THE PROTECTION OF PERSONAL INFORMATION ACT (PoPI) IMFO Institute of Municipal Finance Officers & Related Professions

AGENDA

• PoPI status

• Overview of PoPI – Why do we have PoPI; Who/What is affected?

• PoPI conditions & special requirements; definitions and penalties

• Top 6 things to do

PoPI Status

• The Parliament’s Portfolio Committee for Justice and Constitutional Development voted positively on 24 July 2013, on the changes brought on by the National Council of Provinces

• It was passed by the House of Assembly on 22 August 2013

• It was signed into law by the President on 26 November 2013

• 11 April 2014: President proclaimed the commencement date of selected sections (re appointment of Regulator)

• 19 May 2015: Treasury agreed and endorsed the grading of the Regulator

• 14 August 2015: Candidates were nominated

• 11 November 2015: Parliament asked for a meeting to discuss the role of the Information Regulator. The outcome of the meeting is that Parliament has asked for another workshop to be set up in 2016 for all relevant stakeholders

• The President is yet to appoint a Regulator and announce the commencement date of the remainder of the Act (expected in 2016)

Why do we have PoPI?

Overview of PoPI

• PoPI gives effect to the constitutional right to privacy in Section 14 of the Bill of Rights of the Constitution of South Africa

• Alignment of legislation with other countries (more than 100 other countries already have Privacy legislation)

• Poorly protected personal information has led to:

  – Rising levels of identity theft and associated fraud

  – Intrusions on the privacy of individuals

  – Fines imposed by Regulators

Who/What is affected?

Overview of PoPI

Applies to:

• Public and private sector

• Natural and juristic persons

• Paper and electronic records

Affects all areas of business:

• Employees

• Customers

• Suppliers

• Information held on behalf of third parties

Covers:

• Eight information processing conditions

• Direct marketing by electronic communication and automated decision-making

• Trans-border information flows

• Rights of data subjects

• Establishment of Regulator

• Enforcement provisions

8 Conditions

PoPI conditions & special requirements

1. Accountability
   – Responsible party ensures compliance

2. Processing limitation
   – Lawfulness, Minimality
   – Consent, justification and objection
   – Collection directly from the data subject

3. Purpose specification
   – Collection for a specific purpose
   – Retention of records

4. Further processing limitation
   – Further processing compatible with purpose of collection

5. Information quality
   – Quality of information

6. Openness
   – Documentation of processing operations
   – Notification to data subject when collecting personal information

7. Security safeguards
   – Integrity and confidentiality
   – Information processed by Operator
   – Notification of security compromises

8. Data subject participation
   – Access to and correction of personal information

– Direct marketing – electronic and unsolicited: Consent, opt-in and opt-out

– Cross border transfers: No transfer outside RSA unless conditions are met

– Special Personal Information: Children, race, gender, health, etc.

Personal Information

PoPI definitions

“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

Processing

PoPI definitions

“processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

Record

PoPI definitions

“record” means any recorded information—

(a) regardless of form or medium, including any of the following:

    (i) Writing on any material;

    (ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;

    (iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;

    (iv) book, map, plan, graph or drawing;

    (v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

(b) in the possession or under the control of a responsible party;

(c) whether or not it was created by a responsible party; and

(d) regardless of when it came into existence;

PoPI penalties

“Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—

(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or

(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.”

Administrative fine – may not exceed R10,000,000

Put privacy governance in place

Top 6 things to do

Support and commit to privacy

● Accountability ● Privacy governance charter ● Privacy steering committee

Guide and direct privacy

● Privacy policy ● Minimum control standards ● Regulatory response guidelines ● Contract provisions ● Pre-contract assessments

Inform and educate the organisation about privacy

● Training ● Awareness

Focus on data elements

Top 6 things to do

[Chart: Number of occurrences of data elements in surveyed applications (axis scale 0 to 35). Personal data elements shown: Income/Salary/etc.; Passport number; Business registration number; Postal address; Financial institution account number; National Identity / Social Security Number; Customer Number.]

Conduct and learn from gap assessments

Top 6 things to do

PoPI Compliance Readiness

Understand data flows

Top 6 things to do

Instill an information protection culture

Top 6 things to do

Training

Top 6 things to do

Executives

Management

All Employees

- Presentations

- Regulatory Dialogue Sessions

- Classroom Based Training

- General Awareness Activities

- Online Training

- Webinars

Thank You!

Busisiwe Mathe

PwC Director

+27 (82) 210 3121

+27 (11) 797 4875
