These are my slides for my presentation at the Protection of Personal Information Act Readiness Workshop at the OR Tambo Protea Hotel on 16 April 2014. My focus was on understanding data processing constraints; identifying key risk areas and the benefits of better data protection frameworks.

1. 2014-04-16
Responsible Data Processing
Protection of Personal Information Act Workshop

2. 2014-04-16
Share your thoughts
You can find me on Twitter as @pauljacobson
#POPIready

3. Understanding your data
processing constraints

4. Lawful processing conditions
✤ Accountability!
✤ Purpose limitation!
✤ Purpose specification!
✤ Further processing limitation!
✤ Information quality!
✤ Openness!
✤ Security safeguards!
✤ Data subject participation

5. There are exceptions

6. Personal or household activity

7. Anonymised and can’t be associated !
with a data subject again

8. By or on behalf of a!
public body
National security Public defence
Crime and money
laundering

9. Cabinet or!
Executive Councils
Judicial proceedings

10. 01
Journalistic, literary or
artistic purposes

11. “solely for the purpose of journalistic, literary or artistic
expression to the extent that such an exclusion is necessary to
reconcile, as a matter of public interest, the right to privacy
with the right to freedom of expression.”
– Section 7(1), Protection of Personal Information Act

12. Regulatory function delegated to a code of ethics
that will apply to the exclusion of the Act*
* This is provided for elsewhere and forms part
of a distributed enforcement mechanism

13. Conditions for lawful processing of
personal information

14. Consent and data collection

15. 01
Consent, justification and objection

16. “… it seems to be a sensible approach to say that the scope of
a person’s privacy extends a fortiori only to those aspects in
regard to which a legitimate expectation of privacy can be
harboured.”
– Bernstein and Others v Bester NO and Others

17. Options
Consent
Legitimate interests
Contractual conclusion or performance

18. Only in the case of consent may a data
subject withdraw permission

19. “Legitimate interests” is vague, undefined
and, yet, a very interesting justification

20. “The processing is necessary for the purposes of legitimate
interests pursued by the data controller or by the third party
or parties to whom the data are disclosed, except where the
processing is unwarranted in any particular case by reason of
prejudice to the rights and freedoms or legitimate interests of
the data subject.”
– Section 6, Schedule 2, UK Data Protection Act

21. Still, the “Lawful processing of personal information
conditions” provide broad parameters and context for
“legitimate interests” arguments …

22. 01
Special personal information

23. ✤ Children’s personal information!
✤ Religious or philosophical beliefs*!
✤ Race or ethnic origin!
✤ Trade union membership*!
✤ Political persuasion!
✤ Health or sex life!
✤ Criminal behaviour or biometric information

24. How transparent are you?

25. ‘‘consent’’ means any voluntary, specific and informed
expression of will in terms of which permission is given for
the processing of personal information

26. “A responsible party must take reasonably practicable steps
to ensure that the personal information is complete, accurate,
not misleading and updated where necessary.”
– Section 16, the Protection of Personal Information Act

27. Do you facilitate meaningful access to
personal information you hold?

28. Data processing

29. “Personal information may only be processed if, given the
purpose for which it is processed, it is adequate, relevant
and not excessive.”
– Section 10, the Protection of Personal Information Act

30. Purpose specification
“Personal information must be collected for a specific, explicitly
defined and lawful purpose related to a function or activity of
the responsible party”
Be transparent about the purpose

31. Further processing must align with the original purpose*
* There are exceptions too

32. Data integrity and retention

33. “… records of personal information must not be retained any
longer than is necessary for achieving the purpose for which
the information was collected or subsequently processed …”
– Section 13, Protection of Personal Information Act

34. Don’t lose sight of the bigger data
retention compliance picture
Electronic Communications
and Transactions Act
Protection of Personal
Information Act
Everything else

35. POPI places special emphasis on
security safeguards

36. “A responsible party must secure the integrity and
confidentiality of personal information in its possession or
under its control by taking appropriate, reasonable
technical and organisational measures …”
– Section 19, Protection of Personal Information Act

37. “A responsible party must, in terms of a written contract
between the responsible party and the operator, ensure that
the operator which processes personal information for the
responsible party establishes and maintains the security
measures referred to in section 19 …”
– Section 21, Protection of Personal Information Act

38. Identifying key risk areas

39. How do you process personal information?
Helpful questions
Are you the responsible party or the operator?
Is your reputation at risk and what could go wrong?

40. Do you engage in direct marketing?

41. Do you process personal information on your responsible
party customers’ behalf?

42. Benefits of better protection
frameworks

43. Clear privacy statements

44. Transparent dealings with
stakeholders
2014 Heartbleed Bug
OpenSSL exploit came to light
Providers proactively contacted users
and recommended password changes

45. Be responsible, reduce reputational harm risk in the process

46. “The way to gain good reputation is to endeavor to be what
you desire to appear”
– Socrates

47. Thank you for your time.
Please feel free to contact me if we can assist you or answer questions.
webtechlaw.com/contact
Paul Jacobson 083 444 8260