BHF Indaba Peter Hill


Transcript of BHF Indaba Peter Hill

  • 8/2/2019 BHF Indaba Peter Hill

    1/33

    FMU Investigator Indaba

    Protection of Personal Information Bill: How does it affect us?

  • Protection of Personal Information Bill: How does it affect us?

    Peter Hill

    Director: IT Governance Network

    [email protected]

    0825588732

  • TOPICS TO BE COVERED

    Overview of the Protection of Personal Information Act

    The impact of the PPI Act

    Challenges

    The role and function of the Information Protection Officer

    Who is the Responsible Party and what are their obligations under the PPI Act?

    Why would a Code of Conduct (for protecting personal information) within medical schemes be a good idea?

  • INTRODUCTION

    The IT Governance Network (South Africa, US, UK, Switzerland)

    Global leaders in IT Governance: 15 years' experience

    International Privacy Expertise: 15 years' experience

    Active participants at Parliamentary meetings finalising the Privacy legislation

    Key People

    Peter Hill, CISM, CISA, CGEIT, international IT governance specialist

    Michael Erner, lawyer, accredited Privacy Expert, Independent Centre for Privacy Protection Schleswig-Holstein, Germany

    Significant clients

    Local banking, financial and retail institutions

    NASA

    Deutsche Telecom (global)

    UBS

    What we do

    Consulting, education, privacy management solutions

    Independent external Information Protection Officers

  • STATUTORY OBLIGATION OF MEDICAL SCHEMES

  • OVERLAP OF KING III, CPA, POPI AND PCI

    Diagram labels: Corporate Governance; King III and IT Governance; Consumer Protection Act (CPA); Information Security Management System (ISO 27001); POPI; PCI; CPA

    Consumer Protection Act (CPA)

    Protection against discriminatory marketing

    8. A supplier must not directly or indirectly treat any person differently than any other, in a manner that constitutes unfair discrimination on one or more grounds set out in section 9 of the Constitution, or one or more grounds set out in Chapter 2 of the Promotion of Equality and Prevention of Unfair Discrimination Act, when determining whether to report, or reporting, any personal information of such person.

    Prohibited transactions, agreements, terms or conditions

    51. (1) A supplier must not make a transaction or agreement subject to any term or condition if it expresses an agreement by the consumer to provide a personal identification code or number to be used to access an account.

    51. (2) A supplier may not request or demand a consumer to reveal any personal identification code.

    (4) This section does not preclude a supplier to require a personal identification code or number in order to facilitate a transaction that in the normal course of business necessitates the provision of such code or number.

  • PRIVACY RISKS

    Ignorance of individuals' constitutional right to privacy

    Impact on reputation leading to loss of business

    Cost of adjusting existing business processes

    Cost of additional security (confidentiality, integrity, availability)

    Poor record management increases the cost of searching for, protecting and deleting personal information

    Regulator audits, costly investigations

    Civil litigation cost and damages awarded

    Criminal offences leading to penalties

  • THE KEY ROLES FOR PPI

    The Regulator

    Data Subjects

    Responsible Parties

    Processors

    Information Officers

    Information Protection Officers

    Risk Managers

    Information Security Managers

    Compliance Officers

  • THE KEY ROLES FOR PPI (diagram)

    Diagram labels: Information Officer; Operators; IT Security Management; Compliance; Risk Management; Internal Audit; Register of Processing

  • THE ROLE OF RESPONSIBLE PARTIES

    18. (1) A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent

    (a) loss of, damage to or unauthorised destruction of personal information; and

    (b) unlawful access to or processing of personal information.

    (2) In order to give effect to subsection (1), the responsible party must take reasonable measures to

    (a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

    (b) establish and maintain appropriate safeguards against the risks identified;

    (c) regularly verify that the safeguards are effectively implemented; and

    (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

    (3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

  • RESPONSIBLE PARTIES TO ACT IN A REASONABLE MANNER

    Section 94 of the Protection of Personal Information Act allows a data subject or the Regulator to institute a civil action for damages in a court against a responsible party who is in breach of any provision of the Act, whether or not there is intent or negligence on the part of the responsible party.

    There are numerous provisions in the Protection of Personal Information Act that require the responsible party to act in a reasonable manner. The standard to determine whether a person acted reasonably is that of objective foreseeability. In other words, would a reasonable person have foreseen the harm?

    Any deviation from the standard of foreseeable harm establishes negligence, irrespective of whether the damage is due to the act of the responsible party or a service provider. Clearly, a responsible party can be held liable even though there is no apparent fault of his or her own.

    The burden of proof rests with the responsible party to demonstrate that he or she did properly and continuously assess the risk and take all the measures necessary to mitigate the risks to data subjects.

  • NOTIFICATION OF PROCESSING

    50. (1) A responsible party must notify the Regulator before commencing the

    (a) fully or partly automated processing of personal information or categories of personal information intended to serve a single purpose or different related purposes; or

    (b) non-automated processing of personal information intended to serve a single purpose or different related purposes, if such processing is subject to a prior investigation.

    (2) The notification referred to in subsection (1) must be noted in a register kept by the Regulator for this purpose.

    Notification to contain specific particulars

    51. (1) The notification must contain the following particulars:

    (a) The name and address of the responsible party;

    (b) the purpose of the processing;

    (c) a description of the categories of data subjects and of the information or categories of information relating thereto;

    (d) the recipients or categories of recipients to whom the personal information may be supplied;

    (e) planned trans-border flows of personal information; and

    (f) a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.

  • BREACH NOTICE

    Notification of security compromises

    21. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party, or any third party processing personal information under the authority of a responsible party, must notify the

    (a) Regulator; and

    (b) data subject, unless the identity of such data subject cannot be established.

    (2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system.

    (3) The responsible party may only delay notification of the data subject if the South African Police Service, the National Intelligence Agency or the Regulator determines that notification will impede a criminal investigation.

  • CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION

    Principle 1 - Accountability

    The responsible party must ensure that the conditions set out in the Act, and all the measures required, are complied with.

    "responsible party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;

  • Principle 2 - Processing limitation

    Business processes provide the context for processing personal information, i.e. the specific purpose

    Data collection must be proportionate to purpose: minimal

    Data processing must be for a legitimate purpose

    Data subject must give consent

    Collection of personal data must be directly from the data subject unless it is contained in a public record

    Data models prevent inference of prohibited data elements

    Limit the transfer of personal data to service providers

    Data subject must be able to object, in the prescribed manner.

  • Principle 3 - Purpose specification

    Collection of personal information must be for a specifically defined, lawful purpose related to a function of the responsible party

    Data subject must be aware of the purpose of collecting data

    The purpose for processing personal information must be clear

    Record retention must not be longer than necessary unless required by law or a contract, or the data subject has consented

    A record of the use of personal data to make a decision must be retained for such period as required by a law, or long enough for the data subject to request access to the record

    Destroy, delete or de-identify as soon as practically possible

    Destruction of personal information must be in a manner that prevents reconstruction in an intelligible form.

  • Principle 4 - Further processing limitation

    Further processing must be compatible with the original purpose

    Be aware of the potential consequences of further processing

    Take note of any contractual rights and obligations

    Take steps to prevent further processing of personal data

    Data mining must not exceed the original purpose

    Allow retention for historical, statistical or research purposes

    Stop unlawful processing.

  • Principle 5 - Information quality

    Maintain the accuracy of collected personal information

    Check that personal data is not misleading

    Ensure that personal data is up to date

    Be aware of the impact the integrity of personal data has on the purpose for collecting personal data

    Note: master data must exclude unnecessary records

    Note: master data must be secured, and accessed only on a need-to-know basis.

  • Principle 6 - Openness

    Only process personal data after notifying the Regulator

    The data subject must be aware of the collection of the data and the name and address of the responsible party, whether collection is voluntary or mandatory, and of any law authorising collection, except if:

    the data subject is already aware

    all particulars are stated in the PROATIA manual

    the data subject consents to non-compliance

    the information will be used without identifying the data subject

    the personal information is already in the public domain.

  • Principle 7 - Data subject participation

    Establish communication processes with data subjects (via the Information Protection Officer)

    Provide data subjects with access to personal information

    Enable data subjects to request correction of personal data

    Manner of access to information is defined in PROATIA.

  • Principle 8 - Security safeguards

    Business controls for maintaining integrity:

    Identify personal data (structured and unstructured) in all business processes (formal and informal)

    Identify business processing manual controls

    Identify application systems and IT processes that support the business processes

    Identify programmed procedures supporting the complete and accurate processing of personal data

    Maintain appropriate granularity in user access controls

    Maintain appropriate application level security

    Maintain appropriate information resource protection

    Prevent data leakage (structured and unstructured data)

    Maintain the capability to detect security breaches

    Regularly review contractual obligations of third parties

    Prohibit the processing of special personal information

    Comply with the requirements of the Information Protection Officer and/or Regulator.

  • PROHIBITION ON PROCESSING SPECIAL PERSONAL INFO.

    25(2) A responsible party may not process personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour of a data subject, other than a child referred to in subsection.

    General exemption

    25A The prohibition on processing personal information, as referred to in section 25, does not apply if

    (a) if the processing is carried out with

    (i) prior consent of a competent person in respect of a child referred to in section 25(1)(a); or

    (ii) the consent of a data subject referred to in section 25(2);

  • EXEMPTION CONCERNING DATA SUBJECT'S HEALTH

    30(1) The prohibition on processing personal information concerning a data subject's health, as referred to in section 25(2), does not apply to the processing by

    (a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;

    (b) insurance companies, medical aid scheme administrators and managed healthcare organisations, if such processing is necessary for

    (i) assessing the risk to be insured by the insurance company or covered by the medical aid scheme and the data subject has not objected to the processing;

    (ii) the performance of an insurance or medical aid agreement; or

    (iii) the enforcement of any contractual rights and obligations;

    (c) schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health;

    (d) institutions of probation, child protection or guardianship, if such processing is necessary for the performance of their legal duties;

  • EXEMPTION CONCERNING DATA SUBJECT'S HEALTH (continued)

    (e) the Minister and the Minister of Correctional Services, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or

    (f) administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for

    (i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health of the data subject; or

    (ii) the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.

    (2) In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.

    (3) A responsible party that is permitted to process information concerning a data subject's health or sexual life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).

  • HOW TO GET TO WHERE YOU NEED TO BE WITH PPI?

    Update the current Information Officer role to include Information Protection Officer responsibilities, or delegate to a deputy IPO

    Identify all Personal Information and the Responsible Parties

    Identify the Categories and Purpose for processing Personal Information

    Prepare the forms to register the Processing of Personal Information

    Identify shortcomings in compliance with the conditions for lawful processing

    Identify risks and risk responses

    Take corrective action

    Notify the Regulator of the categories and purpose of processing personal information

  • EXAMPLES OF PERSONAL DATA

    Staff and customer surveys

    Payment of entitlements

    Staff ID cards used to pay for staff canteen purchases

    Identity management services (identification, authentication, access control, authorization)

    Certificate authorities for PKI

    Acceptable use of IT services

    Email system

    Management promotion program

    Telephone and Fax infrastructure, network and system software

    Online registration of event participants

    Loyalty program

    Contracts with experts, advisors

    Contact lists

    Access control lists to buildings

    Access request to information systems

    Actuarial calculations of pension schemes

    Work permits

    System authorizations and permissions

    Evaluation of Personnel

    Spontaneous job applications

    Career guidance

    Human capital database

    Internal audit

    Childcare facilities

    Medical examinations

    Welcome desk services

    Canteen preferences

    Sickness Insurance Claims

    Staff Rosters

    List of members of committees

    Mailing list of committees

    Meeting room reservation system

    Voice recording of Helpdesk calls

    Internal skills quiz

    Timesheets and recording

    Global user directory

    Housing loans

    Accrual based accounting system

    Video surveillance for physical protection

    List of companies and their representatives

    Comments submitted by individuals

    Outlook calendar

    Disaster recovery contact list

    Online delivery of staff achievement certificates

    Online photos from staff function

    Who's Who feature article

    Database of network partners

    Expression of interest from experts responding to RFI

    Paper files concerning former Individual Experts

    Reader's Letters published on the internal newspaper

    Print service monitoring

    Training skills database

    Complaints Handling

    ERP applications (e.g. SAP)

    VoIP System

    Rapid Alert System

    Log files

    Slide legend: General; Special

  • THE IMPACT OF THE PPI ACT - CHALLENGES

    Retrofitting to existing processes and infrastructure

    Business purpose specific, proportionate to purpose

    Cease secondary and unlawful processing

    Internet-based processing

    Controlling third parties

    Employee education

    Unstructured data

    Data destruction

    Data leakage

    Sustainability

  • ROADMAP TO COMPLIANCE WITH PPI (diagram)

    Diagram labels: Manage Information Assets; Retrofit PRINCIPLES to Business Processes and Infrastructure; Attend to Key Issues; Overcome Challenges

    Phases: Risk Assessment and Response; Planning; Preparation for Registration; Assign Responsibilities; Monitor and Reporting; Ongoing

    Timelines: 1-3 years; 1-6 months

    Register Processing; Respond to Regulator Requests

  • A CODE OF CONDUCT (FOR PROTECTING PERSONAL INFORMATION) WITHIN MEDICAL SCHEMES

    Not all schemes are staffed internally

    Often many administrative functions are outsourced

    A full-time information protection officer for each scheme could be costly

    Each scheme has many service providers (doctors, intermediaries, administrators, service providers to the administrators)

    Many schemes have the same relationships.

  • UPDATE FROM PARLIAMENT 13 AUGUST 2010

    Recent submissions by 3 major banks are just repeating previous submissions

    Chairman stressed that companies that cannot demonstrate sufficient effort to date may not be eligible for an extension if extensions are granted!

    Funding of the regulator could be out of fees collected from companies registering late

    PPI Act is expected to be promulgated by December 2010

  • QUESTIONS AND DISCUSSION

    www.personalprivacy.co.za

    IT Governance Network

    South Africa, US, UK, Switzerland

    PETER HILL

    +27 825588732

    +44 (0)20 81333180

    +1 302-5044408

    [email protected]

  • HOW THE IT GOVERNANCE NETWORK CAN ASSIST?

    Guidance on:

    The Rights of Individuals

    Identifying Personal Information

    Identifying Responsible Parties

    Lawful and unlawful processing

    Processing Limitations

    Further Processing Limitations

    Contracting with Third Parties

    Notification to the Regulator

    The role and procedures of the Information Protection Officers

    Assistance with:

    Collection of Registration information

    Business process redesign

    Measures to enhance Confidentiality

    Measures to enhance Integrity

    Measures to enhance Availability

    Responding to Data Subject requests

    Working with the Regulator

    Conducting audits

    Independent Information Protection Office

    Drafting Code of Conduct

  • SPECIALISED SERVICES AND SOLUTIONS

    Legal, organisational and technical advice on the course of action to protect the general and special categories of Personal Information

    Collect and review information about the processing of Personal Information

    Customised PDF forms

    Online submission of information

    Education

    Customised in-house and web-based awareness and educational events for staff

    Specialised training for Responsible Parties and Information Protection Officers

    Specialised training for Business and IT management

    Provide point of contact for Data Subjects to submit information requests

    Simple online form

    Information Request Management System

    Respond to Data Subject requests

    Conduct Audits of measures taken to satisfy Regulatory requirements

    Assist management to remedy issues raised by the Regulator