • Medical, financial, criminal or employment history • E-mail address, physical address, telephone number, location information, online identifier • Biometric information • Personal opinions, views or preferences • Private correspondence • Opinions of another individual about the person • name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
  • 4. What is Special Personal Information? • Section 1 • The religious or philosophical beliefs • race or ethnic origin • trade union membership • political persuasion • health or sex life or biometric information of the person • The criminal behaviour of the person to the extent that such information relates to— • The alleged commission by the person of any offence • Any proceedings in respect of any offence allegedly committed by the person or the disposal of such proceedings
  • 5. What is Processing? • Sections 1 and 4 of POPI • Processing means any activity whether by automatic means or not, concerning personal information, including • The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; • Dissemination by means of transmission, distribution or making available in any other form; or • Merging, linking, as well as restriction, degradation, erasure or destruction of information; • Processing must be for a defined and legitimate purpose that is clear to the DS from whom you are collecting the PI
  • 6. The Protection of Personal Information 4 of 2013 (POPI) Aims: • Protection of PI processed by private and public bodies • Minimum requirements for processing of PI • Establishment of Information Regulator • Codes of Conduct • Rights protection against SPAM and automated decision-making • Regulate cross-border flow
  • 7. Exemptions from POPI • Personal & Household: Personal address book; Personal Computer • De-identified & cannot be re-identified: Anonymous Surveys; Course Evaluation • Public Bodies involved in national security: Prevention and detection of unlawful activities; Terrorism, money laundering, offenses • Judicial Function of a Court: Section 166 of the Constitution • Terrorism: Terrorist & Related Activities Act 33 of 2004 • Journalistic, literary, artistic: Freedom of Expression (S16 Constitution); Codes of Ethics govern PI infringements
  • 8. Key Role Players for POPI • Data Subject: The person to whom PI relates • Responsible Party: Public or private body or any other person which determines the purpose of and means for processing PI • Operator: Person who processes PI for a RP in terms of a contract or mandate, without coming under the direct authority of that party • Competent Person: Any person legally competent to consent to any action or decision being taken in respect of any matter concerning a child • Information Regulator: A juristic person established in terms of the Act accountable to the National Assembly and appointed by the Minister of Justice
  • 9. 8 Conditions of POPI • Accountability: RP to ensure conditions for lawful processing • Processing Limitation: Minimality – adequate, relevant and not excessive; Consent, Justification, Objection; Collection directly from Data Subject • Purpose Specification: specific, explicitly defined and lawful purpose; Records of PI must not be retained longer than is necessary for achieving the purpose; Exemption: record required by law, historical, statistical or for research; destroy/delete/de-identify a record of PI once purpose achieved • Further Processing Limitation: To be compatible with original purpose of collection; if not, consent for further processing is required
  • 10. 8 Conditions of POPI • Information Quality: RP must take steps to ensure PI is complete, accurate and not misleading • Openness: Records of the processing cycle for operations must be maintained and made available to the DS; Obligation on RP to notify the DS upon collection of PI • Security Safeguards: Integrity and confidentiality of PI must be maintained to prevent loss, damage, unauthorised destruction, unlawful access or processing; Operator must notify RP if there are reasonable grounds to believe that the PI was accessed by an unauthorised person and the RP has to notify the Regulator and the DS • Data Subject Participation: Right to be informed - DS can be requested free of charge if PI held; Where DS requests copy of the record, the RP can charge a fee; DS can request correction or deletion of PI that is inaccurate, irrelevant, out of date, excessive, incomplete, misleading or unlawfully obtained
  • 11. POPI and Consent •Consent from DS for processing PI •Consent can be withdrawn at any time. •Where the DS is a child, consent is needed from Competent Person General Consent Section 11 • For records to be retained longer than is needed achieving the purpose of the data processing, must consent. Retention of Section 14(1)(d)
  • 12. POPI and Consent •The RP must restrict processing of information if: •The accuracy is contested by DS and RP has to the PI •Purpose is achieved but retain PI for proof •The processing is unlawful and the DS requests restriction rather than destruction •The DS requests PI be transmitted to another automated system Restriction on processing Section 14(7) •May only be processed: • With DS consent or Competent Person’s consent • For purposes of proof •To protect a right of another natural or legal • For public interest
  • 13. POPI and Consent • Further processing of information that is with the original purpose of collection can only Further Processing the DS consents. Section 15(3)(a) •The DS can consent to not being notified when information is collected. Notification of Collection Section18(4)(a)
  • 14. POPI and Consent •The DS must consent to the processing of Special Personal personal information. Information Section 27 • Information regarding religious or philosophical can be processed only by religious or spiritual institutions to which the DS belongs without • Consent from the DS is needed when this data supplied to third parties. Religious Beliefs Section 28(3)
  • 15. POPI and Consent • Information regarding trade union membership processed only by the trade union or its body to which the DS belongs. • Consent from the DS is needed when this data supplied to third parties. Trade Union Membership Section 30(2) • Information regarding political persuasion can processed only by institutions founded on principles to which the DS belongs without •Consent from the DS is needed when this data is supplied to third parties. Political Persuasion Section 31(2)
  • 16. POPI and Consent • Processing PI regarding children can only occur the consent from a person who has legal Information to make decisions regarding that child. Children Section 34 • Processing for direct marketing is prohibited DS gives consent. •To request consent, the RP may approach the consent only once and only if the DS has not previously withheld consent. Direct Marketing Section 69
  • 17. POPI and Consent • RP may not transfer PI to a third party in a country unless the DS has consented or the benefits the DS and it is impractical to obtain and the DS would likely give consent. Foreign should have similar processing protection as Foreign Country Transfer Section 72(1) •The Minister has the power to create regulations regarding the manner and form within which the consent must be obtained or requested for direct marketing. Minister’s Powers Section 112(2)(f)
  • 18. POPI and Notification •Notification to DS when collecting personal Notification to DS when collecting PI Section 18 •The Operator must notify the RP immediately there are reasonable grounds to believe that the personal information of a DS has been accessed acquired by any unauthorised person Security measures regarding processed by Section 21
  • 19. POPI and Notification •Where there are reasonable grounds to believe personal information of a DS has been accessed acquired by any unauthorised person, the RP notify the Regulator and the DS Notification of Compromises Section 22 •The RP must notify a DS, who has made a correction or deletion of record of the action result of such request Correction of personal Section 24
  • 20. POPI and Notification • RP must notify and obtain prior authorization Regulator for processing for the following: • for a purpose other than the original purpose intended at collection •with the aim of linking the information information processed by other responsible • process information on criminal behaviour •process information for the purposes of credit reporting or • transfer special PI or the PI of children to a party in a foreign country that does not adequate level of protection. Responsible party to notify Regulator if processing is subject to authorisation Section 58
  • 21. Giving Your PI Away Shopping online Subscribing or registering Competitions, prizes, rewards Online games and virtual worlds Social Media Online Browsing Employment Name Surname email address telephone number postal address city Education credit card number ID number physical address
  • 22. POPI for Business Financial Education Transport Gaming Social Media Advertising Music Telecoms Credit Personal Information is Sports Mapping Insurance IT Banking Medical your Business
  • 23. POPI for Business 1 •POPI Strategy 2 •Appoint an Information Officer 3 •Privacy Policy 4 •Consider who the Data Subjects are •Limit the collection type and amount to the purpose 3 •Third party Transfer 4 •Cross-border transfer 5 •Direct Marketing Practices 6 •Special Personal Information 7 •Children’s Personal Information 8 •Directories
  • 24. POPI for Business •-Obtain consent DS to use PI for the specified purpose •-Network Security – integrity and safekeeping •-Limit access per business role •-Ensure that there are back-up and business continuity plans •-Access Security at all points •-Access to Information Procedure (correction, objections to processing, copy of records, third parties who access their PI) •-Procedures for updating details to ensure and completeness •-Ensure Records retention management (deletion or de-identification) •-Incident Management Process Creating Business Process
  • 25. POPI for Business Well managed brand Strengthens the brand Conveys that the business understands its legal obligations to the client Builds trust in the brand
  • 26. POPI for Business Privacy infringement Loss of Intellectual Property Defamation Loss of sensitive information Security compromise - issues of national security Financial loss POTENTIAL FOR LITIGATION Brand Damage
  • 27. PI and Cyber Crime Cybercrime PI
  • 28. PI & Cybercrime • Lloyd’s 2013 Risk Index Report: Cyber security has moved from 12th position to 3rd position as a global concern to business. • The 2013 Norton Report: South Africa has the third highest number of cybercrime victims following Russia and China. • PwC’s Global State of Information Security Survey 2014 reported a rise of 25% in security incidents with a 51% rise in spend on security. Overall, this makes up only 4% of the IT spend.
  • 29. PI & Cybercrime • South Africa’s National Cyber Security Policy Framework was passed in March 2012 • 18 months later: Department of Communications appointed the National Cyber Security Advisor in October 2013 • Goal: co-ordinate government actions on cyber security and ensure co-operation between government, the private sector and civil society on addressing cyber threats
  • 30. PI & Cybercrime • The Electronic Communications and Transactions Act 2002 • 9 years later: No cyber inspectors to enforce cyber security • Wolfpack Information Risk’s report – The South African Cyber Threat Barometer 2012/13: no national computer security incident response team; no national response team to co-ordinate a cyber defence strategy; Annual losses in 3 sectors = R2.65 billion
  • 31. PI & Cybercrime • India: Sponsored training for 500 000 “cyber warriors” • South Korea: 5000 cyber specialists are developed annually • United Kingdom: 11 centres established for cyber skills development allied to the universities • South Africa: ?
  • 32. Thanks, Questions? Komeshni Patrick Komeshni.patrick@endcode.org www.endcode.org