BHF Indaba Peter Hill
8/2/2019 BHF Indaba Peter Hill
1/33
FMU Investigator Indaba
Protection of Personal Information Bill: How does it affect us?
Protection of Personal Information Bill: How does it affect us?
Peter Hill
Director: IT Governance Network
0825588732
TOPICS TO BE COVERED
Overview of the Protection of Personal Information Act
The impact of the PPI Act
Challenges
The role and function of the Information Protection Officer
Who is the Responsible Party and what are their obligations under the PPI Act?
Why a Code of Conduct (for protecting personal information) within medical schemes would be a good idea?
INTRODUCTION
The IT Governance Network (South Africa, US, UK, Switzerland)
Global leaders in IT Governance, 15 years' experience
International Privacy Expertise, 15 years' experience
Active participants at Parliamentary meetings finalising the Privacy legislation
Key People
Peter Hill, CISM, CISA, CGEIT, international IT governance specialist
Michael Erner, lawyer, accredited Privacy Expert, Independent Centre for
Privacy Protection Schleswig-Holstein, Germany
Significant clients
Local banking, financial and retail institutions
NASA
Deutsche Telecom (global)
UBS
What we do
Consulting, education, privacy management solutions
Independent external Information Protection Officers
STATUTORY OBLIGATION OF MEDICAL SCHEMES
OVERLAP OF KING III, CPA, POPI AND PCI
Corporate Governance: King III and IT Governance
Consumer Protection Act (CPA)
Protection against discriminatory marketing
8. A supplier must not directly or indirectly treat any person differently than any other, in a manner that constitutes unfair discrimination on one or more grounds set out in section 9 of the Constitution, or one or more grounds set out in Chapter 2 of the Promotion of Equality and Prevention of Unfair Discrimination Act, when determining whether to report, or reporting, any personal information of such person.
Prohibited transactions, agreements, terms or conditions
51. (1) A supplier must not make a transaction or agreement subject to any term or condition if it expresses an agreement by the consumer to provide a personal identification code or number to be used to access an account.
51. (2) A supplier may not request or demand a consumer to reveal any personal identification code.
(4) This section does not preclude a supplier to require a personal identification code or number in order to facilitate a transaction that in the normal course of business necessitates the provision of such code or number.
Overlap diagram labels: Information Security Management System (ISO 27001); POPI; PCI; CPA
PRIVACY RISKS
Ignorance of individuals' constitutional right to privacy
Impact on reputation leading to loss of business
Cost of adjusting existing business processes
Cost of additional security (confidentiality, integrity, availability)
Poor record management increases the cost of searching for, protecting and deleting personal information
Regulator audits, costly investigations
Civil litigation cost and damages awarded
Criminal offences leading to Penalties
THE KEY ROLES FOR PPI
The Regulator
Data Subjects
Responsible Parties
Processors
Information Officers
Information Protection Officers
Risk Managers
Information Security Managers
Compliance Officers
THE KEY ROLES FOR PPI
Role diagram labels: Information Officer; Operators; IT Security Management; Compliance; Risk Management; Internal Audit; Register of Processing
THE ROLE OF RESPONSIBLE PARTIES
18. (1) A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to
(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
RESPONSIBLE PARTIES TO ACT IN A REASONABLE MANNER
Section 94 of the Protection of Personal Information Act allows a data subject or the Regulator to institute a civil action for damages in a court against a responsible party who is in breach of any provision of the Act, whether or not there is intent or negligence on the part of the responsible party.
There are numerous provisions in the Protection of Personal Information Act that require the responsible party to act in a reasonable manner. The standard to determine whether a person acted reasonably is that of objective foreseeability. In other words, would a reasonable person have foreseen the harm?
Any deviation from the standard of foreseeable harm establishes negligence, irrespective of whether the damage is due to the act of the responsible party or a service provider. Clearly, a responsible party can be held liable even though there is no apparent fault of his or her own.
The burden of proof rests with the responsible party to demonstrate that he or she did properly and continuously assess the risk and take all the measures necessary to mitigate the risks to data subjects.
NOTIFICATION OF PROCESSING
50. (1) A responsible party must notify the Regulator before commencing the
(a) fully or partly automated processing of personal information or categories of personal information intended to serve a single purpose or different related purposes; or
(b) non-automated processing of personal information intended to serve a single purpose or different related purposes, if such processing is subject to a prior investigation.
(2) The notification referred to in subsection (1) must be noted in a register kept by the Regulator for this purpose.
Notification to contain specific particulars
51. (1) The notification must contain the following particulars:
(a) The name and address of the responsible party;
(b) the purpose of the processing;
(c) a description of the categories of data subjects and of the information or categories of information relating thereto;
(d) the recipients or categories of recipients to whom the personal information may be supplied;
(e) planned trans-border flows of personal information; and
(f) a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.
BREACH NOTICE
Notification of security compromises
21. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party, or any third party processing personal information under the authority of a responsible party, must notify the
(a) Regulator; and
(b) data subject, unless the identity of such data subject cannot be established.
(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system.
(3) The responsible party may only delay notification of the data subject if the South African Police Service, the National Intelligence Agency or the Regulator determines that notification will impede a criminal investigation.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 1 - Accountability
The responsible party must ensure that the conditions set out in the Act, and all the measures required, are complied with.
"responsible party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 2 - Processing limitation
Business processes provide the context for processing personal information, i.e. the specific purpose
Data collection must be proportionate to purpose (minimal)
Data processing must be for a legitimate purpose
Data subject must give consent
Collection of personal data must be directly from the data subject unless it is contained in a public record
Data models prevent inference of prohibited data elements
Limit the transfer of personal data to service providers
Data subject must be able to object, in the prescribed manner.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 3 - Purpose specification
Collection of personal information must be for a specifically defined, lawful purpose related to a function of the responsible party
Data subject must be aware of the purpose of collecting data
The purpose for processing personal information must be clear
Record retention must not be longer than necessary unless required by law, a contract, or the data subject has consented
A record of the use of personal data to make a decision must be retained for such period as required by a law, or long enough for the data subject to request access to the record
Destroy, delete or de-identify as soon as practically possible
Destruction of personal information must be in a manner that prevents reconstruction in an intelligible form.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 4 - Further processing limitation
Further processing must be compatible with the original purpose
Be aware of the potential consequences of further processing
Take note of any contractual rights and obligations
Take steps to prevent further processing of personal data
Data mining must not exceed the original purpose
Allow retention for historical, statistical or research purposes
Stop unlawful processing.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 5 - Information quality
Maintain the accuracy of collected personal information
Check that personal data is not misleading
Ensure that personal data is up to date
Be aware of the impact the integrity of personal data has on the purpose for collecting personal data
Note: master data must exclude unnecessary records
Note: master data must be secured, and accessed only on a need-to-know basis.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 6 - Openness
Only process personal data after notifying the Regulator
The data subject must be aware of the collection of the data and the name and address of the responsible party, whether voluntary or mandatory, and of any law authorising collection, except if:
the data subject is already aware;
all particulars are stated in the PROATIA manual;
the data subject consents to non-compliance;
the information will be used without identifying the data subject;
the personal information is already in the public domain.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 7 - Data subject participation
Establish communication processes with data subjects (via the Information Protection Officer)
Provide data subjects with access to personal information
Enable data subjects to request correction of personal data
Manner of access to information is defined in PROATIA.
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
Principle 8 - Security safeguards
Business controls for maintaining integrity:
Identify personal data (structured and unstructured) in all business processes (formal and informal)
Identify business processing manual controls
Identify application systems and IT processes that support the business processes
Identify programmed procedures supporting the complete and accurate processing of personal data
Maintain appropriate granularity in user access controls
Maintain appropriate application level security
Maintain appropriate information resource protection
Prevent data leakage (structured and unstructured data)
Maintain the capability to detect security breaches
Regularly review contractual obligations of third parties
Prohibit the processing of special personal information
Comply with the requirements of the Information Protection Officer and/or Regulator.
PROHIBITION ON PROCESSING SPECIAL PERSONAL INFO.
25(2) A responsible party may not process personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour of a data subject, other than a child referred to in subsection.
General exemption
25A The prohibition on processing personal information, as referred to in section 25, does not apply if
(a) the processing is carried out with
(i) the prior consent of a competent person in respect of a child referred to in section 25(1)(a); or
(ii) the consent of a data subject referred to in section 25(2);
EXEMPTION CONCERNING DATA SUBJECTS HEALTH
30(1) The prohibition on processing personal information concerning a data subject's health, as referred to in section 25(2), does not apply to the processing by
(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;
(b) insurance companies, medical aid scheme administrators and managed healthcare organisations, if such processing is necessary for
(i) assessing the risk to be insured by the insurance company or covered by the medical aid scheme and the data subject has not objected to the processing;
(ii) the performance of an insurance or medical aid agreement; or
(iii) the enforcement of any contractual rights and obligations;
(c) schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health;
(d) institutions of probation, child protection or guardianship, if such processing is necessary for the performance of their legal duties;
EXEMPTION CONCERNING DATA SUBJECTS HEALTH
(e) the Minister and the Minister of Correctional Services, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or
(f) administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for
(i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health of the data subject; or
(ii) the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.
(2) In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.
(3) A responsible party that is permitted to process information concerning a data subject's health or sexual life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).
HOW TO GET TO WHERE YOU NEED TO BE WITH PPI?
Update the current Information Officer role to include Information Protection Officer responsibilities, or delegate to a deputy IPO
Identify all Personal Information and the Responsible Parties
Identify the Categories and Purpose for processing Personal Information
Prepare the forms to register the Processing of Personal Information
Identify shortcomings in compliance with the conditions for lawful processing
Identify risks and risk responses
Take corrective action
Notify the Regulator of the categories and purpose of processing personal information
EXAMPLES OF PERSONAL DATA
Staff and customer surveys
Payment of entitlements
Staff ID cards used to pay for staff canteen purchases
Identity management services (identification, authentication, access control, authorization)
Certificate authorities for PKI
Acceptable use of IT services
Email system
Management promotion program
Telephone and Fax infrastructure, network and system software
Online registration of event participants
Loyalty program
Contracts with experts, advisors
Contact lists
Access control lists to buildings
Access requests to information systems
Actuarial calculations of pension schemes
Work permits
System authorizations and permissions
Evaluation of Personnel
Spontaneous job applications
Career guidance
Human capital database
Internal audit
Childcare facilities
Medical examinations
Welcome desk services
Canteen preferences
Sickness Insurance Claims
Staff Rosters
List of members of committees
Mailing list of committees
Meeting room reservation system
Voice recording of Helpdesk calls
Internal skills quiz
Timesheets and recording
Global user directory
Housing loans
Accrual based accounting system
Video surveillance for physical protection
List of companies and their representatives
Comments submitted by individuals
Outlook calendar
Disaster recovery contact list
Online delivery of staff achievement certificates
Online photos from staff function
Who's Who feature article
Database of network partners
Expression of interest from experts responding to RFI
Paper files concerning former Individual Experts
Reader's Letters published in the internal newspaper
Print service monitoring
Training skills database
Complaints Handling
ERP applications (e.g. SAP)
VoIP System
Rapid Alert System
Log files
Slide column headings: General; Special
THE IMPACT OF THE PPI ACT - CHALLENGES
Retrofitting to existing processes and infrastructure
Business purpose specific, proportionate to purpose
Cease secondary and unlawful processing
Internet-based processing
Controlling third-parties
Employee education
Unstructured data
Data destruction
Data leakage
Sustainability
ROADMAP TO COMPLIANCE WITH PPI
Manage Information Assets
Retrofit PRINCIPLES to Business Processes and Infrastructure
Attend to Key Issues
Overcome Challenges
Roadmap diagram labels: Assign Responsibilities; Risk Assessment and Response; Planning; Preparation for Registration; Register Processing; Respond to Regulator Requests; Monitor and Reporting
Roadmap timeline labels: 1-3 Years; 1-6 months; Ongoing
A CODE OF CONDUCT (FOR PROTECTING PERSONAL INFORMATION) WITHIN MEDICAL SCHEMES
Not all schemes are staffed internally
Often many administrative functions are outsourced
A full-time information protection officer for each scheme could be costly
Each scheme has many service providers (doctors, intermediaries, administrators, service providers to the administrators)
Many schemes have the same relationships.
UPDATE FROM PARLIAMENT 13 AUGUST 2010
Recent submissions by 3 major banks are just repeating previous submissions
Chairman stressed that companies that cannot demonstrate sufficient effort to date may not be eligible for an extension if extensions are granted!
Funding of the regulator could be out of fees collected from companies registering late
PPI Act is expected to be promulgated by December 2010
QUESTIONS AND DISCUSSION
www.personalprivacy.co.za
IT Governance Network
South Africa, US, UK, Switzerland
PETER HILL
+27 825588732
+44 (0)20 81333180
+1 302-5044408
HOW THE IT GOVERNANCE NETWORK CAN ASSIST?
Guidance on:
The Rights of Individuals
Identifying Personal Information
Identifying Responsible Parties
Lawful and unlawful processing
Processing Limitations
Further Processing Limitations
Contracting with Third Parties
Notification to the Regulator
The role and procedures of the Information Protection Officers
Assistance with:
Collection of Registration information
Business process redesign
Measures to enhance Confidentiality
Measures to enhance Integrity
Measures to enhance Availability
Responding to Data Subject requests
Working with the Regulator
Conducting audits
Independent Information Protection Office
Drafting Code of Conduct
SPECIALISED SERVICES AND SOLUTIONS
Legal, organisational and technical advice on the course of action to protect the general and special categories of Personal Information
Collect and review information about the processing of Personal Information
Customised PDF forms
Online submission of information
Education
Customised in-house and web-based awareness and educational events for staff
Specialised training for Responsible Parties and Information Protection Officers
Specialised training for Business and IT management
Provide point of contact for Data Subjects to submit information requests
Simple online form
Information Request Management System
Respond to Data Subject requests
Conduct Audits of measures taken to satisfy Regulatory requirements
Assist management to remedy issues raised by the Regulator